error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

Daniel J Walsh dwalsh at redhat.com
Tue Sep 28 14:08:47 UTC 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/28/2010 09:51 AM, imsand at puzzle.ch wrote:
>> On Tue, Sep 28, 2010 at 01:56:13PM +0200, imsand at puzzle.ch wrote:
>>>> On 28/09/10 08:24, imsand at puzzle.ch wrote:
>>>>> Hello
>>>>>
>>>>> I get the following error when I try to log in through ssh (even if
>>>>> selinux is in permissive mode!!!):
>>>>>
>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted
>>>>> keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2
>>>>> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750]
>>> type=1400
>>>>> audit(1285657292.298:286): avc:  denied  { audit_control } for
>>>>> pid=12614
>>>>> comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t
>>>>> tcontext=system_u:system_r:sysadm_t tclass=capability
>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error:
>>>>> ssh_selinux_getctxbyname: Failed to get default SELinux security
>>> context
>>>>> for mat
>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
>>>>> ssh_selinux_getctxbyname: Failed to get default SELinux security
>>> context
>>>>> for mat
>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
>>>>> ssh_selinux_setup_pty:
>>>>> security_compute_relabel: Invalid argument
>>>>>
>>>>> I already went through this post:
>>>>> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml but
>>> I
>>>>> can't figure out the exact problem.
>>>>>
>>>>> Here is what I've done so far:
>>>>> - Downloaded the latest reference policy from tresys:
>>>>> http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
>>>>> - Compiled and installed it on my sles 11.1
>>>>> - set selinux into permissive mode: (so far so good.. :))
>>>>> sestatus
>>>>> SELinux status:                 enabled
>>>>> SELinuxfs mount:                /selinux
>>>>> Current mode:                   permissive
>>>>> Mode from config file:          permissive
>>>>> Policy version:                 24
>>>>> Policy from config file:        refpolicy
>>>>> - Add selinux user "mat_u": semanage user -R "staff_r system_r" -P
>>> user
>>>>> -a
>>>>> mat_u
>>>>> - Add linux user " mat": useradd mat
>>>>> - Set password for "mat": passwd mat
>>>>> - User mapping: semanage login -s mat_u -a mat
>>>>> - add security context for "mat_u" by copying staff_u's context
>>> (don't
>>>>> know if that's needed??!): cp
>>>>> /etc/selinux/refpolicy/contexts/user/staff_u
>>>>> /etc/selinux/refpolicy/contexts/user/mat_u
>>>>> - set boolean for sysadm ssh login to true (don't know if thats
>>>>> needed?!):
>>>>> setsebool ssh_sysadm_login on
>>>>>
>>>>> In other posts I've read something about sepermit.conf and
>>>>> namespace.conf
>>>>> but these files don't exist on my system. What about these files? Do
>>> I
>>>>> need them?
>>>>> What's wrong on my system?
>>>>> Why it's not possible to login even if selinux is in permissive mode?
>>>>> Any suggestions?
>>>>
>>>> I'd start by trying to figure out why sshd isn't running in sshd_t (it
>>>> seems to be running in sysadm_t).
>>>>
>>>> Paul.
>>>> --
>>>> selinux mailing list
>>>> selinux at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>
>>> Yes, sshd is running in sysadm_t:
>>>
>>> # ps axZ | grep sshd
>>> system_u:system_r:sysadm_t       3632 ?        Ss     0:00
>>> /usr/sbin/sshd
>>> -o PidFile=/var/run/sshd.init.pi
>>>
>>> # ls -Z /usr/sbin/sshd
>>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>>
>>> Don't know why it's not sshd_t. I didn't modified something. It's a
>>> standard installation of sles11 with the default reference policy from
>>> tresys.
>>>
>>> Maybe this code snippet from policy/modules/services/ssh.te is
>>> responsible
>>> for that:
>>> ## <desc>
>>> ## <p>
>>> ## Allow ssh logins as sysadm_r:sysadm_t
>>> ## </p>
>>> ## </desc>
>>> gen_tunable(ssh_sysadm_login, true)
>>>
>>> Any ideas?
>>
>> Do you have boolean init_upstart set to on? if not try setting it to on.
>> I do not believe ssh_sysadm_login boolean works currently but i may be
>> mistaken.
>>>
>>> --
> Yeah, setting init_upstart to on did the trick! THANK A LOT!
> Do you know why this prevents the user from logging in through ssh even if
> selinux is set to permissive??
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Probably a bug in pam_selinux or sshd if it does not use pam_selinux.
Something is not respecting the permissive mode flag.  Of course you are
asking about sles on the Fedora mailing list.. :^)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyh9u8ACgkQrlYvE4MpobNEKgCeKGEKvOQnlaCtksejbo4C5ekt
8vQAnRZ7xvDtK02Vh5PH7r0HtAw/TgfG
=svkR
-----END PGP SIGNATURE-----

More information about the selinux mailing list