[ubuntu-hardened] allow ssh using selinux in permissive mode

Tyler Hicks tyhicks at canonical.com
Wed Dec 19 23:10:33 UTC 2012


On 2012-12-19 15:29:33, Stephen Carpenter, KSC wrote:
> On Wed, Dec 19, 2012 at 05:22:10PM +0530, sruthi mohan wrote:
> > Hi,
> > I have installed SELinux on ubuntu 11.10,Selinux is in permissive mode.
> > I am unable to connect remotely through ssh.
> > i have done semodule -DB  I did not find any ssh related messages on
> > audit.log.
> 
> Permissive mode logs rather than blocks, so I am skeptical that it's the
> cause. If SELinux was the issue, I would expect it to log errors but work
> anyway. If nothing is logged, then SELinux likely blocked nothing.

There are some *errors* that will block, rather than just log, even in
permissive mode. But there should still be audit messages that indicate
such errors.

It has been a long time since I've run into a similar problem myself, so
I'm *really* fuzzy on the details now. I think it was caused when I
was playing with roles and/or default security contexts at login and I
made some configuration mistakes. From some other emails sent to
ubuntu-hardened, it sounds like Sruthi may have been making some changes
in these areas, too.

I think this problem is similar to what I saw in the past, but I don't
know how much it applies to Sruthi's problem:

http://lists.fedoraproject.org/pipermail/selinux/2010-September/013065.html

Tyler

> 
> Check the auth.log - that is where you will typically find ssh messages.
> 
> Then I would look into using "ssh -vvv" when connecting, look for where
> it is failing. If that wasn't terribly telling, I would start
> looking to turn on sshd debugging, capture packets with tcpdump, and
> turn on pam debugging, roughly in that order.
> 
> If you REALLY think it is still selinux, try rebooting with it completely
> disabled on boot. It is more likely you are seeing an account or auth issue.
> Could be anything from a bad shell or file/directory permissions, to a bad
> pam config, or even too many keys in your ssh agent (not sure if this changes with versions but I have seen each one count as an auth attempt... causing it to fail before getting to password auth) 
> 
> Good luck, ssh/auth issues can be finicky.... even with selinux disabled.
> 
> -Steve
> -- 
> "I may grow rich by an art I am compelled to follow; I may recover
>  health by medicines I am compelled to take against my own judgment;
>  but I cannot be saved by a worship I disbelieve and abhor."
>                -- Thomas Jefferson
> 
> -- 
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
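The triage Steve and Tyler describe (confirm whether SELinux logged anything for sshd, then look at auth.log for ordinary authentication failures) can be scripted. The following is an added example and is not code from either poster; it assumes the standard `type=AVC ... comm="sshd"` audit record layout and the default `/var/log/audit/audit.log` and `/var/log/auth.log` paths, and it ships with constructed sample log lines so it runs offline. Replace the sample paths with the real ones to use it on a host.

```shell
#!/bin/sh
# Added triage helper (example, not from the thread): separate an SELinux
# denial recorded for sshd from an ordinary authentication failure.

# Print audit records of type AVC that name the given process (comm).
# $1 = comm name, e.g. sshd; $2 = audit log path
avc_lines_for() {
    grep 'type=AVC' "$2" | grep "comm=\"$1\""
}

# Count those records. Zero means SELinux recorded nothing for that process,
# which (as Tyler notes) makes an SELinux cause unlikely even in permissive mode.
count_avc_for() {
    avc_lines_for "$1" "$2" | wc -l | tr -d ' '
}

# Print sshd entries from auth.log that look like failures; successful
# logins and routine PAM session lines are left out.
# $1 = auth log path
sshd_auth_failures() {
    grep 'sshd\[' "$1" | grep -Ei 'authentication failure|failed|denied|refused|error:'
}

# Report the live SELinux mode when run on the host; harmless elsewhere.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo "unknown (getenforce not installed)"
    fi
}

# Constructed sample data (not captured from any real host) so the script
# can be run as-is. Point these at the real files on a machine under test.
AUDIT_SAMPLE=$(mktemp)
AUTH_SAMPLE=$(mktemp)
trap 'rm -f "$AUDIT_SAMPLE" "$AUTH_SAMPLE"' EXIT

cat >"$AUDIT_SAMPLE" <<'EOF'
type=AVC msg=audit(1355958000.123:45): avc:  denied  { read } for  pid=1234 comm="sshd" name="authorized_keys" dev=sda1 ino=5678 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1355958000.123:45): arch=c000003e syscall=2 success=yes exit=3 comm="sshd"
type=AVC msg=audit(1355958001.456:46): avc:  denied  { search } for  pid=1234 comm="sshd" name=".ssh" dev=sda1 ino=5679 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1355958002.789:47): avc:  denied  { write } for  pid=999 comm="cron" name="log" scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
EOF

cat >"$AUTH_SAMPLE" <<'EOF'
Dec 19 15:00:01 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Dec 19 15:00:02 host sshd[1234]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Dec 19 15:01:10 host sshd[1240]: error: PAM: Authentication failure for bob from 10.0.0.6
Dec 19 15:01:10 host sshd[1240]: Failed password for bob from 10.0.0.6 port 51240 ssh2
EOF

echo "SELinux mode: $(selinux_mode)"
echo "AVC records naming sshd: $(count_avc_for sshd "$AUDIT_SAMPLE")"
avc_lines_for sshd "$AUDIT_SAMPLE"
echo "sshd failures in auth.log:"
sshd_auth_failures "$AUTH_SAMPLE"
```

On the sample data the script finds two AVC records for sshd (both against files under the user's home directory, a typical result of a mislabelled `.ssh` directory) and two auth.log failure lines for a different user; on a real host a zero AVC count alongside auth.log failures points at the account, PAM or key problems Steve lists rather than at SELinux.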