sshd_t & guest_t - Boolean suggestion

Jorge Fábregas jorge.fabregas at gmail.com
Thu Dec 23 19:18:18 UTC 2010


On Thursday, December 23, 2010 03:09:11 pm Daniel J Walsh wrote:
> Theoretically we have this.
> 
> unconfined_login               -> on    Allow a user to login as an
> unconfined domain
> 
> (Not sure it works.

I didn't know that one but it seems it's not working on Fedora 12 (I'll switch 
to Fedora 14 soon I know :)

After doing: setsebool unconfined_login off
...and then trying to connect (as a regular unconfined user), pstree shows:

 |-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
 |  `-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
 |     `-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
 |        `-bash(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')

... it transitioned into unconfined_t, so the boolean is not working here.

> Well one thing you could try is to disable the unconfineduser policy
> package. This would eliminate the unconfined_t from your system
> altogether.
> 
> Then you would have to set up the admin (root) to log in as sysadm_t.

I'll check into this.  Never used sysadm_t before.

Thanks,
Jorge
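
The check described in the message above (toggle the boolean, log in over ssh, read the contexts in the process tree) can be scripted. This is an added example, not part of the original message or of any SELinux tooling; the function names are hypothetical and it assumes tree lines in the same format as the pstree output quoted above.

```shell
#!/bin/sh
# Added example: parse process-tree lines shaped like the ones quoted above
# and report the SELinux type of every process running underneath an sshd.

# sshd_session_domains: stdin = tree lines, stdout = "<process> <type>" for
# each non-sshd descendant of an sshd process.
sshd_session_domains() {
    awk '
    {
        # Locate "name(" ; its column encodes the depth in the tree.
        if (!match($0, /[A-Za-z_][^(]*\(/)) next
        col  = RSTART
        name = substr($0, RSTART, RLENGTH - 1)
        # The context is user:role:type:level, so the type is field 3.
        split(substr($0, RSTART + RLENGTH), f, ":")
        type = f[3]

        if (root > 0 && col <= root) root = 0   # left the sshd subtree
        if (name == "sshd") { if (root == 0) root = col; next }
        if (root > 0) print name, type
    }'
}

# login_is_confined: exit 0 if no sshd descendant runs in unconfined_t,
# exit 1 if at least one login session ended up unconfined.
login_is_confined() {
    if sshd_session_domains | grep -q ' unconfined_t$'; then
        return 1
    fi
    return 0
}
```

Feed it the tree output captured after the test login; a non-zero exit from login_is_confined means a session under sshd still transitioned into unconfined_t.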

