AppArmor is still available and supported.
Thank you. I will try to switch over to it; hopefully this is in the wiki somewhere. All I can see so far is how to switch to SELinux from AppArmor, not the reverse.
Cheers!
After having slept on it, I think this was wrong as well.
The default SELinux policy allows init_t to execute any binary with bin_t type (most programs in various .../bin directories) in the unconfined_service_t domain:
```
andrei@tumbleweed:~> sesearch -T -s init_t -t bin_t -c process
type_transition init_t bin_t:process unconfined_service_t;
andrei@tumbleweed:~>
```
which is exactly what I suggested earlier to work around your problem. The unconfined_service_t domain is allowed almost everything, including invoking /usr/bin/ssh. Prohibiting direct invocation of /usr/bin/ssh by init_t does not increase any security at all because any service not explicitly confined can do it anyway. The most likely reason is that SELinux developers never thought about the use case for executing ssh as the service process.
@Richard_MQ You may consider filing a bug report requesting this addition. It would be interesting to see what the SELinux maintainers/developers say. In any case, it sounds like a regression (as it worked in earlier releases).
P.S. This is an excellent example of the problems in SELinux design. In SELinux everything is prohibited by default; you must list everything that any process is allowed to do. To confine a process you must create a separate type - but as soon as you do, you must also define all possible interactions processes of this type may have with all possible objects managed by SELinux (other processes, files, sockets, etc.). This not only means a never-ending whack-a-mole game - it means the SELinux policy will grow over time without bounds.
Compare it with AppArmor, which only enforces restrictions for the explicitly defined processes and does not affect everything else. While the default SELinux policy is (sort of ironically) called “targeted” and is supposed to behave exactly like AppArmor - in SELinux you still must provide policy definitions for everything that is not a target of this policy. In particular, the unconfined domains must be allowed to access every other existing type. Add one more type, forget the rules for unconfined domains - and they are no longer unconfined.
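The two options the post above describes, as an added worked example (not from the thread and not the openSUSE/SELinux project's own code): first confirm the `init_t` → `bin_t` → `unconfined_service_t` transition with `sesearch` (the script parses a constructed copy of the output shown above when `sesearch` is not installed), then either install a wrapper script under /usr/local/bin so the service transitions into `unconfined_service_t` before `ssh` runs, or build a small local policy module that lets `init_t` execute `ssh_exec_t` directly. The type `ssh_exec_t`, the module name `local_init_ssh`, the wrapper path and the permission set in the `allow` rule are assumptions taken from refpolicy conventions; check them against `sesearch`/`audit2allow` output on the actual system before installing anything.

```shell
#!/bin/sh
# Added example: two ways to let a service that starts in init_t run /usr/bin/ssh.
# Assumes a refpolicy-style targeted policy with init_t, bin_t,
# unconfined_service_t and ssh_exec_t (assumed type names).
set -u

# Constructed sample of `sesearch -T -s init_t -t bin_t -c process` output,
# identical to what the post shows; lets the parsing run on a box without sesearch.
SAMPLE_SESEARCH='type_transition init_t bin_t:process unconfined_service_t;'

# Print the domain a process of type $1 transitions to when it executes a file
# of type $2. Uses the real sesearch when present, otherwise the text in $3.
transition_target() {
    src="$1"; tgt="$2"; out="${3:-}"
    if [ -z "$out" ] && command -v sesearch >/dev/null 2>&1; then
        out=$(sesearch -T -s "$src" -t "$tgt" -c process 2>/dev/null)
    fi
    # "type_transition SRC TGT:process NEWDOMAIN;" -> "NEWDOMAIN"
    printf '%s\n' "$out" \
        | sed -n "s/^type_transition $src $tgt:process \([a-z_]*\);.*/\1/p" \
        | head -n 1
}

# Option 1: a wrapper under /usr/local/bin gets bin_t from the default file
# contexts, so init_t transitions to unconfined_service_t before ssh is run.
# (Hypothetical wrapper; the service's ExecStart= would point at it.)
wrapper_script() {
    cat <<'EOF'
#!/bin/sh
# Runs in unconfined_service_t because this file is labelled bin_t.
exec /usr/bin/ssh "$@"
EOF
}

# Option 2: a local policy module (audit2allow-style, no dev headers needed)
# that lets init_t execute ssh_exec_t itself, without a domain transition.
# Module name and permission set are assumptions.
local_policy_te() {
    cat <<'EOF'
module local_init_ssh 1.0;

require {
    type init_t;
    type ssh_exec_t;
    class file { read getattr open execute execute_no_trans map };
}

allow init_t ssh_exec_t:file { read getattr open execute execute_no_trans map };
EOF
}

# Build and load the module; only runs where the SELinux build tools exist.
install_policy() {
    te="${TMPDIR:-/tmp}/local_init_ssh.te"
    if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule_package >/dev/null 2>&1; then
        echo "checkmodule/semodule_package not installed; skipping" >&2
        return 1
    fi
    local_policy_te > "$te" \
        && checkmodule -M -m -o "${te%.te}.mod" "$te" \
        && semodule_package -o "${te%.te}.pp" -m "${te%.te}.mod" \
        && semodule -i "${te%.te}.pp" \
        && sesearch -A -s init_t -t ssh_exec_t -c file -p execute
}

# Stand-alone run: show what init_t becomes when it executes a bin_t file.
echo "init_t executing bin_t -> $(transition_target init_t bin_t "$SAMPLE_SESEARCH")"
```

Run `install_policy` as root only after deciding the `allow` rule is what you want; the wrapper in option 1 is the smaller change but moves the whole service into an unconfined domain, which is exactly the point the post makes.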
The wiki instructions to switch back to AppArmor worked perfectly thanks, so my original issue seems to be resolved.
I’d be happy to file a bug report on SELinux / SSH but I am not sure I understand the issue adequately to do so.
Thanks anyway for the assistance - it was greatly appreciated.