<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Handbook Page</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Begin Here</p>
<p>
  You must be in <span class="code" dir="ltr">sysadm_r</span> to perform these actions.
</p>
<p>
  Run <span class="code" dir="ltr">sestatus -v</span> and compare the Process contexts and
  File contexts it prints against the table below.  Working top to bottom, follow the
  link for the first context that does not match.
</p>
<table class="ntable">
<tr>
<td class="infohead"><b>Process</b></td>
<td class="infohead"><b>Context</b></td>
</tr>
<tr>
<td class="tableinfo">Init context</td>
<td class="tableinfo"><a href="#doc_chap2">system_u:system_r:init_t</a></td>
</tr>
<tr>
<td class="tableinfo">/usr/sbin/sshd</td>
<td class="tableinfo"><a href="#doc_chap3">system_u:system_r:sshd_t</a></td>
</tr>
<tr>
<td class="infohead"><b>File</b></td>
<td class="infohead"><b>Context</b></td>
</tr>
<tr>
<td class="tableinfo">/sbin/unix_chkpwd</td>
<td class="tableinfo"><a href="#doc_chap4">system_u:object_r:chkpwd_exec_t</a></td>
</tr>
<tr>
<td class="tableinfo">/etc/passwd</td>
<td class="tableinfo"><a href="#doc_chap5">system_u:object_r:etc_t</a></td>
</tr>
<tr>
<td class="tableinfo">/etc/shadow</td>
<td class="tableinfo"><a href="#doc_chap5">system_u:object_r:shadow_t</a></td>
</tr>
<tr>
<td class="tableinfo">/bin/bash</td>
<td class="tableinfo"><a href="#doc_chap6">system_u:object_r:shell_exec_t</a></td>
</tr>
</table>
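<p>
  Added example (not from the handbook): a POSIX shell script that automates the comparison in
  the table above.  It reads a saved <span class="code" dir="ltr">sestatus -v</span> capture, strips
  any MLS/MCS level suffix such as <span class="code" dir="ltr">:s0</span> before comparing, and
  reports the first row that does not match together with the chapter that fixes it.  The expected
  labels are the ones this page lists; newer reference policies label some of these files differently
  (for example /etc/passwd), so adjust the EXPECTED table to your policy.  The capture produced by
  <span class="code" dir="ltr">demo_capture</span> is constructed, with /etc/shadow deliberately
  mislabeled; rows that sestatus does not print at all are reported as missing.
</p>

```shell
#!/bin/sh
# Added example (not from the handbook): compare a saved `sestatus -v` capture
# against the contexts the table above expects and report the first mismatch.
# Usage: check_login_contexts FILE   (FILE holds the output of `sestatus -v`)

# Expected rows, "label|context|chapter that fixes it". The labels are the
# ones this page lists; adjust them if your policy labels these files
# differently (newer reference policies use passwd_file_t for /etc/passwd).
EXPECTED='Init context|system_u:system_r:init_t|Incorrect Init Context
/usr/sbin/sshd|system_u:system_r:sshd_t|Incorrect sshd Context
/sbin/unix_chkpwd|system_u:object_r:chkpwd_exec_t|Incorrect PAM Context
/etc/passwd|system_u:object_r:etc_t|Incorrect Password File Contexts
/etc/shadow|system_u:object_r:shadow_t|Incorrect Password File Contexts
/bin/bash|system_u:object_r:shell_exec_t|Incorrect Bash File Context'

# strip_level CONTEXT: drop an MLS/MCS level such as ":s0" or ":s0-s0:c0.c1023"
# so only user:role:type is compared (the contexts on this page carry no level).
strip_level() {
    printf '%s\n' "$1" | cut -d: -f1-3
}

# context_of LABEL FILE: print the context sestatus -v reported for LABEL.
# Each row is "label<spaces>context": the context is the last field and the
# label is whatever precedes it, with any trailing ":" removed. Prints
# nothing if the row is absent (sestatus only lists what its config names).
context_of() {
    awk -v key="$1" '
        NF >= 2 {
            ctx = $NF
            label = $0
            sub(/[ \t]*[^ \t]+[ \t]*$/, "", label)   # remove the context
            sub(/^[ \t]+/, "", label); sub(/:$/, "", label)
            if (label == key) { print ctx; exit }
        }' "$2"
}

# check_login_contexts FILE: print "OK" and return 0 if every expected row
# matches; otherwise print the first mismatch (a missing row counts as one)
# together with the chapter to read, and return 1.
check_login_contexts() {
    file=$1
    printf '%s\n' "$EXPECTED" | while IFS='|' read -r key want chapter; do
        got=$(context_of "$key" "$file")
        if [ "$(strip_level "$got")" != "$want" ]; then
            printf 'MISMATCH %s: got "%s", expected "%s" -> see "%s"\n' \
                "$key" "${got:-<missing>}" "$want" "$chapter"
            exit 1          # leaves the while-loop subshell with status 1
        fi
    done && echo OK
}

# demo_capture: a constructed `sestatus -v` capture (not from a real host)
# in which /etc/shadow carries the wrong type.
demo_capture() {
    cat <<'EOF'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Policy from config file:        strict

Process contexts:
Current context:                root:sysadm_r:sysadm_t
Init context:                   system_u:system_r:init_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling term:               root:object_r:sysadm_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:etc_t
/bin/bash                       system_u:object_r:shell_exec_t
EOF
}

# Dry run on the constructed capture; on a real host use: sestatus -v > /tmp/ctx
capture=$(mktemp)
demo_capture > "$capture"
check_login_contexts "$capture" || true   # reports the /etc/shadow row
rm -f "$capture"
```

<p>
  The level is stripped because a policy with MLS or MCS enabled prints
  <span class="code" dir="ltr">system_u:object_r:shadow_t:s0</span>, which would otherwise
  never equal the three-field contexts in the table.
</p>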
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
            </span>Incorrect Init Context</p>
<p class="secthead"><a name="doc_chap2_sect1">Verify Init Label</a></p>
<p>
  There are several possible reasons why init may have the wrong context.
  First, verify that the init binary itself is labeled correctly: look at the
  /sbin/init line in the File contexts section of the <span class="code" dir="ltr">sestatus -v</span>
  output.  If it is not <span class="code" dir="ltr">system_u:object_r:init_exec_t</span>,
  init is not transitioned into its own domain at boot, so relabel sysvinit.
</p>
<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.1: Relabel sysvinit</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">rlpkg sysvinit</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap2_sect2">Verify Available Policy</a></p>
<p>
  You must be in <span class="code" dir="ltr">sysadm_r</span> to perform this action.
</p>
<p>
  A binary policy must be available in
  /etc/selinux/{strict,targeted}/policy (the directory matching the policy type
  selected in /etc/selinux/config).  If it is missing, build it from the installed
  policy modules; the <span class="code" dir="ltr">-n</span> flag skips loading it into
  the kernel, since init does that at the next boot.
</p>
<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.2: Build the policy</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">semodule -n -B</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap2_sect3">Verify Init Can Load the Policy</a></p>
<p>
  The final check is to ensure init can load the policy.  Run <span class="code" dir="ltr">ldd</span> on
  init, and if libselinux is not in the output, remerge sysvinit.
</p>
<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.3: Check that init links against libselinux</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">ldd /sbin/init</span>
  linux-gate.so.1 =&gt;  (0xffffe000)
  <span class="code-comment">libselinux.so.1 =&gt; /lib/libselinux.so.1 (0x40025000)</span>
  libc.so.6 =&gt; /lib/libc.so.6 (0x40035000)
  /lib/ld-linux.so.2 =&gt; /lib/ld-linux.so.2 (0x40000000)
</pre></td></tr>
</table>
<p>
  Now reboot so init gains the correct context, and loads the policy.
</p>
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
            </span>Incorrect sshd Context</p>
<p>
  Another possibility is that the sshd binary is not labeled correctly, so the
  daemon is not running in <span class="code" dir="ltr">sshd_t</span>.  Relabel openssh,
  then restart sshd so that the new process is started from the relabeled binary.
</p>
<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 3.1: Relabel openssh and restart sshd</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">rlpkg openssh</span>
# <span class="code-input">/etc/init.d/sshd restart</span>
</pre></td></tr>
</table>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
            </span>Incorrect PAM Context</p>
<p>
  sshd must be able to use PAM to authenticate the user.  The PAM password
  checking helper (/sbin/unix_chkpwd) must be labeled correctly so that
  sshd can transition into the password checking domain when it runs the helper.  Relabel PAM.
</p>
<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 4.1: Relabel PAM</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">rlpkg pam</span>
</pre></td></tr>
</table>
<p>
  The password checking helper should now be <span class="code" dir="ltr">system_u:object_r:chkpwd_exec_t</span>.
  Try logging in again.
</p>
<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
            </span>Incorrect Password File Contexts</p>
<p>
  The password file (/etc/passwd), and the shadow file (/etc/shadow) must
  be labeled correctly, otherwise PAM will not be able to
  authenticate your user.  Relabel the files.
</p>
<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 5.1: Relabel the password files</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">restorecon /etc/passwd /etc/shadow</span>
</pre></td></tr>
</table>
<p>
  The password and shadow files should now be <span class="code" dir="ltr">system_u:object_r:etc_t</span>
  and <span class="code" dir="ltr">system_u:object_r:shadow_t</span>, respectively.  Try logging in again.
</p>
<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
            </span>Incorrect Bash File Context</p>
<p>
  Bash must be labeled correctly so the user can transition into the user
  domain when logging in.  Relabel bash.
</p>
<a name="doc_chap6_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 6.1: Relabel bash</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">rlpkg bash</span>
</pre></td></tr>
</table>
<p>
  Bash (/bin/bash) should now be <span class="code" dir="ltr">system_u:object_r:shell_exec_t</span>.
  Try logging in again.
</p>
<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
            </span>Other sshd Issues</p>
<p class="secthead"><a name="doc_chap7_sect1">Valid Shell</a></p>
<p>
  First, make sure the user has a valid shell.
</p>
<a name="doc_chap7_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 7.1: Check the user's login shell</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">grep "^</span><span class="code-comment">username</span><span class="code-input">:" /etc/passwd | cut -d: -f7</span>
/bin/bash <span class="code-comment">(or your shell of choice)</span>
</pre></td></tr>
</table>
<p>
  If the above command does not return anything, or the shell is wrong,
  set the user's shell.
</p>
<a name="doc_chap7_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 7.2: Set the user's login shell</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">usermod -s /bin/bash</span> <span class="code-comment">username</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap7_sect2">PAM enabled</a></p>
<p>
  PAM must also be enabled in sshd.  Make sure this line in
  <span class="code" dir="ltr">/etc/ssh/sshd_config</span> is present and uncommented
  (sshd uses the first value it finds for a keyword, so an earlier
  <span class="code" dir="ltr">UsePAM no</span> would take precedence):
</p>
<a name="doc_chap7_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 7.3: Required sshd_config setting</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
UsePAM yes
</pre></td></tr>
</table>
<p>
  SELinux policy grants direct access to <span class="code" dir="ltr">/etc/shadow</span> only
  to PAM and a select few other programs; sshd is not among them, so OpenSSH must use
  PAM for password authentication.  Public key authentication does not read the shadow
  file and still works.
</p>
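<p>
  Added example (not from the handbook): shell functions that check the two things this chapter
  asks for, the user's login shell and the effective <span class="code" dir="ltr">UsePAM</span>
  setting.  File paths are parameters so the functions can be run first against the constructed
  sample files written by <span class="code" dir="ltr">write_samples</span> (placeholder users, not
  from any real system) and then against /etc/passwd and /etc/ssh/sshd_config.  The UsePAM check
  follows sshd's own parsing rules: keywords are case-insensitive, <span class="code" dir="ltr">#</span>
  starts a comment, <span class="code" dir="ltr">=</span> is accepted as a separator, and the first
  occurrence of a keyword wins.
</p>

```shell
#!/bin/sh
# Added example (not from the handbook): check the two non-SELinux causes in
# this chapter, an invalid login shell and PAM disabled in sshd. File paths
# are parameters so the constructed samples below can be checked first;
# on a real host pass /etc/passwd and /etc/ssh/sshd_config.

# login_shell_of USER PASSWD_FILE: print field 7 of USER's passwd entry.
# Matching on the whole first field avoids "bob" also matching "bobby".
login_shell_of() {
    awk -F: -v user="$1" '$1 == user { print $7; exit }' "$2"
}

# check_login_shell USER PASSWD_FILE: print the shell and return 0 if USER
# exists, has a shell field, and that shell is an executable file; otherwise
# print the reason and return 1 (a typo such as /bin/bsh fails here).
check_login_shell() {
    shell=$(login_shell_of "$1" "$2")
    if [ -z "$shell" ]; then
        echo "no shell set for $1 (missing entry or empty field)"; return 1
    fi
    if [ ! -x "$shell" ]; then
        echo "shell $shell for $1 is not an executable file"; return 1
    fi
    echo "$shell"
}

# effective_use_pam SSHD_CONFIG: print the value sshd will use for UsePAM.
# sshd_config keywords are case-insensitive, "#" starts a comment, "=" may
# separate keyword and value, and the FIRST occurrence of a keyword wins,
# so "#UsePAM yes" followed by "UsePAM no" means PAM is off. Prints "no",
# sshd's default, when the keyword never appears.
effective_use_pam() {
    awk '
        { gsub(/[ \t]*=[ \t]*/, " "); $0 = $0 }       # normalise "UsePAM=yes"
        /^[ \t]*#/ || NF < 2 { next }                  # comment or blank line
        tolower($1) == "usepam" { found = 1; print tolower($2); exit }
        END { if (!found) print "no" }
    ' "$1"
}

# write_samples PASSWD_FILE SSHD_CONFIG: constructed sample files (placeholder
# users, not from any real system) for a dry run.
write_samples() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/bsh
carol:x:1002:1002:Carol:/home/carol:
EOF
    cat > "$2" <<'EOF'
# constructed sshd_config: the commented line does not count
#UsePAM yes
PasswordAuthentication yes
usepam no
EOF
}

# Dry run on the constructed files
passwd_file=$(mktemp); sshd_conf=$(mktemp)
write_samples "$passwd_file" "$sshd_conf"
check_login_shell alice "$passwd_file"             # /bin/sh
check_login_shell bob "$passwd_file" || true       # reports /bin/bsh as not executable
echo "UsePAM: $(effective_use_pam "$sshd_conf")"   # UsePAM: no
rm -f "$passwd_file" "$sshd_conf"
```

<p>
  On OpenSSH 5.1 and later, <span class="code" dir="ltr">sshd -T | grep -i usepam</span> asks
  sshd itself for the effective value and is the authoritative check; the function above is
  useful on older installs and for reviewing a config file copied off the host.
</p>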
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Updated November 16, 2004</p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>