Re: Preview of changes to the Security susbystem for 2.6.36

From: Valdis . Kletnieks
Date: Wed Aug 04 2010 - 02:19:58 EST

On Wed, 04 Aug 2010 12:54:32 +0900, Tetsuo Handa said:

> # killall -KILL sshd
> # /usr/sbin/sshd -o 'Banner /etc/shadow'
> # ssh localhost

I am unable to replicate this behavior on my system with SELinux set to
enforcing mode. However, it does happen (which is to be expected) when SELinux
is set to permissive mode.

% rpm -q openssh selinux-policy-mls

Tested by by trying both /etc/issue and /etc/shadow as banner files - in permissive
mode, both files would be displayed. In enforcing mode, /etc/issue would show
up and /etc/shadow would not. In addition, checking of the actual policy
source for ssh shows no entry for auth_read_shadow() for sshd_t, although it is
present for many other systemd daemons that have a need to read it. So in
enforcing mode, there's no rule allowing sshd to open /etc/shadow, so it won't

Are you sure you weren't running in permissive mode when you tested this?

Attachment: pgp00000.pgp
Description: PGP signature