Hello,
I performed a stage1 install from the hardened Gentoo CD. Installation works fine and without problems.
But with the loaded policy it is not possible to do newrole -r or su - from a normal user account.
sysop@access sysop $ newrole -r sysadm_r
Authenticating sysop.
Password:
newrole: incorrect password for sysop
sysop@access sysop $ su -
Password:
su: Authentication failure
Sorry.
Is this the normal behavior of the policy, or have I done something wrong?
How can I change this behavior if all is right?
I have tried a different default_contexts file, but the behavior did not change.
I am used to disabling root access in sshd so that I have to log in as a normal user and su to root for administration.
Some settings:
access policy # uname -a
Linux access 2.6.5-hardened-r5 #3 SMP Thu Jun 24 14:33:31 CEST 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
users:
# seuser
# This file created automatically by seuser on Thu Jul 29 14:52:17 2004
#
# user file
user system_u roles { system_r } ;
user user_u roles { user_r } ;
user root roles { sysadm_r staff_r } ;
user sysop roles { sysadm_r staff_r } ;
user sudevel roles { staff_r user_r } ;
user test roles { user_r staff_r } ;
user operator roles { user_r staff_r };
default_contexts:
system_r:sulogin_t sysadm_r:sysadm_t
system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:remote_login_t user_r:user_t staff_r:staff_t
system_r:sshd_t user_r:user_t staff_r:staff_t
system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mai$
system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sudo_t sysadm_r:sysadm_t
staff_r:sudo_t sysadm_r:sysadm_t staff_r:staff_t
user_r:sudo_t sysadm_r:sysadm_t user_r:user_t
sestatus -v:
access security # sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Policy version: 17
Policy booleans:
user_ping inactive
Process contexts:
Current context: root:sysadm_r:sysadm_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:sshd_t
File contexts:
Controlling term: root:object_r:sysadm_devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
Thank you for any help.
Kind regards
Peter Büttner
-------------------------------------------------
Personal WLAN GmbH http://www.personalwlan.de
Große Elbstraße 145a
22767 Hamburg
Tel.: 040/888855-25
Fax : 040/888855-55
Mail: pb@personalwlan.de
-------------------------------------------------
--
gentoo-hardened@gentoo.org mailing list
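Added here as an illustration, not code from the post or from Gentoo: a small Python model of how the two quoted files combine. It parses the seuser users file and default_contexts, picks the first listed role:type that the user is authorized for (a simplification of libselinux's selection, which also consults the loaded policy), and checks whether newrole -r targets a role the users file grants. Assumed: the excerpts below are the ones from the post; PAM authentication and policy-level role allow rules are outside the model.

```python
import re

# Constructed sample input copied from the post (crond line cut off at "mai$" as posted).
USERS_FILE = """
user user_u roles { user_r } ;
user root roles { sysadm_r staff_r } ;
user sysop roles { sysadm_r staff_r } ;
user test roles { user_r staff_r } ;
user operator roles { user_r staff_r };
"""

DEFAULT_CONTEXTS = """
system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:sshd_t user_r:user_t staff_r:staff_t
system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mai$
staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
"""
USER_RE = re.compile(r"^\s*user\s+(\S+)\s+roles\s*\{([^}]*)\}\s*;")

def parse_users(text):
    """Map each SELinux user to the roles the users file authorizes for it."""
    matches = (USER_RE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).split() for m in matches if m}

def parse_default_contexts(text):
    """Map the login program's role:type to its ordered candidate role:type pairs."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Tokens without ':' (the truncated 'mai$') are not contexts; drop them.
        table[fields[0]] = [tuple(c.split(":", 1)) for c in fields[1:] if ":" in c]
    return table

def default_context(user, source, users, defaults):
    """First candidate whose role the user holds, in the file's order, or None."""
    for role, typ in defaults.get(source, []):
        if role in users.get(user, []):
            return f"{user}:{role}:{typ}"
    return None

def newrole_permitted(user, new_role, users):
    """newrole -r can only reach a role the users file grants to that user."""
    return new_role in users.get(user, [])

if __name__ == "__main__":
    users, defaults = parse_users(USERS_FILE), parse_default_contexts(DEFAULT_CONTEXTS)
    print(default_context("sysop", "system_r:sshd_t", users, defaults))  # sysop:staff_r:staff_t
    print(newrole_permitted("sysop", "sysadm_r", users))                  # True
```

With the quoted files, sysop arriving through sshd lands in staff_r:staff_t and is listed for sysadm_r, so the role grant in these two files is not what refuses the switch; the "incorrect password" message points at the authentication step instead.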