LinuxQuestions.org

SELinux Enabled, SSHD Daemon Fails (https://www.linuxquestions.org/questions/linux-security-4/selinux-enabled-sshd-daemon-fails-4175589956/)

c0wb0y 10-06-2016 04:33 PM

Quote:

Originally Posted by pyrovortex (Post 5614166)
I understand your concern, unspawn, but I can assure you that I am up to date (software-wise) with all the security vulnerabilities that have been in the open till today.

Thanks

Sorry, but I'm not sure how you can get up-to-date if your base OS is long gone?

jpollard 10-06-2016 07:19 PM

Quote:

Originally Posted by c0wb0y (Post 5614845)
Sorry, but I'm not sure how you can get up-to-date if your base OS is long gone?

One way is to update the libraries/utilities known to have vulnerabilities manually.

Which is what I suspect has happened in this case. Doing it manually is relatively easy (I used to do it all the time).

The one thing tricky is when SELinux is active. You also have to set the security label on the result.

jpollard 10-06-2016 07:33 PM

Quote:

Originally Posted by c0wb0y (Post 5614845)
Sorry, but I'm not sure how you can get up-to-date if your base OS is long gone?

One way is to update the libraries/utilities known to have vulnerabilities manually.

Which is what I suspect has happened in this case. Doing it manually is relatively easy (I used to do it all the time).

The one thing tricky is when SELinux is active. You also have to set the security label on the result.

The problem here is the "cannot enable executable stack". That should be a bug in the library (the executable stack is a flag in the ELF header for the library).

You can try installing the "execstack" package to see what is going on. You can try "execstack -c <library>" (this should clear the flag calling for an executable stack) and then try it out. I don't believe libcrypto is supposed to be using an executable stack, so I'm not sure how it would have gotten set. If clearing the flag causes sshd to fail then you have a buggy library.

You can find the manpage on execstack at https://linux.die.net/man/8/execstack and see what it does before installing it.

I think the package should be available in an archived repository, though you might have to look for one.

BTW, I apologize for missing the obvious. You clearly stated the problem, yet I missed it.

pyrovortex 10-07-2016 10:30 AM

Quote:

Originally Posted by jpollard (Post 5614188)
Where did you get libcrypto.so.1.0.0?

That doesn't appear to be a version used by Fedora 16. On my system it is libcrypto.so.1.0.0j

The package install for sshd for Fedora 16 would include the package for libcrypto that has the appropriate security label.

What you have installed is either not properly labeled, or is the wrong package.

If you manually installed the library, you have to properly label it or it will not be used. I would almost bet the label type is either unknown, or not "lib_t". On my system (an archived Fedora 16) the full label is system_u:object_r:lib_t:s0

Hi,

libcrypto.so.1.0.0 on my box was from OpenSSL and the context on the file is the same as yours, "system_u:object_r:lib_t:s0".
But is it possible that SELinux recognizes a manually installed file and gives it a context? I am under the impression that based on the directory, the underlying files get their contexts.


Thanks

pyrovortex 10-07-2016 10:39 AM

Quote:

Originally Posted by jpollard (Post 5614893)
One way is to update the libraries/utilities known to have vulnerabilities manually.

Which is what I suspect has happened in this case. Doing it manually is relatively easy (I used to do it all the time).

The one thing tricky is when SELinux is active. You also have to set the security label on the result.

The problem here is the "cannot enable executable stack". That should be a bug in the library (the executable stack is a flag in the ELF header for the library).

You can try installing the "execstack" package to see what is going on. You can try "execstack -c <library>" (this should clear the flag calling for an executable stack) and then try it out. I don't believe libcrypto is supposed to be using an executable stack, so I'm not sure how it would have gotten set. If clearing the flag causes sshd to fail then you have a buggy library.

You can find the manpage on execstack at https://linux.die.net/man/8/execstack and see what it does before installing it.

I think the package should be available in an archived repository, though you might have to look for one.

BTW, I apologize for missing the obvious. You clearly stated the problem, yet I missed it.


Nailed it with the explanation. I am not sure how expressive I could be and so was trying hard to think about analogies.
I will try out the "execstack" based proposed solution and update you soon.

Thanks

jpollard 10-07-2016 08:30 PM

Quote:

Originally Posted by pyrovortex (Post 5615084)
Nailed it with the explanation. I am not sure how expressive I could be and so was trying hard to think about analogies.
I will try out the "execstack" based proposed solution and update you soon.

Thanks

You did fine. It was my error.

pyrovortex 12-29-2016 09:38 AM

Hi All,

Thanks for chipping in.

Closing the thread.

Thanks!


All times are GMT -5.