sshd_t & guest_t - Boolean suggestion

Dominick Grift domg472 at gmail.com
Thu Dec 23 21:21:00 UTC 2010



On 12/23/2010 08:18 PM, Jorge Fábregas wrote:
> On Thursday, December 23, 2010 03:09:11 pm Daniel J Walsh wrote:
>> Theoretically we have this.
>>
>> unconfined_login               -> on    Allow a user to login as an
>> unconfined domain
>>
>> (Not sure it works.
> 
> I didn't know that one but it seems it's not working on Fedora 12 (I'll switch 
> to Fedora 14 soon I know :)
> 
> After doing: setsebool unconfined_login off
> ..and then tried to connect (as a regular unconfined user),  pstree shows:
> 
>  |-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
>  |  `-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
>  |     `-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
>  |        `-bash(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
> 
> ... it transitioned into unconfined_t .so the boolean is not working here.
> 
>> Well one thing you could try is to disable the unconfineduser policy
>> package,   This would eliminate the unconfined_t from your system
>> altogether.
>>
>> Then you would have to setup the admin (root) to log in as sysadm_t.
> 
> I'll check into this.  Never used sysadm_t before.

I went a bit further in my personal policy and combined the unconfined
and sysadm login:

 [dgrift at localhost Desktop]$ ssh dgrift/sysadm_r at localhost
 WARNING!!! You have accessed a private network.
 UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
 Violators may be prosecuted to the full extend of the law.
 Your access to this network may be monitored and recorded for quality
 assurance, security, performance, and maintenance purposes.

 /bin/bash: Permission denied
 Connection to localhost closed.

 [root at localhost Desktop]$ getsebool -a | grep ssh_all
 ssh_all_login_users --> off

So with ssh_all_login_users set to on, all login users (including sysadm
and unconfined) are able to log in. If set to off, then "privileged" users
(sysadm and unconfined) cannot log in with sshd.

  tunable_policy(`ssh_all_login_users',`
          # Relabel and access ptys created by sshd
          # ioctl is necessary for logout() processing for utmp entry and for w to
          # display the tty.
          # some versions of sshd on the new SE Linux require setattr
          userdom_spec_domtrans_all_users(sshd_t)
          userdom_signal_all_users(sshd_t)
  ',`
          userdom_spec_domtrans_unpriv_users(sshd_t)
          userdom_signal_unpriv_users(sshd_t)
  ')

http://fedorapeople.org/gitweb?p=domg472/public_git/refpolicy.git;a=blob;f=policy/modules/services/ssh.te;h=cef1cad73fbf4b79e2418cbc4dc07123e311e200;hb=HEAD

Not sure why I have not implemented the same for xdm though. I should
look into that.

> Thanks,
> Jorge
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

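A check for the behaviour discussed in the thread, added here as an example (it is not code from the thread or from refpolicy): it reads getsebool output and a pstree -Z style listing, both constructed samples modelled on the output Jorge quoted, and reports any shell running in sysadm_t or unconfined_t under sshd while ssh_all_login_users is off. The parsing functions and their names are assumptions of this example.

```python
import re

# Constructed sample in the style of `getsebool ssh_all_login_users`.
GETSEBOOL_OUTPUT = "ssh_all_login_users --> off\n"

# Constructed sample in the style of `pstree -Z`: one process per line,
# "<tree indent>name(`user:role:type:range')". The first tree is the
# unwanted transition to unconfined_t; the second is an unprivileged login.
PSTREE_OUTPUT = """\
 |-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
 |  `-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
 |     `-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
 |        `-bash(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
 |-sshd(`staff_u:system_r:sshd_t:s0')
 |  `-bash(`staff_u:staff_r:staff_t:s0')
"""

# Domains that the boolean, when off, is meant to keep out of sshd logins.
PRIVILEGED_DOMAINS = {"sysadm_t", "unconfined_t"}
LINE_RE = re.compile(r"^(?P<indent>[\s|`-]*)(?P<name>\w+)\(`(?P<ctx>[^']*)'\)")


def parse_bool(getsebool_output, name):
    """Return True if boolean `name` is reported as on, False if off."""
    for line in getsebool_output.splitlines():
        key, sep, value = line.partition("-->")
        if sep and key.strip() == name:
            return value.strip() == "on"
    raise KeyError(name)


def context_type(ctx):
    """Third field of user:role:type:range is the domain (type)."""
    return ctx.split(":")[2]


def find_privileged_ssh_logins(pstree_output):
    """Return (process, domain) for privileged domains descended from sshd_t."""
    found, stack = [], []  # stack holds (indent depth, domain) of ancestors
    for m in filter(None, map(LINE_RE.match, pstree_output.splitlines())):
        depth = len(m["indent"])
        while stack and stack[-1][0] >= depth:  # climb back up the tree
            stack.pop()
        dom = context_type(m["ctx"])
        if dom in PRIVILEGED_DOMAINS and any(t == "sshd_t" for _, t in stack):
            found.append((m["name"], dom))
        stack.append((depth, dom))
    return found


def check_ssh_logins(getsebool_output, pstree_output):
    """Empty list means the running system matches the boolean's intent."""
    if parse_bool(getsebool_output, "ssh_all_login_users"):
        return []  # boolean on: privileged logins over sshd are expected
    return find_privileged_ssh_logins(pstree_output)
```

Run against live output with `getsebool ssh_all_login_users` and `pstree -Z` to confirm the transition actually follows the boolean, which is the check Jorge's pstree output failed on Fedora 12.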
