pam_selinux(sshd:session): Error! Unable to set executable context

Radha Venkatesh (radvenka) radvenka at cisco.com
Fri Oct 19 17:25:20 UTC 2012


Dan,

This issue is at a customer deployment which has RHEL 5, not RHEL 6.

Thanks,
Radha.

-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh at redhat.com] 
Sent: Friday, October 19, 2012 10:22 AM
To: Radha Venkatesh (radvenka)
Cc: Stephen Smalley; selinux at lists.fedoraproject.org
Subject: Re: pam_selinux(sshd:session): Error! Unable to set executable context

On 10/19/2012 12:12 PM, Radha Venkatesh (radvenka) wrote:
> Any suggestions on how this issue can be overcome?
> 
> Thanks, Radha.
> 
> -----Original Message-----
> From: Radha Venkatesh (radvenka)
> Sent: Thursday, October 18, 2012 1:37 PM
> To: 'Stephen Smalley'; selinux at lists.fedoraproject.org
> Subject: RE: pam_selinux(sshd:session): Error! Unable to set executable context
> 
> What can we do to rectify this now? Any workarounds?
> 
> -----Original Message-----
> From: selinux-bounces at lists.fedoraproject.org [mailto:selinux-bounces at lists.fedoraproject.org] On Behalf Of Stephen Smalley
> Sent: Thursday, October 18, 2012 12:30 PM
> To: selinux at lists.fedoraproject.org
> Subject: Re: pam_selinux(sshd:session): Error! Unable to set executable context
> 
> On 10/18/2012 12:59 PM, Radha Venkatesh (radvenka) wrote:
>> We have an selinux user specialuser_u defined. The outputs of the 
>> semanage command are as seen below
>> 
>> semanage user -l
>> 
>> admin_u         user       s0         SystemLow-SystemHigh system_r sysadm_r
>> guest_u         guest      s0         s0                   guest_r
>> remotesupport_u user       s0         SystemLow-SystemHigh system_r sysadm_r
>> root            sysadm     s0         SystemLow-SystemHigh system_r sysadm_r
>> specialuser_u   user       s0         s0                   system_r sysadm_r
>> staff_u         staff      s0         SystemLow-SystemHigh sysadm_r staff_r
>> sysadm_u        sysadm     s0         SystemLow-SystemHigh sysadm_r
>> system_u        user       s0         SystemLow-SystemHigh system_r
>> 
>> Now, we see the following in our log files
>> 
>> pam_selinux(sshd:session): Error!  Unable to set executable context €‡\
>> ialuser_u:sysadm_r:sysadm_t.
>> 
>> pam_selinux(sshd:session): Error!  Unable to set executable context 
>> €×ª_ialuser_u:sysadm_r:sysadm_t:s0.
>> 
>> pam_selinux(sshd:session): Error!  Unable to set executable context €gb
>> ialuser_u:sysadm_r:sysadm_t.
>> 
>> pam_selinux(sshd:session): Error!  Unable to set executable context € 
>> ³_ialuser_u:sysadm_r:sysadm_t:s0.
>> 
>> /etc/pam.d/sshd looks as follows
>> 
>> #%PAM-1.0
>> auth       required     pam_stack.so service=system-auth
>> account    required     pam_nologin.so
>> account    required     pam_stack.so service=system-auth
>> password   required     pam_stack.so service=system-auth
>> session    required     pam_stack.so service=system-auth
>> session    required     pam_loginuid.so
>> session    optional     pam_keyinit.so force revoke
>> session    required     pam_selinux.so
>> 
>> Could anyone help us with why we are seeing these error messages and why 
>> the specialuser_u is corrupted with control chars?
> 
> Sounds like a memory corruption bug in pam_selinux.  Bugzilla?
> 
> 
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
Radha, can you see if selinuxdefcon and selinuxconlist help you diagnose what
is going on? (If they exist on RHEL6?)


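Added example, not part of the original thread or of pam_selinux: a small log triage script that finds pam_selinux "Unable to set executable context" lines whose context is malformed and guesses which defined SELinux user the damaged field was meant to be. The sample lines, the identifier pattern and the suffix threshold are assumptions made for this illustration.

```python
import re

# SELinux users listed in the `semanage user -l` output quoted in the thread.
KNOWN_USERS = ["admin_u", "guest_u", "remotesupport_u", "root",
               "specialuser_u", "staff_u", "sysadm_u", "system_u"]

# Constructed sample lines modelled on the quoted log excerpts; the leading
# garbage bytes are invented stand-ins, not copied from the post.
SAMPLE_LOG = [
    "pam_selinux(sshd:session): Error!  Unable to set executable context "
    "\x80\x87\\ialuser_u:sysadm_r:sysadm_t.",
    "pam_selinux(sshd:session): Error!  Unable to set executable context "
    "\x80\xd7\xaa_ialuser_u:sysadm_r:sysadm_t:s0.",
    "pam_selinux(sshd:session): Error!  Unable to set executable context "
    "staff_u:staff_r:staff_t:s0.",
]

MSG = re.compile(r"pam_selinux\(\S+\): Error!\s+Unable to set executable context (.*)\.$")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # assumed identifier shape
MIN_SUFFIX = 4  # assumed threshold: shorter overlaps (e.g. "_u") prove nothing


def common_suffix_len(a, b):
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n


def analyse(line, known_users=KNOWN_USERS):
    """Classify one pam_selinux error line; return None for unrelated lines."""
    m = MSG.search(line.rstrip("\n"))
    if not m:
        return None
    parts = m.group(1).split(":", 3)  # user:role:type[:level]
    user = parts[0]
    well_formed = len(parts) >= 3 and all(IDENT.fullmatch(p) for p in parts[:3])
    likely = None
    if user not in known_users:
        # A damaged prefix leaves the tail intact, so match on the suffix.
        best = max(known_users, key=lambda u: common_suffix_len(user, u))
        if common_suffix_len(user, best) >= MIN_SUFFIX:
            likely = best
    return {"user_field": user, "well_formed": well_formed, "likely_user": likely}


if __name__ == "__main__":
    # For a real file, open it with encoding="latin-1" so raw bytes survive.
    for entry in SAMPLE_LOG:
        print(analyse(entry))
```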

