selinux-policy-strict seems to fail with allowing remote access to the sshd on Fedora7 (2.6.21-1.3194.fc7). I've installed Fedora7 with all the package collections disabled in the installer for a minimal system, installed the necessary tools for selinux and the strict policy and enabled it. Installed sshd, touched /.autorelabel and rebooted (twice). When enabling the enforced mode and trying to ssh from the LAN, I get avc messages because of denied access ("permission denied" after entering the password on the client). I tried to make a module for allowing it but I get assertions when installing the modules.
#######################################################
[root@area51 sshd]# cat MYsshd.te
module MYsshd 1.0;

require {
	type staff_t;
	type user_home_dir_t;
	type sshd_t;
	class file { write ioctl };
	class capability { audit_control audit_write };
	class netlink_audit_socket { create nlmsg_relay write read };
}

#============= sshd_t ==============
allow sshd_t self:capability { audit_control audit_write };
allow sshd_t self:netlink_audit_socket { create nlmsg_relay read write };

#============= staff_t =============
allow staff_t user_home_dir_t:file { write ioctl };
-------------------------------------------------------
[root@area51 sshd]# semodule -i MYsshd.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_control };
libsepol.check_assertions: 3 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
#######################################################
cat /var/log/messages | audit2allow -M MYautogen
semodule -i MYautogen.pp
-------------------------------------------------------
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t security_t:security { load_policy };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t staff_xserver_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t setfiles_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t staff_xserver_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow local_login_t local_login_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t setfiles_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow local_login_t local_login_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t staff_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t staff_t:capability { sys_module };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t shadow_t:file { write create };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t shadow_t:file { write create };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t shadow_t:file { read };
libsepol.check_assertions: 16 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
On Wed, 2007-06-06 at 00:48 +0200, Paul S wrote:
> selinux-policy-strict seems to fail with allowing remote access to the sshd on Fedora7 (2.6.21-1.3194.fc7). I've installed Fedora7 with all the package collections disabled in the installer for a minimal system, installed the necessary tools for selinux and the strict policy and enabled it. Installed sshd, touched /.autorelabel and rebooted (twice). When enabling the enforced mode and trying to ssh from the LAN, I get avc messages because of denied access ("permission denied" after entering the password on the client). I tried to make a module for allowing it but I get assertions when installing the modules.
Already reported, try updating to latest policy. Or add:

require {
	attribute can_set_loginuid;
	attribute can_send_audit_msg;
}
typeattribute sshd_t can_set_loginuid, can_send_audit_msg;

to your .te file.
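The 16 assertion failures above are the base policy's neverallow rules refusing what audit2allow generated; some of those rules (a user domain writing shadow_t, for instance) should never be granted, while sshd's audit permissions are better obtained through the attributes the reply names. As an added example that is not from this thread, the Python helper below parses the libsepol assertion lines semodule prints and strips exactly the rejected permissions from an audit2allow-style module, so a practitioner can see what was refused instead of retrying with the whole rule set; the assertion output and module text are constructed in the shape of what the page shows.

```python
import re

# Constructed sample in the shape of the libsepol lines semodule printed on the page.
ASSERTION_OUTPUT = """\
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t shadow_t:file { write create };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertions: 4 assertion violations occured
"""

# Constructed module body in the shape audit2allow emits (not the page's exact file).
MODULE_TE = """\
allow staff_t shadow_t:file { read write create };
allow sshd_t self:capability { audit_write audit_control };
allow sshd_t self:netlink_audit_socket { create nlmsg_relay read write };
allow staff_t user_home_dir_t:file { write ioctl };
"""

ASSERT_RE = re.compile(r"violated by allow (\S+) (\S+):(\S+) \{ ([^}]*) \};")
ALLOW_RE = re.compile(r"^allow (\S+) (\S+):(\S+) \{ ([^}]*) \};$")


def violated_perms(output):
    """Map (source, target, class) to the permissions a neverallow rule rejected."""
    bad = {}
    for src, tgt, cls, perms in ASSERT_RE.findall(output):
        bad.setdefault((src, tgt, cls), set()).update(perms.split())
    return bad


def prune_module(te_text, bad):
    """Return (pruned .te text, list of rejected single-permission rules)."""
    kept, dropped = [], []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:                      # require blocks, comments, etc. pass through
            kept.append(line)
            continue
        src, tgt, cls, perms = m.groups()
        resolved = src if tgt == "self" else tgt   # assertions print self as the type
        rejected = bad.get((src, resolved, cls), set())
        remaining = [p for p in perms.split() if p not in rejected]
        dropped += [f"allow {src} {tgt}:{cls} {p};" for p in perms.split() if p in rejected]
        if remaining:                  # keep only what the base policy permits
            kept.append(f"allow {src} {tgt}:{cls} {{ {' '.join(remaining)} }};")
    return "\n".join(kept), dropped
```

Feed it the real semodule output and the generated .te, then review the dropped list before deciding whether any of it belongs in a module at all.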
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list