Hi,

I converted my Gentoo installation to SELinux according to the manual (hardened-kernel-2.6.22-r3, targeted). When I login as root with ssh and public key auth, my active context is "root:sysadm_r:system_chkpwd_t". In order to get full access, I have to do "newrole -r sysadm_r -t sysadm_t", which changes me to context "root:sysadm_r:unconfined_t".

Is there a way to have my shell directly enter this context, so I don't have to do the "newrole" and enter my root password?

In the archive I found that adding this to the local policy could help, but it did not work:

# declare the sshd domain so the interface below can reference it
require {
       type sshd_t;
}
# ask the policy to let sshd_t start the login shell in the unconfined shell domain
unconfined_shell_domtrans(sshd_t)

Regards,
Jochen

sestatus -v:
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted

Process contexts:
Current context:                root:sysadm_r:system_chkpwd_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling term:               root:object_r:sshd_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:initrc_exec_t
/sbin/runscript.sh              system_u:object_r:initrc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/usr/sbin/unix_chkpwd           system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t
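Added illustration, not part of Jochen's message: the context a session gets at login is not chosen by `newrole` but by the login program (here sshd through pam_selinux), which asks libselinux for the candidate contexts listed in `/etc/selinux/<policy>/contexts/default_contexts` for its own role:type and requests the first one the user is authorised for; the policy then has to permit sshd_t the transition to that type separately. The Python below models that lookup so the effect of a `default_contexts` line can be checked offline. The `default_contexts` sample, the user-to-role table and the failsafe value are constructed for the example; libselinux's `get_ordered_context_list()` additionally consults per-user override files and validates each candidate against the loaded policy, which is omitted here.

```python
# Added example (not from the original post): a simplified model of how a
# login program such as sshd, via pam_selinux, picks the context for the
# session it spawns. libselinux's get_ordered_context_list() follows the same
# idea but also consults per-user override files and validates each candidate
# against the loaded policy; those steps are omitted here.

# Constructed sample of /etc/selinux/<policy>/contexts/default_contexts.
# Each line: <parent role:type>  <candidate role:type ...> in preference order.
DEFAULT_CONTEXTS = """\
# login programs: prefer the admin role when the user is allowed it
system_r:sshd_t         sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
system_r:local_login_t  sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
system_r:crond_t        user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t
"""

# Constructed: roles each SELinux user may take (what 'seinfo -u <user> -x' lists).
USER_ROLES = {
    "root": {"sysadm_r", "staff_r"},
    "staff_u": {"staff_r"},
    "user_u": {"user_r"},
}

# Constructed fallback, standing in for contexts/failsafe_context.
FAILSAFE_CONTEXT = "sysadm_r:sysadm_t"


def parse_default_contexts(text):
    """Map the parent's 'role:type' to its ordered list of candidate contexts."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parent, *candidates = line.split()
        table.setdefault(parent, candidates)  # first matching line wins
    return table


def role_type(context):
    """Reduce 'user:role:type[:range]' to the 'role:type' pair that is matched."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return f"{parts[1]}:{parts[2]}"


def ordered_context_list(seuser, parent_context, table, user_roles):
    """Candidate session contexts for seuser, most preferred first.

    A candidate is kept only if the user is authorised for its role; the
    type is taken as-is, the way the default_contexts line specifies it.
    """
    allowed = user_roles.get(seuser, set())
    result = []
    for cand in table.get(role_type(parent_context), []):
        role, _, _typ = cand.partition(":")
        if role in allowed:
            result.append(f"{seuser}:{cand}")
    return result


def default_context(seuser, parent_context, table, user_roles, failsafe):
    """The context the session actually gets: first candidate, else the failsafe."""
    candidates = ordered_context_list(seuser, parent_context, table, user_roles)
    if candidates:
        return candidates[0]
    return f"{seuser}:{failsafe}"


if __name__ == "__main__":
    table = parse_default_contexts(DEFAULT_CONTEXTS)
    for user in ("root", "user_u"):
        ctx = default_context(user, "system_u:system_r:sshd_t",
                              table, USER_ROLES, FAILSAFE_CONTEXT)
        print(f"{user} logging in through sshd_t gets {ctx}")
```

Run as a script it prints the context each constructed user would receive from an sshd_t parent; swapping in the real `default_contexts` file and the roles `seinfo` reports for the SELinux user shows which line a login is actually resolved against.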


--
[EMAIL PROTECTED] mailing list