Package: selinux-policy-default
Version: 2:2.20110726-3
Severity: important

When protecting sshd with this policy, the transition that occurs when running
the user's shell is always denied, which prevents users from logging in:
type=AVC msg=audit(1349808486.496:121): avc:  denied  { transition } for  
pid=3120 comm="sshd" path="/bin/bash" dev=dm-0 ino=554 
scontext=system_u:system_r:sshd_t:s0 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

The reason is that the daemon has no MCS categories assigned to it, so the mcs
policy constraints prevent the addition of categories.

As best as I can tell, sshd is not supposed to have any categories, and the user
is supposed to have categories, so this behavior should be allowed.  (Did I miss
something here?)

Assuming this behavior should be allowed, editing
policy/modules/system/authlogin.if and adding mcs_process_set_categories($1)
in the auth_login_pgm_domain interface fixes this problem.


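The check described in the report, written as a triage helper for audit logs. This is an added example, not part of the original report or of the policy package. It flags a denied process transition whose target context carries MCS categories the source context lacks. The function names are hypothetical, and the comparison of high-level category sets is a simplified model of the MCS constraint, assumed here for illustration.

```python
import re

# Constructed input: the AVC record from the report, joined onto one line.
AVC = ('type=AVC msg=audit(1349808486.496:121): avc:  denied  { transition } for  '
       'pid=3120 comm="sshd" path="/bin/bash" dev=dm-0 ino=554 '
       'scontext=system_u:system_r:sshd_t:s0 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process')

def parse_categories(level):
    """Expand the category part of one level, e.g. 's0:c0.c3,c7' -> {0,1,2,3,7}."""
    _, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c0.c1023' is an inclusive range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return out

def high_categories(context):
    """Return (type, categories of the high level) for user:role:type:range."""
    _user, _role, setype, mls = context.split(":", 3)
    high = mls.split("-")[-1]                    # 's0' or 's0-s0:c0.c1023'
    return setype, parse_categories(high)

def mcs_transition_findings(record):
    """Return a summary for a denied process transition, or None for other records."""
    perms = re.search(r"denied\s+\{([^}]*)\}", record)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    if not perms or "transition" not in perms.group(1).split():
        return None
    if fields.get("tclass") != "process":
        return None
    stype, scats = high_categories(fields["scontext"])
    ttype, tcats = high_categories(fields["tcontext"])
    added = tcats - scats                        # categories the transition would add
    return {"source_type": stype, "target_type": ttype,
            "added_categories": len(added), "mcs_suspect": bool(added)}

if __name__ == "__main__":
    print(mcs_transition_findings(AVC))
```

A record with mcs_suspect set points at the MCS constraint rather than a missing type-enforcement rule, which is the case the report attributes to sshd_t having no categories.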