Discussion:
shellinabox
lejeczek
2018-06-11 17:25:08 UTC
hi guys,

cannot get it to work - shellinabox - not being a programmer nor an SELinux
sorcerer.

shellinabox via apache, when I ausearch it all I get is:

#============= unconfined_service_t ==============

#!!!! The file '/usr/bin/bash' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /usr/bin/bash
allow unconfined_service_t unconfined_t:process transition;

I have shellinabox in Apache's:

<Location /cmd>
AuthType Basic
AuthName "some more"
AuthBasicProvider PAM
AuthPAMService rstudio
Require valid-user
#Require all granted
ProxyPass http://localhost:4200/
</Location>

using:

LoadModule authnz_pam_module modules/mod_authnz_pam.so

So all seems to work there between apache & shellinabox. Last bit when
you login to shell you get denied.

Would there be a reasonable SELinux module for it, or is shellinabox just
too poor a design?

many thanks, L.
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org/message/CGKHLBOQNJ7HNVGVQG3FKOP7H
Paul Howarth
2018-06-12 08:02:17 UTC
On Mon, 11 Jun 2018 18:25:08 +0100
Post by lejeczek
hi guys,
cannot get it to work - shellinabox - not being a programmer nor an
SELinux sorcerer.
#============= unconfined_service_t ==============
#!!!! The file '/usr/bin/bash' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /usr/bin/bash
allow unconfined_service_t unconfined_t:process transition;
<Location /cmd>
AuthType Basic
AuthName "some more"
AuthBasicProvider PAM
AuthPAMService rstudio
Require valid-user
#Require all granted
ProxyPass http://localhost:4200/
</Location>
LoadModule authnz_pam_module modules/mod_authnz_pam.so
So all seems to work there between apache & shellinabox. Last bit
when you login to shell you get denied.
Would there be a reasonable SELinux module for it, or is shellinabox
just too poor a design?
Strange. shellinabox is working for me on Fedora 27.

What's the context of /usr/bin/bash on your system?

$ ls -lZ /usr/bin/bash
-rwxr-xr-x. 1 root root system_u:object_r:shell_exec_t:s0 1132656 Feb 13 14:08 /usr/bin/bash

If it's not shell_exec_t, the advice given in the error message you saw
should fix it.

Paul.
Jean-David Beyer
2018-06-12 11:02:38 UTC
Post by Paul Howarth
$ ls -lZ /usr/bin/bash
-rwxr-xr-x. 1 root root system_u:object_r:shell_exec_t:s0 1132656 Feb 13 14:08 /usr/bin/bash
I do not have a problem, but just for laughs, I tried the above.
Red Hat Enterprise Linux Server release 6.9 (Santiago)
$ uname -r
2.6.32-696.30.1.el6.x86_64

$ ls -lZ /usr/bin/bash
ls: cannot access /usr/bin/bash: No such file or directory
$ whereis bash
bash: /bin/bash /usr/share/man/man1/bash.1.gz
$ ls -lZ /bin/bash
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /bin/bash
$ ls -l /bin/bash
-rwxr-xr-x. 1 root root 942200 Feb 15 2017 /bin/bash


--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521.
/( )\ Shrewsbury, New Jersey http://linuxcounter.net
^^-^^ 06:50:01 up 21 days, 11:33, 2 users, load average: 4.47, 4.71, 4.49
lejeczek
2018-07-10 13:08:46 UTC
Anybody on CentOS 7.5?

Is it really healthy to:

allow unconfined_service_t unconfined_t:process transition;

?
Post by Jean-David Beyer
Post by Paul Howarth
$ ls -lZ /usr/bin/bash
-rwxr-xr-x. 1 root root system_u:object_r:shell_exec_t:s0 1132656 Feb 13 14:08 /usr/bin/bash
I do not have a problem, but just for laughs, I tried the above.
Red Hat Enterprise Linux Server release 6.9 (Santiago)
$ uname -r
2.6.32-696.30.1.el6.x86_64
$ ls -lZ /usr/bin/bash
ls: cannot access /usr/bin/bash: No such file or directory
$ whereis bash
bash: /bin/bash /usr/share/man/man1/bash.1.gz
$ ls -lZ /bin/bash
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /bin/bash
$ ls -l /bin/bash
-rwxr-xr-x. 1 root root 942200 Feb 15 2017 /bin/bash
lejeczek
2018-06-12 17:06:53 UTC
Post by Paul Howarth
On Mon, 11 Jun 2018 18:25:08 +0100
Post by lejeczek
hi guys,
cannot get it to work - shellinabox - not being a programmer nor an
SELinux sorcerer.
#============= unconfined_service_t ==============
#!!!! The file '/usr/bin/bash' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /usr/bin/bash
allow unconfined_service_t unconfined_t:process transition;
<Location /cmd>
AuthType Basic
AuthName "some more"
AuthBasicProvider PAM
AuthPAMService rstudio
Require valid-user
#Require all granted
ProxyPass http://localhost:4200/
</Location>
LoadModule authnz_pam_module modules/mod_authnz_pam.so
So all seems to work there between apache & shellinabox. Last bit
when you login to shell you get denied.
Would there be a reasonable SELinux module for it, or is shellinabox
just too poor a design?
Strange. shellinabox is working for me on Fedora 27.
What's the context of /usr/bin/bash on your system?
$ ls -lZ /usr/bin/bash
-rwxr-xr-x. 1 root root system_u:object_r:shell_exec_t:s0 1132656 Feb 13 14:08 /usr/bin/bash
If it's not shell_exec_t, the advice given in the error message you saw
should fix it.
Paul.
_______________________________________________
I should maybe have mentioned that I'm on CentOS 7.5.

$ ll -Z /usr/bin/bash
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /usr/bin/bash
$ ll -Z /usr/sbin/shellinaboxd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/shellinaboxd

I think the problem is here, it's how systemd does the service:
$ ps -FZp 2909167 --cols 999
LABEL                                     UID      PID     PPID C    SZ  RSS PSR STIME TTY TIME     CMD
system_u:system_r:unconfined_service_t:s0 shellin+ 2909167 1    0 10785 2740 7   Jun11 ?   00:00:00 /usr/sbin/shellinaboxd -u shellinabox -g shellinabox --cert=/var/lib/shellinabox --port=4200 --localhost-only --disable-ssl


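An added example, not code from the thread, from shellinabox or from the Fedora/CentOS policy: a small POSIX shell helper that puts Paul's label check (is /usr/bin/bash shell_exec_t, and does restorecon need to run?) and lejeczek's process check (which domain does systemd start shellinaboxd in, and what is the binary labelled?) into one audit, then states which of the two explanations fits. The paths, the expected types and the ps record are the ones posted above; the function names are mine; the live part uses the stock tools stat -c %C, matchpathcon -n, ps -eo label=, sesearch -A and ausearch -m avc, and skips itself on a host where selinuxenabled says no. The verdict logic only encodes what the thread itself shows: with bash already labelled shell_exec_t, relabeling it cannot be the fix, and the daemon's unconfined_service_t domain is where to look.

```shell
#!/bin/sh
# Added audit helper for the shellinabox denial discussed in this thread.
# Not part of shellinabox or of the Fedora/CentOS SELinux policy; paths and
# expected types come from the thread, the function names are assumptions.

# Third colon-separated field of an SELinux context is its type:
# "system_u:object_r:shell_exec_t:s0" -> "shell_exec_t" (an MLS range such as
# s0-s0:c0.c1023 comes after the type, so field 3 is still right).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when two contexts carry the same type (user/role may differ).
same_type() {
    [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ]
}

# Domain of a process from a "ps -Z"/"ps -FZ" record whose first column is
# the label, e.g. the record lejeczek pasted.
domain_from_ps() {
    ctx_type "$(printf '%s\n' "$1" | awk '{print $1}')"
}

# Verdict from the three facts the thread turns on. Prints one line whose
# first word (before the colon) is the verdict class: relabel, domain, other.
diagnose() {
    bash_type="$1"; daemon_dom="$2"; daemon_type="$3"
    if [ "$bash_type" != "shell_exec_t" ]; then
        echo "relabel: /usr/bin/bash is $bash_type; run restorecon -v /usr/bin/bash"
    elif [ "$daemon_dom" = "unconfined_service_t" ]; then
        echo "domain: shellinaboxd ($daemon_type binary) runs as $daemon_dom; bash is already shell_exec_t, so relabeling it changes nothing"
    else
        echo "other: bash label and daemon domain look normal; inspect the AVC with ausearch -m avc"
    fi
}

# Live checks. Every tool is optional so the script degrades cleanly on a
# host without SELinux or without setools/audit installed.
audit_live() {
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled 2>/dev/null; then
        echo "SELinux not enabled here; skipping live checks"
        return 0
    fi
    for f in /usr/bin/bash /usr/sbin/shellinaboxd; do
        actual=$(stat -c %C "$f" 2>/dev/null) || continue
        expected=$(matchpathcon -n "$f" 2>/dev/null) || expected="$actual"
        if same_type "$actual" "$expected"; then
            echo "$f: $(ctx_type "$actual") (matches policy)"
        else
            echo "$f: $(ctx_type "$actual"), policy expects $(ctx_type "$expected"); run: restorecon -v $f"
        fi
    done
    line=$(ps -eo label=,pid=,comm= 2>/dev/null | grep ' shellinaboxd$' || true)
    if [ -n "$line" ]; then
        echo "shellinaboxd runs as $(domain_from_ps "$line")"
    fi
    # Does the loaded policy already allow the transition the AVC asked for?
    # No output means no such allow rule is loaded.
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -A -s unconfined_service_t -t unconfined_t -c process -p transition
    fi
    # Recent denials attributed to the daemon (needs root to read the log).
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -c shellinaboxd -ts recent 2>/dev/null || true
    fi
}

# The facts from the thread, reconstructed as constants (constructed input).
PS_LINE='system_u:system_r:unconfined_service_t:s0 shellin+ 2909167 1 0 10785 2740 7 Jun11 ? 00:00:00 /usr/sbin/shellinaboxd -u shellinabox'
BASH_CTX='system_u:object_r:shell_exec_t:s0'
DAEMON_CTX='system_u:object_r:bin_t:s0'

# Verdict for exactly what lejeczek posted, then whatever this host shows.
diagnose "$(ctx_type "$BASH_CTX")" "$(domain_from_ps "$PS_LINE")" "$(ctx_type "$DAEMON_CTX")"
audit_live
```

Run it as root on the box in question; the sesearch line answers the "is it healthy" question directly, since it shows whether the loaded policy already lets unconfined_service_t transition to unconfined_t (it will print nothing on a stock targeted policy), and the ausearch line keeps the raw AVC alongside the audit2allow summary rather than trusting the "mislabeled" heuristic alone.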