Hello again,
If all my SSH users are "guest_u" users (guest_t domain) and there won't be any admin connecting to the machine...wouldn't it be great to remove the capability sshd_t has in transitioning into unconfined_t? ...by means of a boolean?
Thanks, Jorge
On 12/23/2010 02:00 PM, Jorge Fábregas wrote:
> Hello again,
> If all my SSH users are "guest_u" users (guest_t domain) and there won't be any admin connecting to the machine...wouldn't it be great to remove the capability sshd_t has in transitioning into unconfined_t? ...by means of a boolean?
> Thanks, Jorge
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Theoretically we have this:
unconfined_login -> on   Allow a user to login as an unconfined domain
(Not sure it works.)
Well, one thing you could try is to disable the unconfineduser policy package. This would eliminate unconfined_t from your system altogether.
Then you would have to set up the admin (root) to log in as sysadm_t.
On Thursday, December 23, 2010 03:09:11 pm Daniel J Walsh wrote:
> Theoretically we have this:
> unconfined_login -> on   Allow a user to login as an unconfined domain
> (Not sure it works.)
I didn't know that one, but it seems it's not working on Fedora 12 (I'll switch to Fedora 14 soon, I know :)
After doing `setsebool unconfined_login off` and then trying to connect (as a regular unconfined user), pstree shows:
  |-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
  |   `-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
  |       `-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
  |           `-bash(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
...it transitioned into unconfined_t, so the boolean is not working here.
> Well, one thing you could try is to disable the unconfineduser policy package. This would eliminate unconfined_t from your system altogether.
> Then you would have to set up the admin (root) to log in as sysadm_t.
I'll check into this. Never used sysadm_t before.
Thanks, Jorge
On 12/23/2010 08:18 PM, Jorge Fábregas wrote:
> On Thursday, December 23, 2010 03:09:11 pm Daniel J Walsh wrote:
>> Theoretically we have this:
>> unconfined_login -> on   Allow a user to login as an unconfined domain
>> (Not sure it works.)
> I didn't know that one, but it seems it's not working on Fedora 12 (I'll switch to Fedora 14 soon, I know :)
> After doing `setsebool unconfined_login off` and then trying to connect (as a regular unconfined user), pstree shows:
>   |-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
>   |   `-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
>   |       `-sshd(`unconfined_u:system_r:sshd_t:s0-s0:c0.c1023')
>   |           `-bash(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
> ...it transitioned into unconfined_t, so the boolean is not working here.
>> Well, one thing you could try is to disable the unconfineduser policy package. This would eliminate unconfined_t from your system altogether.
>> Then you would have to set up the admin (root) to log in as sysadm_t.
> I'll check into this. Never used sysadm_t before.
I went a bit further in my personal policy and combined the unconfined and sysadm login:

  [dgrift@localhost Desktop]$ ssh dgrift/sysadm_r@localhost
  WARNING!!! You have accessed a private network. UNAUTHORIZED ACCESS IS PROHIBITED BY LAW. Violators may be prosecuted to the full extent of the law. Your access to this network may be monitored and recorded for quality assurance, security, performance, and maintenance purposes.
  /bin/bash: Permission denied
  Connection to localhost closed.

  [root@localhost Desktop]$ getsebool -a | grep ssh_all
  ssh_all_login_users --> off

So with ssh_all_login_users set to on, all login users (including sysadm and unconfined) are able to log in. If set to off, then the "privileged" users (sysadm and unconfined) cannot log in with sshd:
  tunable_policy(`ssh_all_login_users',`
      # Relabel and access ptys created by sshd
      # ioctl is necessary for logout() processing for utmp entry and for w to
      # display the tty.
      # some versions of sshd on the new SE Linux require setattr
      userdom_spec_domtrans_all_users(sshd_t)
      userdom_signal_all_users(sshd_t)
  ',`
      userdom_spec_domtrans_unpriv_users(sshd_t)
      userdom_signal_unpriv_users(sshd_t)
  ')
http://fedorapeople.org/gitweb?p=domg472/public_git/refpolicy.git;a=blob;f=p...
Not sure why I have not implemented the same for xdm, though. I should look into that.
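Added example, not code from any of the posters above: both Jorge's pstree check (did the login shell land in unconfined_t after `setsebool unconfined_login off`?) and Dominick's ssh_all_login_users test come down to the same question, namely which domain sshd actually hands each remote login. The script below answers it from `ps -eo label,pid,ppid,comm` style output: it finds every process whose parent runs in sshd_t and is not itself another sshd, reports its type, and flags the ones in a domain you did not mean to expose over SSH. The sample process list is constructed for the example, the PRIV_DOMAINS list is an assumption (unconfined_t plus sysadm_t, the two Dominick's boolean gates), and `live_probe` is only a sketch of what you would run on a real host; it is not exercised here.

```shell
#!/bin/sh
# Added example (not from the thread). Audits which SELinux domain each
# remote SSH login actually ended up in, instead of reading pstree by eye.

# Assumption: the domains a guest-only SSH host should never hand out.
PRIV_DOMAINS="unconfined_t sysadm_t"

# Constructed sample of `ps -eo label,pid,ppid,comm --no-headers` output:
# one unconfined login (1201 -> 1202), one guest login (1301 -> 1302) and a
# local bash (2000) that is not an SSH session at all.
SAMPLE_PS='system_u:system_r:init_t:s0 1 0 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 900 1 sshd
unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 1201 900 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1202 1201 bash
guest_u:system_r:sshd_t:s0 1301 900 sshd
guest_u:guest_r:guest_t:s0 1302 1301 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2000 1 bash'

# ssh_login_domains: stdin = ps lines "label pid ppid comm".
# Prints "pid type" for every process whose parent runs in sshd_t and that
# is not another sshd (privsep/session children stay in sshd_t).
ssh_login_domains() {
  awk '
    { ctx[$2] = $1; parent[$2] = $3 }
    END {
      for (p in ctx) {
        pp = parent[p]
        if (!(pp in ctx)) continue
        split(ctx[pp], pf, ":")          # pf[3] is the parent type
        if (pf[3] != "sshd_t") continue
        split(ctx[p], f, ":")            # f[3] is this process type
        if (f[3] == "sshd_t") continue   # still sshd, not the user shell
        print p, f[3]
      }
    }' | sort -n
}

# privileged_ssh_logins: stdin = ps lines; keeps only sessions whose type is
# in PRIV_DOMAINS.
privileged_ssh_logins() {
  ssh_login_domains | while read -r pid dom; do
    for d in $PRIV_DOMAINS; do
      if [ "$dom" = "$d" ]; then printf '%s %s\n' "$pid" "$dom"; fi
    done
  done
}

# check_ssh_logins: stdin = ps lines; exit 0 when no SSH session sits in a
# privileged domain, 1 otherwise. Run it after toggling the boolean and
# logging in again.
check_ssh_logins() {
  [ -z "$(privileged_ssh_logins)" ]
}

# live_probe: what you would type on the real host (needs SELinux and root
# for getsebool/ps). Not run by the example; shown for the procedure only.
live_probe() {
  getsebool -a | grep -E 'unconfined_login|ssh_all_login_users'
  ps -eo label,pid,ppid,comm --no-headers | privileged_ssh_logins
}

# Stand-alone run against the constructed sample: prints "1202 unconfined_t".
printf '%s\n' "$SAMPLE_PS" | privileged_ssh_logins
```

On a live box, `ssh user/sysadm_r@host id -Z` (the role-in-username form Dominick uses) is the quickest way to produce a session to audit; if pam_selinux refuses the role you get the "Permission denied" he shows rather than a shell in sysadm_t.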