From: Chris Richards <gizmo@giz-works.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux (strict policy) and ssh
Date: Sun, 14 Nov 2010 18:26:02 -0600
Message-ID: <4CE07E1A.7090906@giz-works.com>
In-Reply-To: <AANLkTinQ8gaGqLECsc693JOCFhOWgRJGr0XDTCHj+TGU@mail.gmail.com>
On 11/14/2010 06:40 AM, luc nac wrote:
> Is it right that I can still login (or switch to the sysadm_r role)
> via ssh to that machine even if the boolean "ssh_sysadm_login" is set
> "off"?
Sven's reply is correct. ssh_sysadm_login doesn't PREVENT ssh users
from changing to the sysadm_r role once they have logged in; it simply
prevents them from logging directly in as sysadm_r. Essentially, it
enforces the requirement to 'newrole -r' before you can access the
sysadm role.
A little bit more about this can be found here:
http://www.nsa.gov/research/selinux/list-archive/0612/thread_body32.shtml
> What tests can I do to confirm that SELinux is correctly working?
>
Not sure what you're after here?
'sestatus' will give you some information regarding what mode
(permissive, enforcing), what policy (strict, targeted), etc. you are
using, and whether the system is running. 'ls -Z' will give you context
information on a particular file, and you can use 'matchpathcon' to see
what the context of a file should be. 'chcon' will allow you to force
an arbitrary file to an arbitrary context (even one it's not supposed to
have), while 'restorecon', 'setfiles', and 'rlpkg' can all be used to
restore file contexts to their defaults (the different commands have
different options and different effects). 'semodule -l' can be used to
see what modules (other than the base capabilities provided by
selinux-base-policy) are loaded.
HTH
Later,
Gizmo
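As an added example (not part of Gizmo's message, and not a Gentoo or SELinux project script), here is a small POSIX sh audit that turns the checks above into something repeatable: it reads the mode and policy out of sestatus, the state of ssh_sysadm_login out of getsebool, and compares the contexts ls -Z reports against what matchpathcon says they should be. The functions take command output on stdin, so they can be fed the real commands on a strict-policy box or the constructed sample output embedded below. The sample output (a 2010-era sestatus layout, the old coreutils ls -Z field order, and a deliberately mislabeled /etc/shadow) is made up for the example.

```shell
#!/bin/sh
# Added example (not from the original e-mail): audit the items Gizmo lists.
# Every function reads command output from stdin so it works on either a live
# host or the constructed samples further down.

# Pull one field out of sestatus output, e.g. "Current mode" or
# "Policy from config file".
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { print $2; exit }'
}

# Read the state of one boolean from getsebool output ("name --> on|off").
bool_state() {
    awk -v b="$1" '$1 == b && $2 == "-->" { print $3; exit }'
}

# Compare actual contexts (ls -Z on stdin; assumes the old coreutils layout
# with the context in the next-to-last field and the path last) against the
# expected contexts in file $1 (matchpathcon output: "path<TAB>context").
# Prints "path actual expected" for every file whose label differs.
mislabeled() {
    awk 'NR == FNR { want[$1] = $2; next }
         { path = $NF; have = $(NF - 1) }
         (path in want) && want[path] != have { print path, have, want[path] }' "$1" -
}

# Constructed sample output, shaped like a strict-policy host of the time.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        strict'

SAMPLE_GETSEBOOL='ssh_sysadm_login --> off'

# Constructed ls -Z lines: mode user group context path. /etc/shadow carries
# etc_t instead of shadow_t, as if someone had run a stray chcon on it.
SAMPLE_LSZ='-rw-r--r-- root root system_u:object_r:etc_t /etc/passwd
-r-------- root root system_u:object_r:etc_t /etc/shadow
-rw------- root root system_u:object_r:sshd_key_t /etc/ssh/ssh_host_rsa_key'

# Constructed matchpathcon output (awk splits on the tab or space either way).
SAMPLE_MATCHPATHCON='/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/etc/ssh/ssh_host_rsa_key system_u:object_r:sshd_key_t'

# Number of mislabeled files in the sample (1: /etc/shadow).
mislabeled_count() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_MATCHPATHCON" > "$tmp"
    printf '%s\n' "$SAMPLE_LSZ" | mislabeled "$tmp" | wc -l | tr -d ' '
    rm -f "$tmp"
}

# Run every check over the samples; returns 0 only if nothing is off.
# On a live host replace each printf pipe with the real command named in
# the comment beside it.
audit_sample() {
    rc=0
    mode=$(printf '%s\n' "$SAMPLE_SESTATUS" | sestatus_field 'Current mode')            # sestatus | sestatus_field 'Current mode'
    policy=$(printf '%s\n' "$SAMPLE_SESTATUS" | sestatus_field 'Policy from config file')
    sysadm=$(printf '%s\n' "$SAMPLE_GETSEBOOL" | bool_state ssh_sysadm_login)          # getsebool ssh_sysadm_login | bool_state ssh_sysadm_login
    [ "$mode" = enforcing ] || { echo "WARN: mode is '$mode', not enforcing"; rc=1; }
    [ "$policy" = strict ]  || { echo "WARN: policy is '$policy', not strict"; rc=1; }
    [ "$sysadm" = off ]     || { echo "WARN: ssh_sysadm_login is '$sysadm'; ssh logins may land directly in sysadm_r"; rc=1; }

    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_MATCHPATHCON" > "$tmp"              # matchpathcon /etc/passwd /etc/shadow ... > "$tmp"
    bad=$(printf '%s\n' "$SAMPLE_LSZ" | mislabeled "$tmp")     # ls -Z /etc/passwd /etc/shadow ... | mislabeled "$tmp"
    rm -f "$tmp"
    if [ -n "$bad" ]; then
        echo "WARN: mislabeled files (path actual expected); restorecon will reset them:"
        echo "$bad"
        rc=1
    fi
    return $rc
}

if audit_sample; then echo "audit: OK"; else echo "audit: problems found"; fi
```

Run against the samples it flags /etc/shadow (etc_t where shadow_t is expected) and passes the other three checks. On a real strict-policy host the complementary check for the ssh question is behavioural rather than parsed: after an ssh login, id -Z should show the login role (typically staff_r in the strict policy; which role you get is a per-user setting, not something this script can assume), and only newrole -r sysadm_r should get you to sysadm_r while ssh_sysadm_login is off.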
Thread overview: 4+ messages
2010-11-14 12:40 [gentoo-hardened] SELinux (strict policy) and ssh luc nac
2010-11-14 12:54 ` klondike
2010-11-14 20:23 ` Sven Vermeulen
2010-11-15 0:26 ` Chris Richards [this message]