Re: xinetd and selinux issues

freund@xxxxxxxxxxxxxxx wrote:
On Thu, 2006-06-29 at 17:13 -0400, Al Freundorfer wrote:
I set up xinetd to allow certain sites to connect to the server
through /etc/xinetd.d/ssh.
It works perfectly when I set selinux to permissive, but doesn't work
when set to enforcing even though I have the box checked in
system-config-security under selinux tab to allow ssh connection through inetd.

Can anyone help me with this?
Change back to permissive:

# setenforce 0

Make a note of the exact time.

Then try out a connection (which should work since you're in permissive
mode).

Then look in your /var/log/messages or /var/log/audit/audit.log (if you
have one) for messages containing "type=AVC" after the time you did the
"setenforce". Post back here any that you find.

Paul.

Thanks for your help. This is what I got.

(snip)

selinux set to enforcing:
remote terminal attempted login:
password:
Authentication successful.
Last login: Fri Jun 30 12:49:57 2006
/bin/bash: Permission denied
bash-2.03$

/var/log/messages:
Jun 30 12:57:28 local kernel: audit(1151686648.208:4): enforcing=1
old_enforcing=0 auid=4294967295
Jun 30 12:58:06 local kernel: audit(1151686686.350:5): avc: denied {
entrypoint } for pid=2627 comm="sshd" name="bash" dev=dm-0 ino=49053782
scontext=user_u:system_r:amanda_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

This is a bit weird. The failures all refer to the "amanda_t" domain, which is what the "amanda" backup program should run in. Nothing to do with ssh. So that suggests to me that there's a labelling problem.

However, before resorting to relabelling your system, try this:

# setsebool -P run_ssh_inetd 1

You'll need this anyway for ssh via inetd/xinetd but I suspect it may not fix the problem.

Paul.
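Added example, not from the thread: a POSIX shell helper that does the log check Paul describes, picking the AVC denials recorded after the moment of "setenforce" out of a /var/log/messages style log and summarising permission, process, source domain, target type and class, so a mismatch like sshd running in amanda_t stands out at a glance. The embedded SAMPLE_LOG is constructed from the lines quoted above (the wrapped audit line re-joined); the function name and the optional file argument are assumptions of this example, not anything from the list.

```shell
#!/bin/sh
# Constructed sample based on the two kernel audit lines quoted in the thread.
SAMPLE_LOG='Jun 30 12:57:28 local kernel: audit(1151686648.208:4): enforcing=1 old_enforcing=0 auid=4294967295
Jun 30 12:58:06 local kernel: audit(1151686686.350:5): avc: denied { entrypoint } for pid=2627 comm="sshd" name="bash" dev=dm-0 ino=49053782 scontext=user_u:system_r:amanda_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file'

# avc_summary SINCE_EPOCH [LOGFILE]
# Prints "perm comm source_domain target_type tclass" for every "avc: denied"
# record whose audit(SECONDS.MS:SERIAL) timestamp is >= SINCE_EPOCH, i.e. the
# epoch seconds noted when "setenforce" was run. Reads LOGFILE if given,
# otherwise the constructed SAMPLE_LOG above.
avc_summary() {
    since="$1"
    log="${2-}"
    if [ -n "$log" ]; then cat "$log"; else printf '%s\n' "$SAMPLE_LOG"; fi |
    awk -v since="$since" '
        /avc: +denied/ {
            # Pull the seconds out of audit(1151686686.350:5) and skip old records.
            if (match($0, /audit\([0-9]+\.[0-9]+:[0-9]+\)/)) {
                ts = substr($0, RSTART + 6, RLENGTH - 7)
                split(ts, parts, /[.:]/)
                if (parts[1] + 0 < since + 0) next
            }
            perm = ""; comm = ""; sdom = ""; ttype = ""; cls = ""
            # The denied permission set sits between braces: { entrypoint }
            if (match($0, /\{ *[^}]* *\}/)) {
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                sub(/^ +/, "", perm); sub(/ +$/, "", perm)
            }
            # key=value fields; the type is the third colon-separated part
            # of a context (user:role:type:level).
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
                if (kv[1] == "scontext") { split(kv[2], c, ":"); sdom = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
                if (kv[1] == "tclass")   { cls = kv[2] }
            }
            print perm, comm, sdom, ttype, cls
        }'
}
```

On the sample this prints "entrypoint sshd amanda_t shell_exec_t file": the source domain column is where one expects an sshd domain, not amanda_t, which is the labelling oddity Paul points out.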

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
