On Thu, February 4, 2010 12:00, Ned Slider wrote:
I was under the impression that sshd runs unconfined in the current CentOS?
$ ps axZ | grep sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 2766 ? Ss 0:00 /usr/sbin/sshd
For example, you don't need to change the ssh_port in SELinux when running the sshd on an alternative port, I assume because sshd is running unconfined.
Also, it makes little sense to me to run sshd in a confined domain as an ssh login will give the user a login (bash) shell, which also runs unconfined:
$ ps axZ | grep bash
user_u:system_r:unconfined_t 8504 pts/3 Ss 0:00 /bin/bash
user_u:system_r:unconfined_t 16789 pts/4 Ss 0:00 /bin/bash
Or maybe I totally misunderstand?
Interesting. The OpenSSH-5.3p1 sshd that I built without selinux enabled runs in this domain:
# ps axZ | grep sshd
user_u:system_r:initrc_t 1981 ? Ss 0:00 /opt/sbin/sshd
Whereas the CentOS-5.4 OpenSSH sshd runs like this:
# ps axZ | grep ssh
system_u:system_r:unconfined_t:SystemLow-SystemHigh 2681 ? Ss 0:00 /usr/sbin/sshd
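As an added check (not code from the thread), the script below parses `ps axZ`-style lines, pulls the type out of each SELinux context and flags sshd processes that are not in a confined domain; the sample lines are constructed from the outputs quoted above plus a hypothetical `sshd_t` entry for contrast.

```shell
#!/bin/sh
# Constructed sample: the unconfined_t, initrc_t and bash lines mirror the
# thread; the sshd_t line is made up to show a confined daemon.
SAMPLE_PS='system_u:system_r:unconfined_t:SystemLow-SystemHigh 2766 ? Ss 0:00 /usr/sbin/sshd
user_u:system_r:initrc_t 1981 ? Ss 0:00 /opt/sbin/sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh 3001 ? Ss 0:00 /usr/sbin/sshd
user_u:system_r:unconfined_t 8504 pts/3 Ss 0:00 /bin/bash'

# domain_of <context>: the type field (user:role:TYPE[:level]) of a context
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_domain <type>: unconfined_t and initrc_t (the domain a daemon
# keeps when its init script starts a binary the policy has no transition
# for) are both reported as not confined.
classify_domain() {
    case "$1" in
        unconfined_t) echo unconfined ;;
        initrc_t)     echo init-inherited ;;
        *)            echo confined ;;
    esac
}

# report: read ps -Z style lines on stdin, print "<pid> <cmd> <type> <class>"
report() {
    while read -r ctx pid tty stat cputime cmd; do
        [ -n "$ctx" ] || continue
        type=$(domain_of "$ctx")
        printf '%s %s %s %s\n' "$pid" "$cmd" "$type" "$(classify_domain "$type")"
    done
}

# unconfined_sshd_count: how many sshd processes in the sample are not confined
unconfined_sshd_count() {
    printf '%s\n' "$SAMPLE_PS" | report |
        awk '$2 ~ /sshd$/ && $4 != "confined" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_PS" | report
echo "sshd processes not confined: $(unconfined_sshd_count)"
```

On a live host, feed it `ps axZ | grep -E 'sshd|bash'` instead of the sample to see which domain the daemon and the resulting login shells actually land in.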