From: luc nac
Date: Sun, 14 Nov 2010 13:40:12 +0100
Subject: [gentoo-hardened] SELinux (strict policy) and ssh
To: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
List-Id: Gentoo Linux mail
Hi everybody,

I'm learning how to use SELinux and I'm experiencing some difficulties. I write here hoping that someone can help me.

I just installed SELinux (strict policy) in a Gentoo-based distribution (Linux kernel version 2.6.24) following the handbook's instructions:
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml

Is it right that I can still log in (or switch to the sysadm_r role) via ssh to that machine even if the boolean "ssh_sysadm_login" is set to "off"? What tests can I do to confirm that SELinux is correctly working?

lucnac@plgd:~$ ssh root@192.168.1.203
Password:
Last login: Sun Nov 14 13:54:26 2010 from unknown
Could not chdir to home directory /root: Permission denied
-bash: /root/.bash_profile: Permission denied
localhost / # id -Z
root:staff_r:staff_t
localhost / # newrole -r sysadm_r
Authenticating root.
Password:
localhost / # id -Z
root:sysadm_r:sysadm_t

This is the output of "sestatus -v":

localhost / # sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        strict

Process contexts:
Current context:                root:staff_r:staff_t
Init context:                   unknown (Permission denied)

File contexts:
Controlling term:               root:object_r:staff_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:initrc_exec_t
/sbin/runscript.sh              system_u:object_r:initrc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t

...and this is the output of "getsebool -a" (everything is off):

localhost / # getsebool -a
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_polyinstantiation --> off
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_ssh_keysign --> off
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_write_xshm --> off
allow_ypbind --> off
cron_can_relabel --> off
fcron_crond --> off
global_ssp --> off
mail_read_content --> off
mozilla_read_content --> off
nfs_export_all_ro --> off
nfs_export_all_rw --> off
read_default_t --> off
read_untrusted_content --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
ssh_sysadm_login --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> off
user_ping --> off
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off
write_untrusted_content --> off
xdm_sysadm_login --> off
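The check the post is asking for can be scripted. The script below is an added example, not code from the original post, the Gentoo handbook or the reference policy: it parses the same three outputs the poster pasted (sestatus, getsebool -a and id -Z), confirms the mode is enforcing, reads the ssh_sysadm_login boolean, extracts the role from the session context and flags a session that is already sysadm_r while the boolean is off. On a host without SELinux it runs against constructed samples shaped like the post's output; on an SELinux host it reads the live values. All function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post, the Gentoo handbook or refpolicy):
# check that an ssh session's SELinux role is consistent with ssh_sysadm_login.

# Constructed samples, shaped like the output shown in the post.
SAMPLE_SESTATUS='SELinux status:                 enabled
Current mode:                   enforcing
Policy from config file:        strict'
SAMPLE_GETSEBOOL='allow_ptrace --> off
ssh_sysadm_login --> off
xdm_sysadm_login --> off'
SAMPLE_CTX='root:staff_r:staff_t'

# sestatus_field LABEL TEXT: print the value of the "LABEL:  value" line
# from sestatus output; exit 1 if the label is absent.
sestatus_field() {
    printf '%s\n' "$2" | awk -F: -v l="$1" \
        '$1 == l { sub(/^[ \t]+/, "", $2); print $2; f = 1 }
         END { exit (f ? 0 : 1) }'
}

# bool_state NAME TEXT: print on/off for boolean NAME from "getsebool -a"
# output; exit 1 if the boolean is not listed in this policy.
bool_state() {
    printf '%s\n' "$2" | awk -v b="$1" \
        '$1 == b && $2 == "-->" { print $3; f = 1 }
         END { exit (f ? 0 : 1) }'
}

# ctx_role CONTEXT: role field of a user:role:type[:range] context string.
ctx_role() {
    printf '%s\n' "$1" | cut -d: -f2
}

# check_ssh_role BOOL ROLE: return 0 when the session role is consistent with
# the boolean, 1 when the session is sysadm_r although ssh_sysadm_login is off
# (sshd should not hand out that role directly in that case).
check_ssh_role() {
    case "$1/$2" in
        off/sysadm_r) echo "MISMATCH: sysadm_r session with ssh_sysadm_login=off"; return 1 ;;
        on/sysadm_r)  echo "ok: sysadm_r session permitted by ssh_sysadm_login=on"; return 0 ;;
        *)            echo "ok: session role $2 (ssh_sysadm_login=$1)"; return 0 ;;
    esac
}

# Use live data on an SELinux host, otherwise the constructed samples above.
if id -Z >/dev/null 2>&1 && command -v getsebool >/dev/null 2>&1; then
    sestatus_out=$(sestatus)
    bools_out=$(getsebool -a)
    ctx=$(id -Z)
else
    sestatus_out=$SAMPLE_SESTATUS
    bools_out=$SAMPLE_GETSEBOOL
    ctx=$SAMPLE_CTX
fi

mode=$(sestatus_field 'Current mode' "$sestatus_out" || echo unknown)
ssh_bool=$(bool_state ssh_sysadm_login "$bools_out" || echo unknown)
role=$(ctx_role "$ctx")
echo "mode=$mode ssh_sysadm_login=$ssh_bool role=$role"
check_ssh_role "$ssh_bool" "$role"
```

Run it from the ssh login shell before any newrole: the ssh_sysadm_login boolean governs only the role sshd may give a login session directly, while newrole -r sysadm_r from staff_r is a separate role change checked by its own policy rules, so a staff_r login followed by a successful newrole is not evidence that the boolean is being ignored. With the sample data the script reports mode=enforcing, ssh_sysadm_login=off and role=staff_r, which is the consistent case.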