error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

imsand at puzzle.ch imsand at puzzle.ch
Tue Sep 28 07:24:09 UTC 2010


Hello

I get the following error when I try to log in through ssh (even if
selinux is in permissive mode!!!):

Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted
keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2
Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400
audit(1285657292.298:286): avc:  denied  { audit_control } for  pid=12614
comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t
tcontext=system_u:system_r:sysadm_t tclass=capability
Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error:
ssh_selinux_getctxbyname: Failed to get default SELinux security context
for mat
Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
ssh_selinux_getctxbyname: Failed to get default SELinux security context
for mat
Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: ssh_selinux_setup_pty:
security_compute_relabel: Invalid argument

I already went through this post:
http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml but I
can't figure out the exact problem.

Here is what I've done so far:
- Downloaded the latest reference policy from tresys:
http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
- Compiled and installed it on my sles 11.1
- set selinux into permissive mode: (so far so good.. :))
sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        refpolicy
- Add selinux user "mat_u": semanage user -R "staff_r system_r" -P user -a
mat_u
- Add linux user "mat": useradd mat
- Set password for "mat": passwd mat
- User mapping: semanage login -s mat_u -a mat
- add security context for "mat_u" by copying staff_u's context (don't
know if that's needed??!): cp /etc/selinux/refpolicy/contexts/user/staff_u
/etc/selinux/refpolicy/contexts/user/mat_u
- set boolean for sysadm ssh login to true (don't know if that's needed?!):
setsebool ssh_sysadm_login on

In other posts I've read something about sepermit.conf and namespace.conf
but these files don't exist on my system. What about these files? Do I
need them?
What's wrong on my system?
Why is it not possible to log in even if selinux is in permissive mode?
Any suggestions?

Thanks in advance
Matthias
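
Added example, not part of the original message: a small Python parser that rejoins the mail-wrapped kernel AVC record from the log excerpt above and splits it into fields, so the denied permission, the process, and the domain it ran in can be read off directly. The function names (parse_avc, parse_context) are this example's own; the record in WRAPPED is copied from the message.

```python
import re
from datetime import datetime, timezone

# AVC record copied from the log excerpt in the message; the mail client
# wrapped it across four lines, so it is rejoined before parsing.
WRAPPED = [
    "Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400",
    "audit(1285657292.298:286): avc:  denied  { audit_control } for  pid=12614",
    'comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t',
    "tcontext=system_u:system_r:sysadm_t tclass=capability",
]

AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)"
)

def parse_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain ':'."""
    user, role, setype, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype,
            "level": level[0] if level else None}

def parse_avc(lines):
    """Rejoin wrapped syslog lines and parse one kernel AVC record."""
    record = " ".join(line.strip() for line in lines)
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("no AVC record found")
    # The remainder is key=value pairs; values may be double-quoted.
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m["rest"])
    fields = {k: v.strip('"') for k, v in pairs}
    return {
        "time": datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
        "pid": int(fields["pid"]),
        "comm": fields["comm"],
        "tclass": fields["tclass"],
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
    }

if __name__ == "__main__":
    avc = parse_avc(WRAPPED)
    print(avc["time"].isoformat(), avc["comm"], avc["pid"], avc["result"],
          avc["perms"], "in domain", avc["source"]["type"])
```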


