Hi All,
I work on a diskless system with RHEL5 beta i386. As long as SELinux
is enabled, I can't log in to the system, and it always tells me "/bin/bash:
Permission denied".
[EMAIL PROTECTED] /]# ssh e326n01
Last login: Fri Oct 20 14:29:04 2006 from xblade10.clusters.com-admin
/bin/bash: Permission denied
Connection to e326n01 closed.
After changing the SELinux config to permissive mode, I got the following details:
[EMAIL PROTECTED] /]# id -Z
root:system_r:hotplug_t:s0-s0:c0.c255
[EMAIL PROTECTED] /]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted
Process contexts:
Current context: root:system_r:hotplug_t:s0-s0:c0.c255
Init context: system_u:system_r:kernel_t:s0
/sbin/mingetty system_u:system_r:kernel_t:s0
/sbin/agetty system_u:system_r:kernel_t:s0
/usr/sbin/sshd system_u:system_r:kernel_t:s0
File contexts:
Controlling term: root:object_r:devpts_t:s0
/etc/passwd system_u:object_r:tmpfs_t:s0
/etc/shadow system_u:object_r:tmpfs_t:s0
/bin/bash system_u:object_r:tmpfs_t:s0
/bin/login system_u:object_r:tmpfs_t:s0
/bin/sh system_u:object_r:tmpfs_t:s0 ->
system_u:object_r:tmpfs_t:s0
/sbin/agetty system_u:object_r:tmpfs_t:s0
/sbin/init system_u:object_r:tmpfs_t:s0
/sbin/mingetty system_u:object_r:tmpfs_t:s0
/usr/sbin/sshd system_u:object_r:tmpfs_t:s0
/lib/libc.so.6 system_u:object_r:tmpfs_t:s0 ->
system_u:object_r:tmpfs_t:s0
/lib/ld-linux.so.2 system_u:object_r:tmpfs_t:s0 ->
system_u:object_r:tmpfs_t:s0
[EMAIL PROTECTED] /]# sestatus -b
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted
Policy booleans:
NetworkManager_disable_trans off
allow_cvs_read_shadow off
allow_execheap off
allow_execmem off
allow_execmod off
allow_execstack on
allow_ftpd_anon_write off
allow_ftpd_use_cifs off
allow_ftpd_use_nfs off
allow_gssd_read_tmp on
allow_httpd_anon_write off
allow_httpd_mod_auth_pam off
allow_httpd_sys_script_anon_write off
allow_java_execstack off
allow_kerberos on
allow_mount_anyfile off
allow_nfsd_anon_write off
allow_rsync_anon_write off
allow_saslauthd_read_shadow off
allow_smbd_anon_write off
allow_ypbind off
allow_zebra_write_config on
amanda_disable_trans off
amavis_disable_trans off
apmd_disable_trans off
arpwatch_disable_trans off
auditd_disable_trans off
automount_disable_trans off
avahi_disable_trans off
bluetooth_disable_trans off
canna_disable_trans off
cardmgr_disable_trans off
clamd_disable_trans off
clamscan_disable_trans off
clvmd_disable_trans off
comsat_disable_trans off
crond_disable_trans off
cupsd_config_disable_trans off
cupsd_disable_trans off
cupsd_lpd_disable_trans off
cvs_disable_trans off
cyrus_disable_trans off
dbskkd_disable_trans off
dccd_disable_trans off
dccifd_disable_trans off
dccm_disable_trans off
dhcpc_disable_trans off
dhcpd_disable_trans off
dovecot_disable_trans off
fcron_crond off
fetchmail_disable_trans off
fingerd_disable_trans off
freshclam_disable_trans off
ftp_home_dir off
ftpd_disable_trans off
ftpd_is_daemon on
global_ssp off
gpm_disable_trans off
gssd_disable_trans off
hald_disable_trans off
hotplug_disable_trans off
howl_disable_trans off
hplip_disable_trans off
httpd_builtin_scripting on
httpd_can_network_connect off
httpd_can_network_connect_db off
httpd_can_network_relay off
httpd_disable_trans off
httpd_enable_cgi on
httpd_enable_ftp_server off
httpd_enable_homedirs on
httpd_rotatelogs_disable_trans off
httpd_ssi_exec off
httpd_suexec_disable_trans off
httpd_tty_comm off
httpd_unified on
inetd_child_disable_trans off
inetd_disable_trans off
innd_disable_trans off
irqbalance_disable_trans off
