error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

Tue Sep 28 11:56:13 UTC 2010

> On 28/09/10 08:24, imsand at puzzle.ch wrote:
>> Hello
>>
>> I get the following error when I try to log in through ssh (even if
>> selinux is in permissive mode!!!):
>>
>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted
>> keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2
>> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400
>> audit(1285657292.298:286): avc:  denied  { audit_control } for
>> pid=12614
>> comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t
>> tcontext=system_u:system_r:sysadm_t tclass=capability
>> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error:
>> ssh_selinux_getctxbyname: Failed to get default SELinux security context
>> for mat
>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
>> ssh_selinux_getctxbyname: Failed to get default SELinux security context
>> for mat
>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
>> ssh_selinux_setup_pty:
>> security_compute_relabel: Invalid argument
>>
>> I already went through this post:
>> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml but I
>> can't figure out the exact problem.
>>
>> Here is what I've done so far:
>> - Downloaded the latest reference policy from tresys:
>> http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
>> - Compiled and installed it on my sles 11.1
>> - set selinux into permissive mode: (so far so good.. :))
>> sestatus
>> SELinux status:                 enabled
>> SELinuxfs mount:                /selinux
>> Current mode:                   permissive
>> Mode from config file:          permissive
>> Policy version:                 24
>> Policy from config file:        refpolicy
>> - Add selinux user "mat_u": semanage user -R "staff_r system_r" -P user
>> -a
>> mat_u
>> - Add linux user " mat": useradd mat
>> - Set password for "mat": passwd mat
>> - User mapping: semanage login -s mat_u -a mat
>> - add security context for "mat_u" by copying staff_u's context (don't
>> know if that's needed??!): cp
>> /etc/selinux/refpolicy/contexts/user/staff_u
>> /etc/selinux/refpolicy/contexts/user/mat_u
>> - set boolean for sysadm ssh login to true (don't know if thats
>> needed?!):
>> setsebool ssh_sysadm_login on
>>
>> In other posts I've read something about sepermit.conf and
>> namespace.conf
>> but these files don't exist on my system. What about these files? Do I
>> need them?
>> What's wrong on my system?
>> Why it's not possible to login even if selinux is in permissive mode?
>> Any suggestions?
>
> I'd start by trying to figure out why sshd isn't running in sshd_t (it
> seems to be running in sysadm_t).
>
> Paul.
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

Yes, sshd is running in sysadm_t:

# ps axZ | grep sshd
system_u:system_r:sysadm_t       3632 ?        Ss     0:00 /usr/sbin/sshd
-o PidFile=/var/run/sshd.init.pi

# ls -Z /usr/sbin/sshd
system_u:object_r:sshd_exec_t /usr/sbin/sshd

Don't know why it's not sshd_t. I didn't modified something. It's a
standard installation of sles11 with the default reference policy from
tresys.

Maybe this code snippet from policy/modules/services/ssh.te is responsible
for that:
## <desc>
## <p>
## Allow ssh logins as sysadm_r:sysadm_t
## </p>
## </desc>
gen_tunable(ssh_sysadm_login, true)

Any ideas?