| Summary: | =sec-policy/selinux-*-9999 blocks ssh as user | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Alex Brandt (RETIRED) <alunduil> |
| Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | CC: | selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | sec-policy r6 | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | /etc/ssh/sshd_config, /etc/ssh/ssh_config | | |
Description

Alex Brandt (RETIRED) 2012-10-06 18:15:59 UTC

Can you (safely ;) show the ssh client & server configuration? I can't reproduce this, and the "Auto configuration failed" message seems somewhat weird. Not that I don't think it's needed, but I'd like to know when it is needed in case I have to "defend" it upstream.

It's a mostly stock set of configs (I've attached them for your review). I'm not sure why it's auto-configuring either. Like I said, this is pretty stock. Let me know if the configs help or if you need anything else. These are the configs from the system I'm SSH'ing _from_ (the one exhibiting this behavior).

Created attachment 325842 [details]
/etc/ssh/sshd_config

Created attachment 325844 [details]
/etc/ssh/ssh_config

So it's because (open)ssh links with libcrypto, offered by openssl. And that part wants to read the openssl.cnf file.

Upstreamed: http://oss.tresys.com/pipermail/refpolicy/2012-October/005845.html

Cause of the failure is a commit from the Debian folks to label /etc/ssl as cert_t completely (whereas it previously was etc_t). Two ways can be used to handle this.

(1.) Allow ssh_t to read generic certificates, as you suggested. Since it is because ssh is linked with libcrypto, this is not a weird suggestion, and imo doesn't impact security.

(2.) Label /etc/ssl and /etc/ssl/openssl.cnf as etc_t, and use cert_t for /etc/ssl/certs* and other

I submitted the first one upstream, but if the second option is better we'll use that.

Well, upstream found that openssl.cnf should remain etc_t, but the second patch on that hasn't been committed upstream (just silence). I assume it'll be done though, so I already committed it to our repository. Should be in the live ebuilds available already, and in r6 when it comes out.

In hardened-dev, r6 release

In main tree, ~arch'ed
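The two fixes weighed in the thread, written out as an added example for a local administrator on a Gentoo SELinux host. This is not code from the bug, from refpolicy or from the sec-policy ebuilds: the module name `sshcert`, the refpolicy development Makefile path, and the constructed AVC line used for the self-check are all assumptions. Option (1) is expressed through the refpolicy interface `miscfiles_read_generic_certs`, which is the policy-language form of "allow ssh_t to read generic certificates"; option (2) is expressed as local file-context customisations with `semanage fcontext` plus a `restorecon`, which is the admin-side equivalent of the `.fc` relabel upstream settled on.

```shell
#!/bin/sh
# Added example: the two SELinux fixes discussed in the bug, for a local admin.
# Not from the bug or from sec-policy; module name and paths are assumptions.

# Option (1): grant ssh_t read access to generic certificates (cert_t).
# libcrypto, linked into ssh, opens /etc/ssl/openssl.cnf; once /etc/ssl is
# labelled cert_t that open is a read of the certificate store.
ssh_cert_te() {
	cat <<'EOF'
policy_module(sshcert, 1.0)

require {
	type ssh_t;
}

# ssh links libcrypto, which reads /etc/ssl/openssl.cnf (cert_t after the
# Debian relabel). Grant dir search + file read on generic certificates.
miscfiles_read_generic_certs(ssh_t)
EOF
}

# Option (2): keep /etc/ssl and openssl.cnf as etc_t, reserve cert_t for the
# certificate directory. Emitted as semanage local customisations so they
# survive policy package upgrades; the bug's "and other" paths are not known,
# so only /etc/ssl/certs is relabelled here.
ssl_fcontext_cmds() {
	cat <<'EOF'
semanage fcontext -a -t etc_t '/etc/ssl'
semanage fcontext -a -t etc_t '/etc/ssl/openssl\.cnf'
semanage fcontext -a -t cert_t '/etc/ssl/certs(/.*)?'
restorecon -RFv /etc/ssl
matchpathcon /etc/ssl /etc/ssl/openssl.cnf /etc/ssl/certs
EOF
}

# Build the option (1) module with the refpolicy development Makefile
# (Gentoo strict path assumed; override via SELINUX_DEVEL_MAKEFILE) and load it.
build_and_load_module() {
	mk="${SELINUX_DEVEL_MAKEFILE:-/usr/share/selinux/strict/include/Makefile}"
	dir=$(mktemp -d) || return 1
	ssh_cert_te > "$dir/sshcert.te"
	( cd "$dir" && make -f "$mk" sshcert.pp ) || return 1
	semodule -i "$dir/sshcert.pp"
}

# Constructed AVC denial matching the situation in the bug (ssh_t reading a
# cert_t file); real records also carry pid/dev/ino, omitted here.
SAMPLE_AVC='avc: denied { read } for comm="ssh" name="openssl.cnf" scontext=staff_u:staff_r:ssh_t tcontext=system_u:object_r:cert_t tclass=file'

# Extract "<source type> <target type>" from an AVC line (works with or
# without a trailing MLS/MCS level), to confirm the rule targets the right pair.
avc_types() {
	printf '%s\n' "$1" | sed -n \
		's/.*scontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* tcontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* .*/\1 \2/p'
}

case "${1:-}" in
	module)  build_and_load_module ;;
	relabel) ssl_fcontext_cmds | sh ;;
	types)   avc_types "$SAMPLE_AVC" ;;
	*)       printf 'Usage: %s module|relabel|types\n' "$0" ;;
esac
```

Pick one option, not both: loading the module while also relabelling /etc/ssl back to etc_t leaves a grant with nothing left to read. After `relabel`, the `matchpathcon` line should report etc_t for the directory and openssl.cnf and cert_t for certs; if it does not, a more specific entry in the shipped file_contexts is still winning and needs to be checked with `semanage fcontext -l`.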