error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

Matthias Imsand imsand at puzzle.ch
Fri Oct 1 13:20:11 UTC 2010


On 10/01/2010 03:52 AM, Matthias Imsand wrote:
> >
> > On 09/30/2010 08:24 PM, Daniel J Walsh wrote:
>> >> On 09/30/2010 10:18 AM, imsand at puzzle.ch wrote:
>>> >>> another interesting thing is the following:
>>> >>> (seen with the debug option in pam_selinux)
> >
>>> >>> assuming that the linux user is mat and the corresponding selinux user is
>>> >>> mat_u. during ssh login this happens:
> >
>>> >>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session
>>> >>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session
>>> >>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Username= mat SELinux User = mat_u Level= (null)
>>> >>> Sep 30 16:09:49 testsrv  sshd[4328]: pam_selinux(sshd:session): set mat security context to mat_u:staff_r:staff_t
>>> >>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat key creation context to mat_u:staff_r:staff_t
> >
>>> >>> As we can see, the user mapping works as desired and the new chosen
>>> >>> context should be all right => mat_u:staff_r:staff_t.
> >
>>> >>> But then, when I do an id -Z after successful login, the shell's context
>>> >>> is context=user_u:user_r:user_t.
> >
>>> >>> Very strange....
> >
>>> >>> --
>>> >>> selinux mailing list
>>> >>> selinux at lists.fedoraproject.org
>>> >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
>> >> You got me.  If you create the mat_u user and login does the pam_selinux
>> >> session look different?
> >
>> >> Why don't you ask on the upstream selinux list.  More sles experience is
>> >> probably there that is not monitoring this list.
>> >>  <selinux at tycho.nsa.gov>
> >
> > no, with mat_u it looks similar.
> > Username= mat_u SELinux User = mat_u Level= (null)
> >
> > Do you know which library / process is responsible for actually changing
> > the context to mat_u:staff_r:staff_t? Or should it be done directly by
> > the pam_selinux.so?
> >
> > Yes, thank you for the recommendation. I will ask on that list as well..
>
> These functions are all called in pam_selinux including
> getseuserbyname(const char *linuxuser, char **seuser, char **level);
> And setexeccon. One thing of note is the default user is user_u which
> seems to be what you are seeing.

So, there must be a bug in pam_selinux, isn't it?
What do you recommend doing next?

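The check discussed in this thread (the context pam_selinux logs for a session versus the context `id -Z` reports in the resulting shell), as an added example that is not part of the original messages or of pam_selinux. The helper names `parse_sessions` and `context_mismatches` are hypothetical, and the sample log is constructed from the debug line format quoted above.

```python
import re

# Constructed sample: unwrapped lines in the pam_selinux debug format quoted in the thread.
SAMPLE_LOG = """\
Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session
Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Username= mat SELinux User = mat_u Level= (null)
Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat security context to mat_u:staff_r:staff_t
Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat key creation context to mat_u:staff_r:staff_t
"""

PREFIX = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_selinux\(sshd:session\): (?P<msg>.*)$")
MAPPING = re.compile(r"Username=\s*(\S+)\s+SELinux User\s*=\s*(\S+)")
EXEC_CTX = re.compile(r"set \S+ security context to (\S+)")
KEY_CTX = re.compile(r"set \S+ key creation context to (\S+)")


def parse_sessions(log_text):
    """Group pam_selinux debug lines by sshd PID (hypothetical helper)."""
    sessions = {}
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        s = sessions.setdefault(int(m.group("pid")), {})
        msg = m.group("msg")
        if (hit := MAPPING.search(msg)):
            s["user"], s["seuser"] = hit.group(1), hit.group(2)
        elif (hit := EXEC_CTX.search(msg)):
            s["exec_context"] = hit.group(1)
        elif (hit := KEY_CTX.search(msg)):
            s["key_context"] = hit.group(1)
    return sessions


def context_mismatches(session, observed):
    """Compare the logged exec context with `id -Z` output, field by field."""
    got = observed.strip().split("=", 1)[-1].split(":")  # drop a leading "context="
    want = session["exec_context"].split(":")
    # Compare user:role:type only; an MLS level may be missing on either side.
    return [(f, w, g) for f, w, g in zip(("user", "role", "type"), want, got) if w != g]


if __name__ == "__main__":
    for pid, s in parse_sessions(SAMPLE_LOG).items():
        # Shell context as reported in the thread after login.
        for field, want, got in context_mismatches(s, "context=user_u:user_r:user_t"):
            print(f"sshd[{pid}] {s['user']}: {field} logged {want}, shell has {got}")
```

A non-empty result means the context pam_selinux logged for the session is not the one the login shell ended up with, which is the symptom reported above.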
