error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

imsand at puzzle.ch imsand at puzzle.ch
Wed Sep 29 07:26:26 UTC 2010 

> On Tue, Sep 28, 2010 at 03:51:11PM +0200, imsand at puzzle.ch wrote:
>> > On Tue, Sep 28, 2010 at 01:56:13PM +0200, imsand at puzzle.ch wrote:
>> >> > On 28/09/10 08:24, imsand at puzzle.ch wrote:
>> >> >> Hello
>> >> >>
>> >> >> I get the following error when I try to log in through ssh (even
>> if
>> >> >> selinux is in permissive mode!!!):
>> >> >>
>> >> >> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted
>> >> >> keyboard-interactive/pam for mat from 131.102.233.127 port 58912
>> ssh2
>> >> >> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750]
>> >> type=1400
>> >> >> audit(1285657292.298:286): avc:  denied  { audit_control } for
>> >> >> pid=12614
>> >> >> comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t
>> >> >> tcontext=system_u:system_r:sysadm_t tclass=capability
>> >> >> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error:
>> >> >> ssh_selinux_getctxbyname: Failed to get default SELinux security
>> >> context
>> >> >> for mat
>> >> >> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
>> >> >> ssh_selinux_getctxbyname: Failed to get default SELinux security
>> >> context
>> >> >> for mat
>> >> >> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
>> >> >> ssh_selinux_setup_pty:
>> >> >> security_compute_relabel: Invalid argument
>> >> >>
>> >> >> I already went through this post:
>> >> >> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml
>> but
>> >> I
>> >> >> can't figure out the exact problem.
>> >> >>
>> >> >> Here is what I've done so far:
>> >> >> - Downloaded the latest reference policy from tresys:
>> >> >> http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
>> >> >> - Compiled and installed it on my sles 11.1
>> >> >> - set selinux into permissive mode: (so far so good.. :))
>> >> >> sestatus
>> >> >> SELinux status:                 enabled
>> >> >> SELinuxfs mount:                /selinux
>> >> >> Current mode:                   permissive
>> >> >> Mode from config file:          permissive
>> >> >> Policy version:                 24
>> >> >> Policy from config file:        refpolicy
>> >> >> - Add selinux user "mat_u": semanage user -R "staff_r system_r" -P
>> >> user
>> >> >> -a
>> >> >> mat_u
>> >> >> - Add linux user " mat": useradd mat
>> >> >> - Set password for "mat": passwd mat
>> >> >> - User mapping: semanage login -s mat_u -a mat
>> >> >> - add security context for "mat_u" by copying staff_u's context
>> >> (don't
>> >> >> know if that's needed??!): cp
>> >> >> /etc/selinux/refpolicy/contexts/user/staff_u
>> >> >> /etc/selinux/refpolicy/contexts/user/mat_u
>> >> >> - set boolean for sysadm ssh login to true (don't know if thats
>> >> >> needed?!):
>> >> >> setsebool ssh_sysadm_login on
>> >> >>
>> >> >> In other posts I've read something about sepermit.conf and
>> >> >> namespace.conf
>> >> >> but these files don't exist on my system. What about these files?
>> Do
>> >> I
>> >> >> need them?
>> >> >> What's wrong on my system?
>> >> >> Why it's not possible to login even if selinux is in permissive
>> mode?
>> >> >> Any suggestions?
>> >> >
>> >> > I'd start by trying to figure out why sshd isn't running in sshd_t
>> (it
>> >> > seems to be running in sysadm_t).
>> >> >
>> >> > Paul.
>> >> > --
>> >> > selinux mailing list
>> >> > selinux at lists.fedoraproject.org
>> >> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>> >> >
>> >>
>> >> Yes, sshd is running in sysadm_t:
>> >>
>> >> # ps axZ | grep sshd
>> >> system_u:system_r:sysadm_t       3632 ?        Ss     0:00
>> >> /usr/sbin/sshd
>> >> -o PidFile=/var/run/sshd.init.pi
>> >>
>> >> # ls -Z /usr/sbin/sshd
>> >> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>> >>
>> >> Don't know why it's not sshd_t. I didn't modified something. It's a
>> >> standard installation of sles11 with the default reference policy
>> from
>> >> tresys.
>> >>
>> >> Maybe this code snippet from policy/modules/services/ssh.te is
>> >> responsible
>> >> for that:
>> >> ## <desc>
>> >> ## <p>
>> >> ## Allow ssh logins as sysadm_r:sysadm_t
>> >> ## </p>
>> >> ## </desc>
>> >> gen_tunable(ssh_sysadm_login, true)
>> >>
>> >> Any ideas?
>> >
>> > Do you have boolean init_upstart set to on? if not try setting it to
>> on.
>> > I do not believe ssh_sysadm_login boolean works currently but i may be
>> > mistaken.
>
> ssh_sysadm_login DOES actually work you just need to specify your role on
> login...
>
I suppose to edit /etc/selinux/refpolicy/src/policy/config/local.users for
doing so!? I added "user mat roles { sysadm_r };" rebuild & load the
policy. But after login the the context is still "user_u:user_r:user_t".
the user should be able to change the role to sysadm_r:
----
semanage user -l
SELinux User    SELinux Roles
mat_u           staff_r sysadm_r
----
Doing it explicitly does not work either:
----
newrole -r staff_r
user_u:staff_r:staff_t is not a valid context
----
Don't know why. Restricted by a special policy?

More information about the selinux mailing list