error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

Paul Howarth paul at city-fan.org
Tue Sep 28 08:51:08 UTC 2010


On 28/09/10 08:24, imsand at puzzle.ch wrote:
> Hello
>
> I get the following error when I try to log in through ssh (even if
> selinux is in permissive mode!!!):
>
> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted
> keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2
> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400
> audit(1285657292.298:286): avc:  denied  { audit_control } for  pid=12614
> comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t
> tcontext=system_u:system_r:sysadm_t tclass=capability
> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error:
> ssh_selinux_getctxbyname: Failed to get default SELinux security context
> for mat
> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
> ssh_selinux_getctxbyname: Failed to get default SELinux security context
> for mat
> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: ssh_selinux_setup_pty:
> security_compute_relabel: Invalid argument
>
> I already went through this post:
> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml but I
> can't figure out the exact problem.
>
> Here is what I've done so far:
> - Downloaded the latest reference policy from tresys:
> http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
> - Compiled and installed it on my sles 11.1
> - set selinux into permissive mode: (so far so good.. :))
> sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        refpolicy
> - Add selinux user "mat_u": semanage user -R "staff_r system_r" -P user -a
> mat_u
> - Add linux user "mat": useradd mat
> - Set password for "mat": passwd mat
> - User mapping: semanage login -s mat_u -a mat
> - add security context for "mat_u" by copying staff_u's context (don't
> know if that's needed??!): cp /etc/selinux/refpolicy/contexts/user/staff_u
> /etc/selinux/refpolicy/contexts/user/mat_u
> - set boolean for sysadm ssh login to true (don't know if that's needed?!):
> setsebool ssh_sysadm_login on
>
> In other posts I've read something about sepermit.conf and namespace.conf
> but these files don't exist on my system. What about these files? Do I
> need them?
> What's wrong on my system?
> Why is it not possible to log in even if selinux is in permissive mode?
> Any suggestions?

I'd start by trying to figure out why sshd isn't running in sshd_t (it 
seems to be running in sysadm_t).

Paul.
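
The check suggested in the reply above, as an added example that is not part of the original thread: it parses AVC denial lines and reports daemons whose source context (`scontext`) is not in the domain expected for that command. The `EXPECTED_DOMAIN` table, the function names and the second sample log line are assumptions constructed for illustration; the first sample line is the denial quoted in the report.

```python
import re

# Assumption for this example: the domain each daemon is expected to run in.
EXPECTED_DOMAIN = {"sshd": "sshd_t"}

# First entry: the AVC denial from the report above, joined onto one line.
SAMPLE_LOG = (
    'Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400 '
    'audit(1285657292.298:286): avc:  denied  { audit_control } for  pid=12614 '
    'comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t '
    'tcontext=system_u:system_r:sysadm_t tclass=capability\n'
    # Constructed line: the same daemon as it would appear in its own domain.
    'type=1400 audit(1285657300.000:290): avc:  denied  { read } for  pid=12700 '
    'comm="sshd" name="motd" scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the fields in one AVC denial line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(context):
    """The third field of user:role:type[:level] is the domain/type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def misplaced_daemons(log_text, expected=EXPECTED_DOMAIN):
    """Return (comm, pid, actual_domain, expected_domain) for wrong-domain daemons."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("comm") not in expected:
            continue
        actual = context_type(rec.get("scontext", ""))
        if actual != expected[rec["comm"]]:
            findings.append((rec["comm"], rec.get("pid"), actual, expected[rec["comm"]]))
    return findings

if __name__ == "__main__":
    for comm, pid, actual, want in misplaced_daemons(SAMPLE_LOG):
        print(f"{comm} (pid {pid}) runs in {actual}, expected {want}")
```

On a live system the same comparison can be made against the process table with `ps -eZ`, which prints each process's current context.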