hi guys,
cannot get it to work - shellinabox - not being a programmer nor an SELinux sorcerer.
shellinabox via apache, when I ausearch it all I get is:
#============= unconfined_service_t ==============

#!!!! The file '/usr/bin/bash' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /usr/bin/bash
allow unconfined_service_t unconfined_t:process transition;
I have shellinabox in Apache's:
<Location /cmd>
    AuthType Basic
    AuthName "some more"
    AuthBasicProvider PAM
    AuthPAMService rstudio
    Require valid-user
    #Require all granted
    ProxyPass http://localhost:4200/
</Location>
using:
LoadModule authnz_pam_module modules/mod_authnz_pam.so
So all seems to work there between Apache & shellinabox. The last bit, when you log in to the shell, you get denied.
Would there be a reasonable SELinux module for it, or is shellinabox just too poor a design?
many thanks, L.
On Mon, 11 Jun 2018 18:25:08 +0100 lejeczek peljasz@yahoo.co.uk wrote:
> hi guys,
> cannot get it to work - shellinabox - not being a programmer nor an SELinux sorcerer.
> shellinabox via apache, when I ausearch it all I get is:
> #============= unconfined_service_t ==============
>
> #!!!! The file '/usr/bin/bash' is mislabeled on your system.
> #!!!! Fix with $ restorecon -R -v /usr/bin/bash
> allow unconfined_service_t unconfined_t:process transition;
> I have shellinabox in Apache's:
> <Location /cmd>
>     AuthType Basic
>     AuthName "some more"
>     AuthBasicProvider PAM
>     AuthPAMService rstudio
>     Require valid-user
>     #Require all granted
>     ProxyPass http://localhost:4200/
> </Location>
> using:
> LoadModule authnz_pam_module modules/mod_authnz_pam.so
> So all seems to work there between Apache & shellinabox. The last bit, when you log in to the shell, you get denied.
> Would there be a reasonable SELinux module for it, or is shellinabox just too poor a design?
Strange. shellinabox is working for me on Fedora 27.
What's the context of /usr/bin/bash on your system?
$ ls -lZ /usr/bin/bash
-rwxr-xr-x. 1 root root system_u:object_r:shell_exec_t:s0 1132656 Feb 13 14:08 /usr/bin/bash
If it's not shell_exec_t, the advice given in the error message you saw should fix it.
Paul.
On 06/12/2018 04:02 AM, Paul Howarth wrote:
> ls -lZ /usr/bin/bash
> -rwxr-xr-x. 1 root root system_u:object_r:shell_exec_t:s0 1132656 Feb 13 14:08 /usr/bin/bash
I do not have a problem, but just for laughs, I tried the above.
Red Hat Enterprise Linux Server release 6.9 (Santiago)
$ uname -r
2.6.32-696.30.1.el6.x86_64
$ ls -lZ /usr/bin/bash
ls: cannot access /usr/bin/bash: No such file or directory
$ whereis bash
bash: /bin/bash /usr/share/man/man1/bash.1.gz
$ ls -lZ /bin/bash
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /bin/bash
$ ls -l /bin/bash
-rwxr-xr-x. 1 root root 942200 Feb 15 2017 /bin/bash
Anybody on Centos 7.5?
Is it really healthy to:
allow unconfined_service_t unconfined_t:process transition;
?
On 12/06/18 09:02, Paul Howarth wrote:
> Strange. shellinabox is working for me on Fedora 27.
> What's the context of /usr/bin/bash on your system?
> $ ls -lZ /usr/bin/bash
> -rwxr-xr-x. 1 root root system_u:object_r:shell_exec_t:s0 1132656 Feb 13 14:08 /usr/bin/bash
> If it's not shell_exec_t, the advice given in the error message you saw should fix it.
> Paul.
I should have maybe mentioned that I'm on CentOS 7.5
$ ll -Z /usr/bin/bash
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /usr/bin/bash
$ ll -Z /usr/sbin/shellinaboxd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/shellinaboxd
I think the problem is here, it's how systemd does the service:
$ ps -FZp 2909167 --cols 999
LABEL UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
system_u:system_r:unconfined_service_t:s0 shellin+ 2909167 1 0 10785 2740 7 Jun11 ? 00:00:00 /usr/sbin/shellinaboxd -u shellinabox -g shellinabox --cert=/var/lib/shellinabox --port=4200 --localhost-only --disable-ssl
selinux@lists.fedoraproject.org
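Added example, not part of the thread or any poster's code: on the question of whether the suggested allow rule is healthy, this groups AVC denials into the rules they would produce and flags any whose source domain is shared, since a rule on unconfined_service_t covers every process running in that domain, not only shellinaboxd. The AVC records are constructed for illustration, and SHARED_DOMAINS and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed AVC records in audit.log format (not taken from the thread).
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1528740000.101:901): avc:  denied  { transition } for  pid=4242 comm="shellinaboxd" path="/usr/bin/bash" dev="dm-0" ino=1234 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1528740003.207:905): avc:  denied  { transition } for  pid=4250 comm="shellinaboxd" path="/usr/bin/bash" dev="dm-0" ino=1234 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1528740010.015:911): avc:  denied  { name_connect } for  pid=1300 comm="httpd" dest=4200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")
COMM_RE = re.compile(r'comm="([^"]*)"')

# Assumption for this example: domains shared by many unrelated daemons.
SHARED_DOMAINS = {"unconfined_service_t"}


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def summarise(audit_text):
    """Group denials into candidate allow rules and flag shared source domains."""
    grouped = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        entry = grouped[(selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])]
        entry["perms"].update(m["perms"].split())
        entry["count"] += 1
        comm = COMM_RE.search(line)
        if comm:
            entry["comms"].add(comm.group(1))
    report = []
    for (src, tgt, cls), e in sorted(grouped.items()):
        perms = sorted(e["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        report.append({"rule": f"allow {src} {tgt}:{cls} {perm_str};",
                       "count": e["count"], "comms": sorted(e["comms"]),
                       "shared_source": src in SHARED_DOMAINS})
    return report


if __name__ == "__main__":
    for r in summarise(SAMPLE_AUDIT):
        note = "  <-- rule would cover every process in this domain" if r["shared_source"] else ""
        print(f'{r["count"]}x {r["rule"]} (seen from {", ".join(r["comms"])}){note}')
```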