Rawhide: selinux: "Unable to get valid context for <username>"

Daniel J Walsh dwalsh at redhat.com
Mon Jun 20 11:05:17 UTC 2011



On 06/19/2011 12:59 PM, Richard W.M. Jones wrote:
> On Sun, Jun 19, 2011 at 06:42:34PM +0200, Jim Meyering wrote:
>> Richard W.M. Jones wrote:
>>> Anyone seeing this error?  Unless I boot with enforcing=0, I see
>>> this error when I try to log in as any user:
>>>
>>>   Unable to get valid context for <username>
>>>
>>> It seems like it's just started happening, since I upgraded something
>>> within the last 1-2 weeks.
>>
>> Hi Rich,
>>
>> I'm using 3.0-0.rc3.git5.1.fc16.x86_64 in enforcing mode (of course ;-)
>> and don't see any problem when logging in via ssh:
>>
>>     h$ ssh r date
>>     Sun Jun 19 18:34:32 CEST 2011
>>     h$ ssh r
>>     Last login: Sun Jun 19 18:33:11 2011 from 192.168.122.1
>>     r$                                                                          :
>>
>> Everything is up to date, at least wrt whatever mirror I'm using.
>> My shell on that system is zsh;  but I got the same result when
>> temporarily switching it to bash.
> 
> I was still seeing it, even after just updating everything and
> rebooting the VM:
> 
> $ ssh 192.168.122.151
> Unable to get valid context for rjones
> Last login: Sun Jun 19 17:46:29 2011 from 192.168.122.1
> Connection to 192.168.122.151 closed.
> 
> However I then touched /.autorelabel using guestfish:
> 
> # guestfish -i --rw -d FedoraRawhidex64 touch /.autorelabel
> 
> (it turns out I've written about this before, but had forgotten, see
> https://rwmj.wordpress.com/2010/01/06/tip-autorelabel-a-vm/).
> 
> And that fixed it!  However I don't know why ...
> 
> Rich.
> 


If a login program says "Unable to get valid context for <username>" it
almost certainly means the login program is running with the wrong
context.  The login program asks SELinux what is the context to assign
to <username> when it logs in.

This means sshd should ask what context sshd_t should log in dwalsh with.
But if sshd is running with the wrong context (almost assuredly caused by a
labeling problem), the kernel/libselinux will return an error, and the
login program will ask the user.

For example, sshd running as initrc_t or kernel_t would get an error.
Usually a relabel will clean up the error.  If you see this and can get
a login shell, run "ps -eZ | grep sshd" to see what context the login
program is running as.
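The "ps -eZ | grep sshd" check from the reply above, written out as an added example that is not part of the original message: it reads `ps -eZ` output and reports the SELinux type each sshd process runs as. The function names, the "review" and "unlabeled" verdicts, and the sample lines are assumptions made for this example; sshd_t, initrc_t and kernel_t are the types named in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): classify sshd's SELinux domain from `ps -eZ`.

# classify_sshd_domains: read `ps -eZ` output on stdin and print
# "<verdict> <pid> <type>" for every process whose command is sshd.
#   expected   - type is sshd_t, the domain the reply expects sshd to run in
#   mislabeled - type is initrc_t or kernel_t, the reply's examples of a wrong context
#   unlabeled  - no context shown (for instance SELinux disabled)
#   review     - any other type; not covered by the reply, inspect by hand
classify_sshd_domains() {
    awk '
        $NF == "sshd" {
            # A context is user:role:type[:level]; the type is the third field.
            n = split($1, ctx, ":")
            type = (n >= 3) ? ctx[3] : ""
            if (type == "sshd_t") verdict = "expected"
            else if (type == "initrc_t" || type == "kernel_t") verdict = "mislabeled"
            else if (type == "") verdict = "unlabeled"
            else verdict = "review"
            print verdict, $2, (type == "" ? "-" : type)
        }'
}

# has_mislabeled_sshd: exit status 0 if any sshd process is in a known-wrong domain.
has_mislabeled_sshd() {
    classify_sshd_domains | grep -q '^mislabeled '
}

# Constructed samples of `ps -eZ` output (not captured from a real system).
SAMPLE_GOOD='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ?  00:00:00 sshd'
SAMPLE_BAD='LABEL                             PID TTY          TIME CMD
system_u:system_r:kernel_t:s0       1 ?        00:00:01 systemd
system_u:system_r:initrc_t:s0     812 ?        00:00:00 sshd'

# Demonstration on the constructed bad sample; on a live system use:
#   ps -eZ | classify_sshd_domains
printf '%s\n' "$SAMPLE_BAD" | classify_sshd_domains
```
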

