Rawhide: selinux: "Unable to get valid context for <username>"
Daniel J Walsh
dwalsh at redhat.com
Mon Jun 20 11:05:17 UTC 2011
On 06/19/2011 12:59 PM, Richard W.M. Jones wrote:
> On Sun, Jun 19, 2011 at 06:42:34PM +0200, Jim Meyering wrote:
>> Richard W.M. Jones wrote:
>>> Anyone seeing this error? Unless I boot with enforcing=0, I see
>>> this error when I try to log in as any user:
>>>
>>> Unable to get valid context for <username>
>>>
>>> It seems like it's just started happening, since I upgraded something
>>> within the last 1-2 weeks.
>>
>> Hi Rich,
>>
>> I'm using 3.0-0.rc3.git5.1.fc16.x86_64 in enforcing mode (of course ;-)
>> and don't see any problem when logging in via ssh:
>>
>> h$ ssh r date
>> Sun Jun 19 18:34:32 CEST 2011
>> h$ ssh r
>> Last login: Sun Jun 19 18:33:11 2011 from 192.168.122.1
>> r$ :
>>
>> Everything is up to date, at least wrt whatever mirror I'm using.
>> My shell on that system is zsh; but I got the same result when
>> temporarily switching it to bash.
>
> I was still seeing it, even after just updating everything and
> rebooting the VM:
>
> $ ssh 192.168.122.151
> Unable to get valid context for rjones
> Last login: Sun Jun 19 17:46:29 2011 from 192.168.122.1
> Connection to 192.168.122.151 closed.
>
> However I then touched /.autorelabel using guestfish:
>
> # guestfish -i --rw -d FedoraRawhidex64 touch /.autorelabel
>
> (it turns out I've written about this before, but had forgotten, see
> https://rwmj.wordpress.com/2010/01/06/tip-autorelabel-a-vm/).
>
> And that fixed it! However I don't know why ...
>
> Rich.
>
If a login program says "Unable to get valid context for <username>" it
almost certainly means the login program is running with the wrong
context. The login program asks SELinux what is the context to assign
to <username> when it logs in.
This means sshd should ask what context should sshd_t login dwalsh. But
if sshd is running with the wrong context (almost assuredly caused by a
labeling problem), the kernel/libselinux will return an error, and the
login program will ask the user.
For example, sshd running as initrc_t or kernel_t would get an error.
Usually a relabel will clean up the error. If you see this and can get
a login shell, run "ps -eZ | grep sshd" to see what context the login
program is running as.
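The check suggested at the end of the message, as an added example that is not part of the original post: a shell function that reads `ps -eZ` output and reports any sshd process whose domain is not sshd_t. The name `check_domain`, its exit codes and the sample process listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. check_domain and the SAMPLE_* listings
# are constructed for illustration.
# Reads `ps -eZ` output (LABEL PID TTY TIME CMD) on stdin and reports every
# process named $1 whose SELinux type (third field of the label) is not $2.
# Exit status: 0 = all in expected domain, 1 = mismatch, 2 = process not found.
check_domain() {
    awk -v proc="$1" -v want="$2" '
        $NF == proc {
            seen++
            n = split($1, ctx, ":")          # user:role:type:level
            dom = (n >= 3) ? ctx[3] : "(none)"
            if (dom != want) {
                bad++
                printf "MISLABELED pid=%s cmd=%s domain=%s expected=%s\n", $2, proc, dom, want
            }
        }
        END {
            if (!seen) { print "NOTFOUND " proc; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed listing: sshd confined in sshd_t, as on a correctly labeled system.
SAMPLE_GOOD='LABEL                              PID TTY      TIME CMD
system_u:system_r:init_t:s0          1 ?    00:00:01 init
system_u:system_r:sshd_t:s0-s0:c0.c1023 1021 ? 00:00:00 sshd'

# Constructed listing: sshd started in initrc_t, the failure case described above.
SAMPLE_BAD='LABEL                              PID TTY      TIME CMD
system_u:system_r:init_t:s0          1 ?    00:00:01 init
system_u:system_r:initrc_t:s0     1021 ?    00:00:00 sshd'

printf '%s\n' "$SAMPLE_GOOD" | check_domain sshd sshd_t || echo "status=$?"
printf '%s\n' "$SAMPLE_BAD"  | check_domain sshd sshd_t || echo "status=$?"
# On a live system: ps -eZ | check_domain sshd sshd_t
```

A mismatch reported here points to the labeling problem described in the message, which in this thread was cleared by touching /.autorelabel and rebooting.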