Description of problem:
The booleans to disallow the login of privileged domains do not work.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.6-6.fc11.noarch
selinux-policy-3.6.6-6.fc11.noarch

How reproducible:

> sh-4.0# getsebool -a | grep sysadm
> allow_sysadm_exec_content --> on
> ssh_sysadm_login --> off
> xdm_sysadm_login --> off
>
> [dgrift@notebook1 ~]$ ssh dgrift/sysadm_r@localhost
> WARNING!!! You have accessed a private network.
> UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
> Violators may be prosecuted to the full extend of the law.
> Your access to this network may be monitored and recorded for quality
> assurance, security, performance, and maintenance purposes.
> dgrift/sysadm_r@localhost's password:
> Last login: Fri Feb 27 13:35:33 2009 from localhost.localdomain
> [dgrift@notebook1 ~]$ id -Z
> dgrift:sysadm_r:sysadm_t:SystemLow-SystemHigh
> [dgrift@notebook1 ~]$

Expected results:
permission denied

Additional info:
unconfined_login --> off also lets one log in unconfined via ssh using ssh dgrift/unconfined_r@localhost
Fixed in selinux-policy-3.6.8-1.fc11
unconfined_login works:

[dgrift@desktop1 ~]$ ssh dgrift/unconfined_r@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is af:b1:ff:4f:81:98:be:9e:89:55:49:68:6d:fc:52:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
WARNING!!! You have accessed a private network.
UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
Violators may be prosecuted to the full extend of the law.
Your access to this network may be monitored and recorded for quality
assurance, security, performance, and maintenance purposes.
dgrift/unconfined_r@localhost's password:
Last login: Sun Mar 8 11:41:53 2009 from ip120-92-211-87.adsl2.static.versatel.nl
/bin/bash: Permission denied
Connection to localhost closed.

ssh_sysadm_login does NOT work:

[dgrift@desktop1 ~]$ ssh dgrift/sysadm_r@localhost
WARNING!!! You have accessed a private network.
UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
Violators may be prosecuted to the full extend of the law.
Your access to this network may be monitored and recorded for quality
assurance, security, performance, and maintenance purposes.
dgrift/sysadm_r@localhost's password:
Last login: Sun Mar 8 12:36:28 2009 from localhost.localdomain
[dgrift@desktop1 ~]$ id -Z
dgrift:sysadm_r:sysadm_t:SystemLow-SystemHigh
[dgrift@desktop1 ~]$ rpm -qa | grep targeted
selinux-policy-targeted-3.6.8-1.fc11.noarch
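
The manual check in this report (compare `getsebool` output with the `id -Z` context of an SSH session) can be scripted as a regression test. This is an added example, not part of the report or of selinux-policy; the function names are hypothetical, the role-to-boolean mapping is assumed from the report, and the sample data is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: flags an SSH session whose role should have been blocked.
# Assumption (from the report): sysadm_r is gated by ssh_sysadm_login and
# unconfined_r by unconfined_login. Applies to SSH logins only.

# Print the boolean that gates an SSH login into the given role (or nothing).
boolean_for_role() {
    case "$1" in
        sysadm_r)     echo ssh_sysadm_login ;;
        unconfined_r) echo unconfined_login ;;
        *)            echo "" ;;
    esac
}

# $1 = boolean name, $2 = `getsebool -a` text. Prints on, off or unknown.
boolean_state() {
    state=$(printf '%s\n' "$2" |
        awk -v b="$1" '$1 == b && $2 == "-->" { print $3; exit }')
    echo "${state:-unknown}"
}

# $1 = context as printed by `id -Z`, $2 = `getsebool -a` text.
# Returns 0 if consistent, 1 on a violation, 2 if the boolean is not listed.
check_session() {
    role=$(printf '%s' "$1" | cut -d: -f2)
    bool=$(boolean_for_role "$role")
    if [ -z "$bool" ]; then echo "OK: role $role is not gated"; return 0; fi
    state=$(boolean_state "$bool" "$2")
    case "$state" in
        off)     echo "VIOLATION: $role session while $bool is off"; return 1 ;;
        unknown) echo "UNKNOWN: $bool not present in boolean list"; return 2 ;;
        *)       echo "OK: $bool is $state"; return 0 ;;
    esac
}

# Constructed sample, copied from the output quoted in the report.
SAMPLE_BOOLS='allow_sysadm_exec_content --> on
ssh_sysadm_login --> off
xdm_sysadm_login --> off'
SAMPLE_CTX='dgrift:sysadm_r:sysadm_t:SystemLow-SystemHigh'

check_session "$SAMPLE_CTX" "$SAMPLE_BOOLS" || true
# On a live host, inside the SSH session under test:
#   check_session "$(id -Z)" "$(getsebool -a)"
```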