gentoo-hardened November 2010 archive

Re: [gentoo-hardened] SELinux (strict policy) and ssh

From: Chris Richards <gizmo_at_nospam>
Date: Mon Nov 15 2010 - 00:26:02 GMT
To: gentoo-hardened@lists.gentoo.org

On 11/14/2010 06:40 AM, luc nac wrote:
> Is it right that I can still login (or switch to the sysadm_r role)
> via ssh to that machine even if the boolean "ssh_sysadm_login" is set
> "off"?

Sven's reply is correct. ssh_sysadm_login doesn't PREVENT ssh users
from changing to the sysadm_r role once they have logged in; it simply
prevents them from logging directly in as sysadm_r. Essentially, it
enforces the requirement to 'newrole -r' before you can access the
sysadm role.

A little bit more about this can be found here:
http://www.nsa.gov/research/selinux/list-archive/0612/thread_body32.shtml

> What tests can I do to confirm that SELinux is correctly working?
>
Not sure what you're after here?

'sestatus' will give you some information regarding what mode
(permissive, enforcing), what policy (strict, targeted), etc. you are
using, and whether the system is running. 'ls -Z' will give you context
information on a particular file, and you can use 'matchpathcon' to see
what the context of a file should be. 'chcon' will allow you to force
an arbitrary file to an arbitrary context (even one it's not supposed to
have), while 'restorecon', 'setfiles', and 'rlpkg' can all be used to
restore file contexts to their defaults (the different commands have
different options and different effects). 'semodule -l' can be used to
see what modules (other than the base capabilities provided by
selinux-base-policy) are loaded.

HTH

Later,
Gizmo
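
The checks named in the reply above can be combined into one script; this is an added example, not part of the original post. The function names are hypothetical, `getsebool` is not mentioned in the post, and every sample output is constructed (real `ls -Z` layouts vary between coreutils versions).

```sh
#!/bin/sh
# Added example. All sample text below is constructed, not captured from a host.
SAMPLE_SESTATUS='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing
Policy from config file:        strict'
# Assumed layout "context path" (e.g. plain `ls -Z` or `stat -c "%C %n"`).
SAMPLE_ACTUAL='system_u:object_r:shadow_t /etc/shadow
system_u:object_r:user_home_t /etc/ssh/sshd_config'
# Layout "path context", as printed by `matchpathcon`.
SAMPLE_EXPECTED='/etc/shadow system_u:object_r:shadow_t
/etc/ssh/sshd_config system_u:object_r:etc_t'

# Print one field of `sestatus` output (stdin), e.g. "Current mode".
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { print $2; exit }'
}

# Succeed only if SELinux is enabled AND currently enforcing.
check_enforcing() {
    out=$(cat)
    st=$(printf '%s\n' "$out" | sestatus_field 'SELinux status')
    mode=$(printf '%s\n' "$out" | sestatus_field 'Current mode')
    [ "$st" = enabled ] && [ "$mode" = enforcing ]
}

# Print the state of boolean $1 from `getsebool -a` output (stdin).
boolean_state() {
    awk -v b="$1" '$1 == b && $2 == "-->" { print $3; exit }'
}

# List files whose actual label ($1) differs from the policy default ($2).
# Paths containing whitespace are not handled.
label_mismatches() {
    { printf '%s\n' "$2"; echo '--'; printf '%s\n' "$1"; } | awk '
        $0 == "--" { seen = 1; next }
        !seen      { want[$1] = $2; next }
        ($2 in want) && want[$2] != $1 {
            print $2 ": has " $1 ", expected " want[$2]
        }'
}

if printf '%s\n' "$SAMPLE_SESTATUS" | check_enforcing; then
    echo "SELinux is enforcing"
else
    echo "SELinux is NOT enforcing"
fi
label_mismatches "$SAMPLE_ACTUAL" "$SAMPLE_EXPECTED"
```

On a live system, feed the functions real output instead of the samples, for example `sestatus | check_enforcing` and `getsebool -a | boolean_state ssh_sysadm_login`.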