On Thu, February 4, 2010 12:00, Ned Slider wrote:
>
>
> I was under the impression that sshd runs unconfined in the current
> CentOS?
>
> $ ps axZ | grep sshd
> system_u:system_r:unconfined_t:SystemLow-SystemHigh 2766 ? Ss 0:00
> /usr/sbin/sshd
>
> For example, you don't need to change the ssh_port in SELinux when
> running the sshd on an alternative port, I assume because sshd is
> running unconfined.
>
> Also, it makes little sense to me to run sshd in a confined domain
> as an ssh login will give the user a login (bash) shell, which also
> runs unconfined:
>
> $ ps axZ | grep bash
> user_u:system_r:unconfined_t 8504 pts/3 Ss 0:00 /bin/bash
> user_u:system_r:unconfined_t 16789 pts/4 Ss 0:00 /bin/bash
>
> Or maybe I totally misunderstand?
>

Interesting. The OpenSSH-5.3p1 sshd that I built without SELinux enabled
runs in this domain:

# ps axZ | grep sshd
user_u:system_r:initrc_t 1981 ? Ss 0:00 /opt/sbin/sshd

Whereas the CentOS-5.4 OpenSSH sshd runs like this:

# ps axZ | grep ssh
system_u:system_r:unconfined_t:SystemLow-SystemHigh 2681 ? Ss 0:00 /usr/sbin/sshd

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
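The two posts above compare the SELinux domain an sshd ends up in (unconfined_t for the distribution package, initrc_t for a self-built binary started from an init script). The following shell script is an added example, not code from either poster or from the CentOS project: it parses `ps axZ`-style lines, pulls the type out of the `user:role:type[:range]` context, and classifies each process so you can check a host for daemons that are not in a confined domain. The sample lines are constructed from the contexts quoted in the thread plus one hypothetical sshd_t line to show the confined case; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify the SELinux domain of each
# process in `ps axZ` output. Replace SAMPLE_PS with `ps axZ | grep '[s]shd'`
# on a live host; the lines below are constructed for offline use.

SAMPLE_PS='system_u:system_r:unconfined_t:SystemLow-SystemHigh 2681 ? Ss 0:00 /usr/sbin/sshd
user_u:system_r:initrc_t 1981 ? Ss 0:00 /opt/sbin/sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 2200 ? Ss 0:00 /usr/sbin/sshd
user_u:system_r:unconfined_t 8504 pts/3 Ss 0:00 /bin/bash'

# selinux_type CONTEXT -> the type field of a context label. Contexts have the
# form user:role:type and may carry a fourth MLS/MCS range field, which is why
# the type is always the third colon-separated field and never the last one.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_domain TYPE -> unconfined | init-fallback | confined
#   unconfined_t : no daemon-specific policy applies, so port labels such as
#                  ssh_port_t do not restrict the process.
#   initrc_t     : the init script ran a binary with no file context that
#                  triggers a domain transition (typical for /opt builds), so
#                  the daemon stayed in the init script's own domain.
#   anything else: assumed to be a daemon-specific (confined) domain.
classify_domain() {
    case "$1" in
        unconfined_t) echo unconfined ;;
        initrc_t)     echo init-fallback ;;
        *)            echo confined ;;
    esac
}

# report_process PS_LINE -> "<pid> <command> <type> <classification>"
report_process() {
    ctx=$(printf '%s\n' "$1" | awk '{print $1}')
    pid=$(printf '%s\n' "$1" | awk '{print $2}')
    cmd=$(printf '%s\n' "$1" | awk '{print $NF}')
    dom=$(selinux_type "$ctx")
    printf '%s %s %s %s\n' "$pid" "$cmd" "$dom" "$(classify_domain "$dom")"
}

# report_all PS_OUTPUT -> one report line per non-empty input line
report_all() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] && report_process "$line"
    done
}

# count_unconfined PS_OUTPUT PATTERN -> how many processes matching PATTERN
# run in unconfined_t (the condition Ned Slider's post relies on)
count_unconfined() {
    report_all "$1" | grep -- "$2" | grep -c ' unconfined$'
}

report_all "$SAMPLE_PS"
```

Run it as-is to see the four constructed lines classified; on a real host, feed it `ps axZ` output and treat any daemon reported as unconfined or init-fallback as one the targeted policy is not actually confining.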