On Wednesday, March 7, 2018 2:26:14 PM AKST m.roth(a)5-cent.us wrote:
Stephen Smalley wrote:
> On 03/07/2018 03:18 PM, m.roth(a)5-cent.us wrote:
>
>> CentUS 7.4
>> ...
>> From sealert:
>> SELinux is preventing /usr/sbin/sshd from read access on the file
>> /etc/ssh/moduli.
>> Except:
>> ls -laFZ /etc/ssh/moduli
>> -rw-r--r--. root root system:object_r:etc_t:s0 /etc/ssh/moduli
> ...
> NB: You have "system" rather than "system_u" above, unless
> that's a typo.
> Which would be an invalid user identity, and thus an invalid security
> context, and therefore mapped to the unlabeled context at runtime.
CentUS or CentOS? "system" or "system_u"? Am I to be amused?
This is frustrating. This sort of thing is typical of a hacked system, and for
us ordinary users, there is no sane SELinux policy development taking place. A
lot of these security labels can easily, freely, and arbitrarily be changed by
ordinary users with the "chcon" command, there is a lot of covert resistance
to locking things down any further or fixing persistent security problems, and
SELinux has never really moved beyond the philosophy of
# touch /.autorelabel && reboot
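The mismatch Stephen points out (a user field of "system" instead of "system_u") can be caught before it produces confusing denials. The script below is an added example, not part of this thread: it parses `ls -Z` style lines (a constructed sample is embedded, including the moduli line from the report) and flags any context whose user field is not in an assumed list of stock SELinux users. That list is an assumption modelled on what `seinfo -u` typically prints on a CentOS 7 targeted policy; on a real system, regenerate it from the installed policy rather than trusting the hard-coded one.

```shell
#!/bin/sh
# Added example (not from the thread): flag file contexts whose SELinux user
# field is not a known user, which Stephen's reply says makes the whole
# context invalid and causes it to be treated as unlabeled at runtime.

# ASSUMPTION: a typical set of users from a stock CentOS 7 targeted policy.
# Replace with the output of `seinfo -u` on the system being checked.
KNOWN_USERS="system_u unconfined_u root user_u staff_u sysadm_u guest_u xguest_u"

# Constructed sample of "ls -laFZ" output; the first line is the suspect
# label reported in the thread, the other two are normal labels.
SAMPLE='-rw-r--r--. root root system:object_r:etc_t:s0 /etc/ssh/moduli
-rw-------. root root system_u:object_r:sshd_key_t:s0 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/ssh/sshd_config'

# context_user_valid CONTEXT
# Returns 0 when the user component (text before the first colon) is a
# known SELinux user, 1 otherwise.
context_user_valid() {
    user=${1%%:*}
    for u in $KNOWN_USERS; do
        [ "$u" = "$user" ] && return 0
    done
    return 1
}

# check_listing
# Reads ls -Z style lines from stdin, prints one line per invalid context
# and returns 1 if any were found, 0 if every context had a known user.
check_listing() {
    bad=0
    while read -r _perm _owner _group ctx path; do
        [ -z "$ctx" ] && continue
        if ! context_user_valid "$ctx"; then
            printf 'INVALID user in %s: %s\n' "$path" "$ctx"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Stand-alone demonstration on the constructed sample. On a real host you
# would pipe in "ls -laFZ /etc/ssh" instead, then repair with restorecon.
printf '%s\n' "$SAMPLE" | check_listing \
    || printf 'Suggested repair: restorecon -v <path> (or the full relabel above)\n'
```

Only the moduli line is reported; `root` is a valid SELinux user, so the other two entries pass. Because the script reads the raw label string rather than asking the kernel, it will show the bad user even though the running system maps that file to the unlabeled context.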