[SOLVED] SELinux Enabled, SSHD Daemon Fails

c0wb0y · 10-06-2016, 04:33 PM

Quote:

Originally Posted by pyrovortex

I understand your concern unspawn but I can assure you that I am up to date ( software wise ) with all the security vulnerabilities that have been in the open till today.

Thanks

Sorry, but I'm not sure how you can get up-to-date if your base OS is long gone?

jpollard · 10-06-2016, 07:19 PM

Quote:

Originally Posted by c0wb0y

Sorry, but I'm not sure how you can get up-to-date if your base OS is long gone?

One way is to update the libraries/utilities known to have vulnerabilities manually.

Which is what I suspect has happened in this case. Doing it manually is relatively easy (I used to do it all the time).

The one thing tricky is when SELinux is active. You also have to set the security label on the result.

jpollard · 10-06-2016, 07:33 PM

Quote:

Originally Posted by c0wb0y

Sorry, but I'm not sure how you can get up-to-date if your base OS is long gone?

One way is to update the libraries/utilities known to have vulnerabilities manually.

Which is what I suspect has happened in this case. Doing it manually is relatively easy (I used to do it all the time).

The one thing tricky is when SELinux is active. You also have to set the security label on the result.

The problem here is the "cannot enable executable stack". That should be a bug in the library (the executable stack is a flag in the ELF header for the library).

You can try installing the "execstack" package to see what is going on. You can try "execstack -c <library>" (this should clear the flag calling for an executable stack) and then try it out. I don't believe libcrypto is supposed to be using an executable stack, so I'm not sure how it would have gotten set. If clearing the flag causes sshd to fail then you have a buggy library.

You can find the manpage on execstack at https://linux.die.net/man/8/execstack and see what it does before installing it.

I think the package should be available in an archived repository, though you might have to look for one.

BTW, I apologize for missing the obvious. You clearly stated the problem, yet I missed it.

pyrovortex · 10-07-2016, 10:30 AM

Quote:

Originally Posted by jpollard

Where did you get libcrypto.so.1.0.0?

That doesn't appear to be a version used by Fedora 16. On my system it is libcrypto.so.1.0.0j

The package install for sshd for Fedora 16 would include the package for libcrypto that has the appropriate security label.

What you have installed is either not properly labeled, or is the wrong package.

If you manually installed the library, you have to properly label it or it will not be used. I would almost bet the label type is either unknown, or not "lib_t". On my system (an archived Fedora 16) the full label is system_u:object_r:lib_t:s0

Hi,

libcrypto.so.1.0.0 on my box was from OpenSSL and the context on the file is same as yours "system_u:object_r:lib_t:s0".
But is it possible that Selinux recognizes a manually installed file and gives it a context ? I am under the impression that based on the directory, the underlying files get their contexts.

Thanks

pyrovortex · 10-07-2016, 10:39 AM

Quote:

Originally Posted by jpollard

One way is to update the libraries/utilities known to have vulnerabilities manually.

Which is what I suspect has happened in this case. Doing it manually is relatively easy (I used to do it all the time).

The one thing tricky is when SELinux is active. You also have to set the security label on the result.

The problem here is the "cannot enable executable stack". That should be a bug in the library (the executable stack is a flag in the ELF header for the library).

You can try installing the "execstack" package to see what is going on. You can try "execstack -c <library>" (this should clear the flag calling for an executable stack) and then try it out. I don't believe libcrypto is supposed to be using an executable stack, so I'm not sure how it would have gotten set. If clearing the flag causes sshd to fail then you have a buggy library.

You can find the manpage on execstack at https://linux.die.net/man/8/execstack and see what it does before installing it.

I think the package should be available in an archived repository, though you might have to look for one.

BTW, I apologize for missing the obvious. You clearly stated the problem, yet I missed it.

Nailed it with the explanation. I am not sure how expressive I could be and so was trying hard to think about analogies.
I will try out the "execstack" based proposed solution and update you soon.

Thanks

jpollard · 10-07-2016, 08:30 PM

Quote:

Originally Posted by pyrovortex

Nailed it with the explanation. I am not sure how expressive I could be and so was trying hard to think about analogies.
I will try out the "execstack" based proposed solution and update you soon.

Thanks

You did fine. It was my error.

pyrovortex · 12-29-2016, 09:38 AM

Hi All,

Thanks for chipping in.

Closing the thread.

Thanks!