justina colmena wrote:
On Wednesday, March 7, 2018 2:26:14 PM AKST m.roth(a)5-cent.us wrote:
> Stephen Smalley wrote:
>
> > On 03/07/2018 03:18 PM, m.roth(a)5-cent.us wrote:
> >
> >> CentUS 7.4
> >> ...
> >> From sealert:
> >> SELinux is preventing /usr/sbin/sshd from read access on the file
> >> /etc/ssh/moduli.
> >> Except:
> >> ls -laFZ /etc/ssh/moduli
> >> -rw-r--r--. root root system:object_r:etc_t:s0 /etc/ssh/moduli
> > ...
> > NB: You have "system" rather than "system_u" above, unless that's a typo.
> > Which would be an invalid user identity, and thus an invalid security
> > context, and therefore mapped to the unlabeled context at runtime.
CentUS or CentOS? "system" or "system_u"? Am I to be amused?
Sorry, typo. We're currently overwhelmed, due to an environmental
incident, and I'm exhausted.
This is frustrating. This sort of thing is typical of a hacked system, and
for us ordinary users, there is no sane SELinux policy development taking
place. A lot of these security labels can easily, freely, and arbitrarily be
changed by ordinary users with the "chcon" command; there is a lot of covert
resistance to locking things down any further or fixing persistent security
problems; and SELinux has never really moved beyond the philosophy of
# touch /.autorelabel && reboot
which requires rebooting the system, and for a filesystem of any real
size, means waiting for-bloody-ever.
I think it gets "system" if you copy it without copying the SELinux label....
mark
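Added example, not from anyone in this thread: a small POSIX sh audit that does what Stephen's NB does by hand, i.e. scans `ls -lZ`-style output for contexts whose user field is not a known SELinux user (such as "system" instead of "system_u", which the kernel rejects as an invalid context and therefore treats as unlabeled at runtime), and prints the per-file repair (`matchpathcon` to see what the policy expects, `restorecon -v` to apply it) instead of the full `touch /.autorelabel && reboot`. The list of valid SELinux users and the three `ls` lines are constructed here so the script runs offline; on a real host, take the user list from `semanage user -l` or `seinfo -u` instead.

```shell
#!/bin/sh
# Added example (not code from the thread): find files whose SELinux context
# has an unknown user field and show the cheap per-file fix.

# Assumption: the valid SELinux users. This constructed list matches the
# stock CentOS 7 targeted policy; on a live system build it from the policy:
#   semanage user -l | awk 'NR>3 {print $1}'      (policycoreutils-python)
#   seinfo -u                                      (setools)
KNOWN_SEUSERS="system_u unconfined_u user_u staff_u sysadm_u root guest_u xguest_u"

# selinux_user_ok CONTEXT: return 0 if the user part (text before the first
# ':') is a known SELinux user, 1 otherwise. "system:object_r:etc_t:s0" fails.
selinux_user_ok() {
  _user=${1%%:*}
  for _u in $KNOWN_SEUSERS; do
    [ "$_u" = "$_user" ] && return 0
  done
  return 1
}

# audit_ls_z: read `ls -lZ` lines (perms owner group context path) on stdin,
# print "path<TAB>context" for every entry whose SELinux user is unknown,
# and return 1 if any were found, 0 if every context was valid.
audit_ls_z() {
  _bad=0
  while read -r _perms _owner _group _ctx _path; do
    [ -z "$_path" ] && continue        # skip "total N" and blank lines
    if ! selinux_user_ok "$_ctx"; then
      printf '%s\t%s\n' "$_path" "$_ctx"
      _bad=$((_bad + 1))
    fi
  done
  [ "$_bad" -eq 0 ]
}

# fix_hint PATH: print the targeted repair. matchpathcon shows the context
# the file_contexts database expects; restorecon -v relabels just that path,
# no reboot and no filesystem-wide autorelabel needed.
fix_hint() {
  printf 'matchpathcon %s\nrestorecon -v %s\n' "$1" "$1"
}

# Constructed sample input: the first line reproduces the bad "system" user
# from the thread, the other two carry valid users.
SAMPLE_LS='-rw-r--r--. root root system:object_r:etc_t:s0 /etc/ssh/moduli
-rw-------. root root system_u:object_r:sshd_key_t:s0 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ssh/ssh_config'

# Demo: list the bad entries and the command that would repair each one.
printf '%s\n' "$SAMPLE_LS" | audit_ls_z | while read -r _p _c; do
  echo "invalid context on $_p: $_c"
  fix_hint "$_p"
done
```

On a real host replace the sample with `ls -lZ /etc/ssh | audit_ls_z` (or `find /etc -exec ls -dZ {} +` for a subtree); a match means the file's context is invalid as a whole, which is why sshd was denied read on a file that "looks like" etc_t.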