| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5029.1280902716@localhost>
Date: Wed, 04 Aug 2010 02:18:36 -0400
From: Valdis.Kletnieks@...edu
To: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
Cc: hch@...radead.org, jmorris@...ei.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org, viro@....linux.org.uk,
kees.cook@...onical.com
Subject: Re: Preview of changes to the Security susbystem for 2.6.36
On Wed, 04 Aug 2010 12:54:32 +0900, Tetsuo Handa said:
> # killall -KILL sshd
> # /usr/sbin/sshd -o 'Banner /etc/shadow'
> # ssh localhost
I am unable to replicate this behavior on my system with SELinux set to
enforcing mode. However, it does happen (which is to be expected) when SELinux
is set to permissive mode.
% rpm -q openssh selinux-policy-mls
openssh-5.5p1-18.fc14.x86_64
selinux-policy-mls-3.8.8-8.fc14.noarch
Tested by by trying both /etc/issue and /etc/shadow as banner files - in permissive
mode, both files would be displayed. In enforcing mode, /etc/issue would show
up and /etc/shadow would not. In addition, checking of the actual policy
source for ssh shows no entry for auth_read_shadow() for sshd_t, although it is
present for many other systemd daemons that have a need to read it. So in
enforcing mode, there's no rule allowing sshd to open /etc/shadow, so it won't
open.
Are you sure you weren't running in permissive mode when you tested this?
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists