Re: Preview of changes to the Security susbystem for 2.6.36

From: Valdis . Kletnieks
Date: Wed Aug 04 2010 - 02:19:58 EST

Next message: Dmitry Torokhov: "Re: [git pull] Input updates for 2.6.34-rc6"
Previous message: Viresh KUMAR: "[PATCH V2] Watchdog: Adding support for ARM Primecell SP805 Watchdog"
In reply to: Tetsuo Handa: "Re: Preview of changes to the Security susbystem for 2.6.36"
Next in thread: Tetsuo Handa: "Re: Preview of changes to the Security susbystem for 2.6.36"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 04 Aug 2010 12:54:32 +0900, Tetsuo Handa said:

> # killall -KILL sshd
> # /usr/sbin/sshd -o 'Banner /etc/shadow'
> # ssh localhost

I am unable to replicate this behavior on my system with SELinux set to
enforcing mode. However, it does happen (which is to be expected) when SELinux
is set to permissive mode.

% rpm -q openssh selinux-policy-mls
openssh-5.5p1-18.fc14.x86_64
selinux-policy-mls-3.8.8-8.fc14.noarch

Tested by by trying both /etc/issue and /etc/shadow as banner files - in permissive
mode, both files would be displayed. In enforcing mode, /etc/issue would show
up and /etc/shadow would not. In addition, checking of the actual policy
source for ssh shows no entry for auth_read_shadow() for sshd_t, although it is
present for many other systemd daemons that have a need to read it. So in
enforcing mode, there's no rule allowing sshd to open /etc/shadow, so it won't
open.

Are you sure you weren't running in permissive mode when you tested this?

Attachment: pgp00000.pgp
Description: PGP signature

Next message: Dmitry Torokhov: "Re: [git pull] Input updates for 2.6.34-rc6"
Previous message: Viresh KUMAR: "[PATCH V2] Watchdog: Adding support for ARM Primecell SP805 Watchdog"
In reply to: Tetsuo Handa: "Re: Preview of changes to the Security susbystem for 2.6.36"
Next in thread: Tetsuo Handa: "Re: Preview of changes to the Security susbystem for 2.6.36"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]