error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

Daniel J Walsh dwalsh at redhat.com
Fri Oct 1 12:47:42 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/01/2010 03:52 AM, Matthias Imsand wrote:
> 
> On 09/30/2010 08:24 PM, Daniel J Walsh wrote:
>> On 09/30/2010 10:18 AM, imsand at puzzle.ch wrote:
>>> another interesting thing is the following:
>>> (seen with the debug option in pam_selinux)
> 
>>> assuming that the linux user is mat and the corresponding selinux user is
>>> mat_u. during ssh login this happens:
> 
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Username=
>>> mat SELinux User = mat_u Level= (null)
>>> Sep 30 16:09:49 testsrv  sshd[4328]: pam_selinux(sshd:session): set mat
>>> security context to mat_u:staff_r:staff_t
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat key
>>> creation context to mat_u:staff_r:staff_t
> 
>>> As we can see, the user mapping works as desired and the new chosen
>>> context should be all right => mat_u:staff_r:staff_t.
> 
>>> But then, when I do an id -Z after successful login, the shell's context
>>> is context=user_u:user_r:user_t.
> 
>>> Very strange....
> 
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
>> You got me.  If you create the mat_u user and login does the pam_selinux
>> session look different?
> 
>> Why don't you ask on the upstream selinux list.  More sles experience is
>> probably there that is not monitoring this list.
>>  <selinux at tycho.nsa.gov>
> 
> no, with mat_u it looks similar.
> Username= mat_u SELinux User = mat_u Level= (null)
> 
> Do you know which library / process is responsible for actually changing
> the context to mat_u:staff_r:staff_t? Or should it be done directly by
> the pam_selinux.so?
> 
> Yes, thank you for the recommendation. I will ask on that list as well.

These functions are all called in pam_selinux including

 getseuserbyname(const char *linuxuser, char **seuser, char **level);

And setexeccon.

One thing of note is the default user is user_u which seems to be what
you are seeing.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyl2G4ACgkQrlYvE4MpobPO9QCdGZipXjq6Hj0ZYgmr0lulFdKF
LOMAnjzdeKvNgbewJ+3G8gh6TAFjrhp2
=4C/A
-----END PGP SIGNATURE-----
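Dan's reply points at getseuserbyname() and at user_u being the default SELinux user. The block below is an added illustration, not code from this thread or from pam_selinux/libselinux: it models the lookup that getseuserbyname() performs against the seusers table (exact Linux-user match first, then the `__default__` entry) so you can see whether a login really resolved through its own mapping or silently fell back to user_u. The table contents, the user names and the function names `lookup_seuser` and `check_mapping` are all constructed for the example; the real library reads `/etc/selinux/<policytype>/seusers` and takes no table argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of an seusers table (made up for this example; it is
 * not the poster's configuration). On a real host the file lives at
 * /etc/selinux/<policytype>/seusers. */
static const char SAMPLE_SEUSERS[] =
    "# linuxuser:seuser[:mls_range]\n"
    "system_u:system_u:s0-s0:c0.c1023\n"
    "root:unconfined_u:s0-s0:c0.c1023\n"
    "mat:mat_u\n"
    "__default__:user_u:s0\n";

/* strdup replacement so the example builds under strict ISO C. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/*
 * Model of the lookup behind libselinux getseuserbyname(): first an exact
 * match on the Linux user name, then the "__default__" entry.
 * Returns 0 when an explicit entry matched, 1 when only the __default__
 * mapping applied, -1 when nothing matched or allocation failed.
 * On success *seuser is malloc'd; *level is malloc'd, or NULL when the entry
 * carries no MLS range (which is what pam_selinux prints as "Level= (null)").
 */
static int lookup_seuser(const char *table, const char *linuxuser,
                         char **seuser, char **level)
{
    const char *want[2] = { linuxuser, "__default__" };

    for (int pass = 0; pass < 2; pass++) {
        const char *p = table;
        while (*p) {
            char line[256];
            const char *start = p;
            const char *eol = strchr(p, '\n');
            size_t len = eol ? (size_t)(eol - p) : strlen(p);
            p = eol ? eol + 1 : p + len;
            if (len == 0 || len >= sizeof line || start[0] == '#')
                continue;                      /* blank, oversized or comment */
            memcpy(line, start, len);
            line[len] = '\0';

            char *sep1 = strchr(line, ':');
            if (!sep1) continue;               /* malformed line: ignore */
            *sep1 = '\0';
            if (strcmp(line, want[pass]) != 0) continue;

            char *sep2 = strchr(sep1 + 1, ':');  /* range may contain ':' */
            if (sep2) *sep2 = '\0';
            *seuser = dup_str(sep1 + 1);
            *level = sep2 ? dup_str(sep2 + 1) : NULL;
            if (!*seuser || (sep2 && !*level)) {
                free(*seuser); free(*level);
                return -1;
            }
            return pass;
        }
    }
    return -1;
}

/* Returns 1 when `user` resolves to the expected seuser, level and source
 * (0 = explicit entry, 1 = __default__, -1 = no mapping). */
static int check_mapping(const char *table, const char *user,
                         const char *want_seuser, const char *want_level,
                         int want_source)
{
    char *su = NULL, *lv = NULL;
    int src = lookup_seuser(table, user, &su, &lv);
    int ok = src == want_source
          && (src < 0 || strcmp(su, want_seuser) == 0)
          && (src < 0 || (want_level == NULL
                            ? lv == NULL
                            : (lv != NULL && strcmp(lv, want_level) == 0)));
    free(su); free(lv);
    return ok;
}

int main(void)
{
    const char *users[] = { "mat", "root", "alice" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        char *su = NULL, *lv = NULL;
        int src = lookup_seuser(SAMPLE_SEUSERS, users[i], &su, &lv);
        if (src < 0) { printf("%s: no mapping\n", users[i]); continue; }
        printf("%s -> %s level=%s (%s)\n", users[i], su, lv ? lv : "(null)",
               src == 0 ? "explicit entry" : "__default__ fallback");
        free(su); free(lv);
    }
    return 0;
}
```

The source value is the diagnostic the pam_selinux debug line does not give you: a login that prints `SELinux User = user_u` usually means the lookup reached `__default__`, so the entry for that Linux user is missing or misspelled in the seusers table of the policy that is actually loaded. Comparing that with the mapping shown by `semanage login -l` on the host is the quickest way to tell the two cases apart.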

