On 10/19/2012 12:12 PM, Radha Venkatesh (radvenka) wrote:
Any suggestions on how this issue can be overcome?
Thanks, Radha.
-----Original Message-----
From: Radha Venkatesh (radvenka)
Sent: Thursday, October 18, 2012 1:37 PM
To: 'Stephen Smalley'; selinux(a)lists.fedoraproject.org
Subject: RE: pam_selinux(sshd:session): Error! Unable to set executable context
What can we do to rectify this now? Any workarounds?
-----Original Message-----
From: selinux-bounces(a)lists.fedoraproject.org [mailto:selinux-bounces@lists.fedoraproject.org] On Behalf Of Stephen Smalley
Sent: Thursday, October 18, 2012 12:30 PM
To: selinux(a)lists.fedoraproject.org
Subject: Re: pam_selinux(sshd:session): Error! Unable to set executable context
On 10/18/2012 12:59 PM, Radha Venkatesh (radvenka) wrote:
> We have an selinux user specialuser_u defined. The outputs of the
> semanage command are as seen below
>
> semanage user -l
>
> admin_u          user    s0  SystemLow-SystemHigh  system_r sysadm_r
> guest_u          guest   s0  s0                    guest_r
> remotesupport_u  user    s0  SystemLow-SystemHigh  system_r sysadm_r
> root             sysadm  s0  SystemLow-SystemHigh  system_r sysadm_r
> specialuser_u    user    s0  s0                    system_r sysadm_r
> staff_u          staff   s0  SystemLow-SystemHigh  sysadm_r staff_r
> sysadm_u         sysadm  s0  SystemLow-SystemHigh  sysadm_r
> system_u         user    s0  SystemLow-SystemHigh  system_r
>
> Now, we see the following in our log files
>
> pam_selinux(sshd:session): Error! Unable to set executable context €‡\
> ialuser_u:sysadm_r:sysadm_t.
>
> …
>
> …
>
> …
>
> pam_selinux(sshd:session): Error! Unable to set executable context
> €×ª_ialuser_u:sysadm_r:sysadm_t:s0.
>
> …
>
> …
>
> …
>
> pam_selinux(sshd:session): Error! Unable to set executable context €gb
> ialuser_u:sysadm_r:sysadm_t.
>
> …
>
> …
>
> …
>
> pam_selinux(sshd:session): Error! Unable to set executable context €
> ³_ialuser_u:sysadm_r:sysadm_t:s0.
>
> /etc/pam.d/sshd looks as follows
>
> #%PAM-1.0
> auth       required     pam_stack.so service=system-auth
> account    required     pam_nologin.so
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> session    required     pam_loginuid.so
> session    optional     pam_keyinit.so force revoke
> session    required     pam_selinux.so
>
> Could anyone help us with why we are seeing these error messages and why
> the specialuser_u is corrupted with control chars?
Sounds like a memory corruption bug in pam_selinux. Bugzilla?
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Radha, can you see if selinuxdefcon and selinuxconlist help you diagnose what
is going on? (If they exist on RHEL6?)
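The following is an added example, not part of the thread or of pam_selinux: a log check that flags pam_selinux context errors whose user field is damaged and guesses which defined SELinux user was intended. The user list is copied from the quoted `semanage user -l` output; the function names, the suffix-matching heuristic and the sample lines are assumptions constructed for illustration.

```python
import re

# SELinux users copied from the `semanage user -l` listing quoted in the thread.
KNOWN_USERS = ["admin_u", "guest_u", "remotesupport_u", "root",
               "specialuser_u", "staff_u", "sysadm_u", "system_u"]
PREFIX = "pam_selinux(sshd:session): Error! Unable to set executable context "
PAM_ERR = re.compile(r"pam_selinux\(([^)]*)\): Error! Unable to set "
                     r"executable context (.*)$")
CLEAN = re.compile(r"[A-Za-z0-9_]+")  # characters expected in a user name

def common_suffix(a, b):
    """Length of the longest suffix shared by a and b."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n

def check_line(line):
    """Return None for unrelated lines, else a dict describing the context."""
    m = PAM_ERR.search(line)
    if not m:
        return None
    ctx = m.group(2).strip()
    if ctx.endswith("."):           # the logged message ends with a full stop
        ctx = ctx[:-1]
    fields = ctx.split(":", 3)      # user:role:type[:level]
    user, problems = fields[0], []
    if len(fields) < 3:
        problems.append("not user:role:type[:level]")
    if not CLEAN.fullmatch(user):
        problems.append("unexpected bytes in user field")
    if user not in KNOWN_USERS:
        problems.append("user not defined in policy")
    # Assumption: the tail of the name survives, as in the quoted messages,
    # so the known user sharing the longest suffix is the likely original.
    best = max(KNOWN_USERS, key=lambda u: common_suffix(u, user))
    guess = best if common_suffix(best, user) >= 5 else None
    return {"service": m.group(1), "user": user, "guess": guess,
            "problems": problems}

def scan(lines):
    """Findings for every pam_selinux context error with a damaged context."""
    return [r for r in map(check_line, lines) if r and r["problems"]]

# Constructed sample lines modelled on the messages quoted in the thread.
SAMPLE = [PREFIX + "\u20ac\u2021\\ialuser_u:sysadm_r:sysadm_t.",
          PREFIX + "specialuser_u:sysadm_r:sysadm_t:s0.",
          "sshd[103]: Accepted publickey for operator from 192.0.2.10"]
```

Calling `scan(SAMPLE)` returns one finding, for the first line, with `specialuser_u` as the guessed user; the second line has an intact context and is not reported by this check.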