kadmind_disable_trans off
klogd_disable_trans off
krb5kdc_disable_trans off
ktalkd_disable_trans off
lpd_disable_trans off
mailman_mail_disable_trans off
mysqld_disable_trans off
nagios_disable_trans off
named_disable_trans off
named_write_master_zones off
nfs_export_all_ro on
nfs_export_all_rw on
nfsd_disable_trans off
nmbd_disable_trans off
nrpe_disable_trans off
nscd_disable_trans off
ntpd_disable_trans off
openvpn_disable_trans off
pegasus_disable_trans off
portmap_disable_trans off
postfix_disable_trans off
postgresql_disable_trans off
pppd_can_insmod off
pppd_disable_trans off
pptp_disable_trans off
privoxy_disable_trans off
ptal_disable_trans off
pyzord_disable_trans off
radiusd_disable_trans off
radvd_disable_trans off
rdisc_disable_trans off
read_default_t on
readahead_disable_trans off
restorecond_disable_trans off
rlogind_disable_trans off
rpcd_disable_trans off
rshd_disable_trans off
rsync_disable_trans off
samba_enable_home_dirs off
samba_share_nfs off
saslauthd_disable_trans off
secure_mode_insmod off
secure_mode_policyload off
setrans_disable_trans off
setroubleshootd_disable_trans off
slapd_disable_trans off
smbd_disable_trans off
snmpd_disable_trans off
spamd_disable_trans off
spamd_enable_home_dirs on
squid_connect_any off
squid_disable_trans off
stunnel_disable_trans off
stunnel_is_daemon off
swat_disable_trans off
syslogd_disable_trans off
system_crond_disable_trans off
tcpd_disable_trans off
telnetd_disable_trans off
tftpd_disable_trans off
udev_disable_trans off
use_nfs_home_dirs off
use_samba_home_dirs off
uucpd_disable_trans off
winbind_disable_trans off
xdm_disable_trans off
xend_disable_trans off
xfs_disable_trans off
xm_disable_trans off
ypbind_disable_trans off
yppasswdd_disable_trans off
ypserv_disable_trans off
ypxfr_disable_trans off
zebra_disable_trans off
Also, I ran the "audit2allow -d -l" command to get the suggested repair rules below:
#cat selog.te
allow hotplug_t self:capability { setgid setuid };
allow hotplug_t self:process setpgid;
allow hotplug_t self:tcp_socket connect;
allow hotplug_t kernel_t:system syslog_read;
allow hotplug_t kernel_t:unix_stream_socket { getattr ioctl read write };
allow hotplug_t nfs_t:dir { getattr read search };
allow hotplug_t nfs_t:file { execute execute_no_trans getattr read };
allow hotplug_t nfs_t:lnk_file read;
allow hotplug_t ssh_port_t:tcp_socket name_connect;
allow hotplug_t sysctl_hotplug_t:file { getattr read write };
allow hotplug_t sysctl_modprobe_t:file getattr;
allow hotplug_t tmp_t:dir { add_name create getattr read remove_name
rmdir search setattr write };
allow hotplug_t tmp_t:file { append create execute execute_no_trans
getattr ioctl read setattr unlink write };
allow hotplug_t tmpfs_t:dir { add_name write };
allow hotplug_t tmpfs_t:file { append create entrypoint execute
execute_no_trans getattr ioctl read setattr write };
allow hotplug_t tmpfs_t:lnk_file { getattr read };
allow hotplug_t tty_device_t:chr_file { getattr ioctl };
All of the suggested rules focus on hotplug_t. By the way, I created a tmpfs file
system and chroot into it as the root file system.
[EMAIL PROTECTED] tmp]# mount
VNFS(RedHatEL-Client5-GA-i386) on / type tmpfs (rw)
none on /proc type proc (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
none on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
172.20.3.26:/home on /home type nfs (rw,nfsvers=2,addr=172.20.3.26)
I want to know whether this is a defect in the RHEL5 beta SELinux targeted policy.
Thanks, Xiangjun