LOGIN service not working on CentOS 7 (SELinux) #342
Comments
@KLuka It appears that in the default SELinux setting on CentOS 7, a process with an SELinux setting of unconfined_service_t should not be restricted by SELinux in any way.
@KLuka I can confirm this bug, with a fresh install of CentOS 7.
Also, it works fine after running
@KLuka I'd be willing to work on writing an SELinux policy, except I don't have a clue where to start. This is my first run-in with SELinux. What are your thoughts?
I guess that is not the case with shellinabox 😄
I also don't have a clue what to do here. I searched about this stuff all over the internet, but I didn't get any useful results... Maybe it would be useful to examine policies of other programs that use I also asked Fedora package maintainer @scaronni for some help. Anyway, I welcome any information regarding this issue here...
I will write down the policy for a subsequent update to 2.18. I need to fix a few things on other packages before looking into this one.
OK, there is no rush. For now I managed to get the LOGIN service to work as expected without disabling SELinux. I guess that this is a temporary workaround. I found some useful resources in an article about nginx with SELinux. First I created an SELinux policy from the errors in
After that you need to load the created policy:
At this point the LOGIN service should start working as expected... PS: I don't know if this is a correct workaround and how it affects overall system security, or even if/how it can be included in the RPM. I am adding the policy in text format, in case anyone has a clue on how to use this for a more general fix/workaround.
@KLuka From what I've read about SELinux, I would say that is not a correct solution. That just says allow any unspecified program to run Looking at your workaround, though, is helpful to me in understanding how to create new policies. I might work on it yet.
@BenjiWiebe you are probably correct. I just posted this so we can continue with the search for a proper fix 😉 I don't know what exactly is Here are the log messages on what happens without the workaround:
And here with the workaround:
shellinabox.tar.gz
Anyway, if it can help you with something, here is an archive with the SELinux policy source.
There are now only 2 AVCs left. Allow rules are already set in the policy module, but that drops constraint rule exceptions... I don't know what to do to get rid of those errors... Shellinabox works with that policy, but it is annoying since a transition with an unconfined context can be a security hole.
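The workaround above (policy module generated from audit log denials) and the follow-up concern about rules that touch an unconfined context are illustrated by this added example, which is not code from the issue or from the shellinabox project. It parses AVC denial lines in the audit.log format into audit2allow-style allow rules and separately lists the rules that would involve an unconfined domain, which is what reviewers in the thread flag as the part needing a real policy instead of a blanket allow; the log lines are constructed samples, not messages quoted from the issue.

```python
import re
from collections import defaultdict

# Constructed AVC denial lines in the /var/log/audit/audit.log format
# (sample data for this example, not log output from the issue).
SAMPLE_AVC = """\
type=AVC msg=audit(1420000000.001:101): avc:  denied  { execute } for  pid=1234 comm="shellinaboxd" name="login" dev="dm-0" ino=1 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:login_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1420000000.002:102): avc:  denied  { read open } for  pid=1234 comm="shellinaboxd" name="login" dev="dm-0" ino=1 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:login_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1420000000.003:103): avc:  denied  { transition } for  pid=1235 comm="shellinaboxd" path="/bin/login" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process permissive=0
"""

# Fields audit2allow needs: the denied permission set, source and target
# security contexts, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)"
)

def type_of(ctx):
    """Extract the type from a user:role:type:level context string."""
    return ctx.split(":")[2]

def parse_avc(log):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; skip
        key = (type_of(m["src"]), type_of(m["tgt"]), m["cls"])
        rules[key].update(m["perms"].split())
    return rules

def allow_rules(log):
    """Render the grouped denials as policy 'allow' rules, sorted for stable output."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(parse_avc(log).items())]

def needs_review(log):
    """Rules that mention an unconfined domain: loading these lets the
    web-facing daemon reach an unconfined context, so they need a proper
    domain transition rather than a generated allow."""
    return [r for r in allow_rules(log) if "unconfined" in r]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        flag = "  # REVIEW" if rule in needs_review(SAMPLE_AVC) else ""
        print(rule + flag)
```

Feed it the output of ausearch or the raw audit.log and compare the flagged rules against what a generated module would load.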
Hi @claneys, thanks for posting this. If I understand things correctly, the script
Ok, here is the SELinux policy POC :)
#342 Adding selinux policy. TODO: Unconfined context misuse needed to fix
Disabling SELinux is not the suggested way. However, to fix the problem you can run the commands mentioned below:
Refer to my blog for the same:
@BenjiWiebe I'm not an expert in SELinux, but I think that if you change the SELinux user for the shellinaboxd binary to system_u, which is meant for system services, then it should be enough: chcon -u system_u /usr/sbin/shellinaboxd Could you test it on your platform?
This comment resolved my issue.
On CentOS 7 shellinabox cannot properly execute /bin/login and we get
login -- <user>: no shell: Permission denied
error message displayed in the browser... This is probably related to SELinux policy. Here is the diff of the SELinux context for the shellinaboxd process:
system_u:system_r:initrc_t:s0
system_u:system_r:unconfined_service_t:s0
Additional info in #334, #327...