error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

Paul Howarth paul at city-fan.org
Wed Sep 29 09:45:38 UTC 2010


On 28/09/10 16:10, imsand at puzzle.ch wrote:
>> On 28/09/10 15:08, Daniel J Walsh wrote:
>>>>>>>> What's wrong on my system?
>>>>>>>> Why is it not possible to log in even if SELinux is in permissive
>>>>>>>> mode?
>>>>>>>> Any suggestions?
>>>>>>>
>>>>>>> I'd start by trying to figure out why sshd isn't running in sshd_t
>>>>>>> (it seems to be running in sysadm_t).
>>>>>>>
>>>>>>> Paul.
>>>>>>>
>>>>>>
>>>>>> Yes, sshd is running in sysadm_t:
>>>>>>
>>>>>> # ps axZ | grep sshd
>>>>>> system_u:system_r:sysadm_t       3632 ?        Ss     0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi
>>>>>>
>>>>>> # ls -Z /usr/sbin/sshd
>>>>>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>>>>>
>>>>>> Don't know why it's not sshd_t. I didn't modify anything. It's a
>>>>>> standard installation of sles11 with the default reference policy
>>>>>> from tresys.
>>>>>>
>>>>>> Maybe this code snippet from policy/modules/services/ssh.te is
>>>>>> responsible for that:
>>>>>> ##<desc>
>>>>>> ##<p>
>>>>>> ## Allow ssh logins as sysadm_r:sysadm_t
>>>>>> ##</p>
>>>>>> ##</desc>
>>>>>> gen_tunable(ssh_sysadm_login, true)
>>>>>>
>>>>>> Any ideas?
>>>>>
>>>>> Do you have boolean init_upstart set to on? If not, try setting it to
>>>>> on.
>>>>> I do not believe ssh_sysadm_login boolean works currently but I may be
>>>>> mistaken.
>>>>
>>>> Yeah, setting init_upstart to on did the trick! THANKS A LOT!
>>>> Do you know why this prevents the user from logging in through ssh even
>>>> if selinux is set to permissive??
>>>>
>>> Probably a bug in pam_selinux or sshd if it does not use pam_selinux.
>>> Something is not respecting the permissive mode flag.  Of course you are
>>> asking about sles on the Fedora mailing list.. :^)
>>
>> You'd see the same problem in Fedora if sshd wasn't running in sshd_t.
>> The SSH server tries to compute the correct context for the session,
>> fails, and bails out even in permissive mode. I saw this happen in the
>> curl test suite, where we start an SSH server and try connecting to it.
>>
>> Paul.
>>
> After setting init_upstart = on sshd runs in sshd_t.
> Do you know why? Can't sshd do a domain transition if init_upstart is
> disabled?

There's more on this here:

https://bugzilla.novell.com/show_bug.cgi?id=582399

Paul.
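
A check for the condition diagnosed in this thread, as an added example that is not part of the original messages: it reads `ps axZ` output on stdin and reports every sshd process whose SELinux type is not `sshd_t`. The function names are hypothetical and the sample lines are constructed (the first is modeled on the output quoted above).

```shell
#!/bin/sh
# Added example, not from the thread. Flags sshd processes that are running
# outside the expected SELinux domain, the state that produced
# "ssh_selinux_getctxbyname: Failed to get default SELinux security context".

# Reads `ps axZ` lines (LABEL PID TTY STAT TIME COMMAND...) on stdin.
# Prints "<pid> <type>" for each sshd process whose type differs from $1
# (default: sshd_t). Prints "<pid> -" when the label has no type field.
check_sshd_domain() {
    expected=${1:-sshd_t}
    awk -v want="$expected" '
        # Only the COMMAND column (field 6) is tested, so "grep sshd" and
        # other commands that merely mention sshd in their arguments are
        # ignored. "sshd:" covers per-session children ("sshd: user [priv]").
        $6 ~ /(^|\/)sshd:?$/ {
            # Context is user:role:type[:mls-range]; the type is field 3.
            n = split($1, ctx, ":")
            type = (n >= 3) ? ctx[3] : "-"
            if (type != want) print $2, type
        }'
}

# Constructed sample input for offline runs.
sample_ps() {
    cat <<'EOF'
system_u:system_r:sysadm_t       3632 ?        Ss     0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi
system_u:system_r:sshd_t:s0-s0:c0.c1023 4101 ? Ss     0:00 /usr/sbin/sshd
system_u:system_r:sysadm_t       3700 pts/0    S+     0:00 grep sshd
EOF
}

# Demonstration on the sample; on a live host use: ps axZ | check_sshd_domain
sample_ps | check_sshd_domain
```

Any output means sshd did not transition into `sshd_t`; on the system in this thread the fix was turning the `init_upstart` boolean on.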

