1.a. Begin Here
You must be in sysadm_r to perform these actions.
Run sestatus -v and compare its output with the tables below. Go to the section for the first context that doesn't match:
| Process | Context |
|---|---|
| Init context | system_u:system_r:init_t |
| /usr/sbin/sshd | system_u:system_r:sshd_t |

| File | Context |
|---|---|
| /sbin/unix_chkpwd | system_u:object_r:chkpwd_exec_t |
| /etc/passwd | system_u:object_r:etc_t |
| /etc/shadow | system_u:object_r:shadow_t |
| /bin/bash | system_u:object_r:shell_exec_t |
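As an added check for this step (example script, not part of the original guide), the following POSIX shell function compares the output of sestatus -v against the tables above and reports every listed process or file whose type differs; the sample sestatus output it is run on is constructed, with /etc/shadow deliberately carrying the wrong type.

```shell
#!/bin/sh
# check_contexts: read `sestatus -v` output on stdin and report every listed
# process or file whose SELinux type differs from the tables in section 1.a.
# Prints one line per mismatch and returns 1 if any was found, 0 otherwise.
check_contexts() {
    awk '
    # Expected types (third colon-separated field of the context), from the tables above.
    BEGIN {
        want["init"]              = "init_t"
        want["/usr/sbin/sshd"]    = "sshd_t"
        want["/sbin/unix_chkpwd"] = "chkpwd_exec_t"
        want["/etc/passwd"]       = "etc_t"
        want["/etc/shadow"]       = "shadow_t"
        want["/bin/bash"]         = "shell_exec_t"
    }
    # Compare the type part of a context (user:role:type[:range]) with the expected one.
    function check(name, ctx,    f) {
        split(ctx, f, ":")
        if (f[3] != want[name]) {
            printf "%s %s (expected %s)\n", name, ctx, want[name]
            bad = 1
        }
    }
    $1 == "Init" && $2 == "context:" { check("init", $3) }
    $1 in want                       { check($1, $2) }
    END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of `sestatus -v` output (not captured from a real system) in
# which /etc/shadow carries the wrong type, the situation described in section 1.e.
sample_sestatus() {
    cat <<'EOF'
Process contexts:
Current context:                root:sysadm_r:sysadm_t
Init context:                   system_u:system_r:init_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:etc_t
/bin/bash                       system_u:object_r:shell_exec_t
EOF
}

# On a real system run: sestatus -v | check_contexts
sample_sestatus | check_contexts || echo "relabel the entries above, then retry the login"
```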
1.b. Incorrect Init Context
Verify Init Label
There are several possible reasons why init may have the wrong context. First, verify that init is labeled correctly by referring to the sestatus output for /sbin/init. If it is not system_u:object_r:init_exec_t, relabel sysvinit.
Code Listing 1: Relabel sysvinit
# rlpkg sysvinit
Verify Available Policy (2006.1+)
You must be in sysadm_r to perform this action.
A binary policy must be available in /etc/selinux/{strict,targeted}/policy. If it is missing, then install the policy.
Code Listing 2: Install policy
# semodule -n -B
Verify Available Policy (pre 2006.1)
An appropriate binary policy version must also be available in /etc/security/selinux. For example, for policy version 17, /etc/security/selinux/policy.17 must exist. If it is missing, first adjust the policy (Makefile). Then compile and install the policy.
Code Listing 3: Install policy
# cd /etc/security/selinux/src/policy
# make clean
# make install
Verify Init Can Load the Policy
The final check is to ensure init can load the policy. Run ldd on init, and if libselinux is not in the output, remerge sysvinit.
Code Listing 4: Check that init is linked against libselinux
# ldd /sbin/init
        linux-gate.so.1 =>  (0xffffe000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)
        libc.so.6 => /lib/libc.so.6 (0x40035000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
Now reboot so that init gains the correct context and loads the policy.
1.c. Incorrect sshd Context
Another possibility is that sshd is not labeled correctly, meaning it is not running in the right context. Relabel openssh, then restart sshd.
Code Listing 5: Relabel openssh and restart sshd
# rlpkg openssh
# /etc/init.d/sshd restart
1.d. Incorrect PAM Context
sshd must be able to use PAM to authenticate the user. The PAM password checking program (/sbin/unix_chkpwd) must be labeled correctly so that sshd can transition to the password checking context. Relabel PAM.
Code Listing 6: Relabel PAM
# rlpkg pam
The password checking program should now be system_u:object_r:chkpwd_exec_t. Try logging in again.
1.e. Incorrect Password File Contexts
The password file (/etc/passwd) and the shadow file (/etc/shadow) must be labeled correctly; otherwise PAM will not be able to authenticate your user. Relabel the files.
Code Listing 7: Relabel the password and shadow files
# restorecon /etc/passwd /etc/shadow
The password and shadow files should now be system_u:object_r:etc_t and system_u:object_r:shadow_t, respectively. Try logging in again.
1.f. Incorrect Bash File Context
Bash must be labeled correctly so the user can transition into the user domain when logging in. Relabel bash.
Code Listing 8: Relabel bash
# rlpkg bash
Bash (/bin/bash) should now be system_u:object_r:shell_exec_t. Try logging in again.
1.g. Other sshd Issues
Valid Shell
First, make sure the user has a valid shell.
Code Listing 9: Check the user's shell
# grep '^username:' /etc/passwd | cut -d: -f7
/bin/bash (or your shell of choice)
If the above command does not return anything, or the shell is wrong, set the user's shell.
Code Listing 10: Set the user's shell
# usermod -s /bin/bash username
PAM enabled
PAM also must be enabled in sshd. Make sure this line in /etc/ssh/sshd_config is uncommented:
Code Listing 11: Enable PAM in /etc/ssh/sshd_config
UsePAM yes
SELinux currently allows only PAM and a select few programs direct access to /etc/shadow; therefore, openssh must now use PAM for password authentication (public key authentication still works).