error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

Daniel J Walsh dwalsh at redhat.com
Wed Sep 29 12:27:15 UTC 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/29/2010 08:23 AM, Daniel J Walsh wrote:
> On 09/29/2010 03:26 AM, imsand at puzzle.ch wrote:
>>> On Tue, Sep 28, 2010 at 03:51:11PM +0200, imsand at puzzle.ch wrote:
>>>>> On Tue, Sep 28, 2010 at 01:56:13PM +0200, imsand at puzzle.ch wrote:
>>>>>>> On 28/09/10 08:24, imsand at puzzle.ch wrote:
>>>>>>>> Hello
>>>>>>>>
>>>>>>>> I get the following error when I try to log in through ssh (even
>>>> if
>>>>>>>> selinux is in permissive mode!!!):
>>>>>>>>
>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted
>>>>>>>> keyboard-interactive/pam for mat from 131.102.233.127 port 58912
>>>> ssh2
>>>>>>>> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750]
>>>>>> type=1400
>>>>>>>> audit(1285657292.298:286): avc:  denied  { audit_control } for
>>>>>>>> pid=12614
>>>>>>>> comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t
>>>>>>>> tcontext=system_u:system_r:sysadm_t tclass=capability
>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error:
>>>>>>>> ssh_selinux_getctxbyname: Failed to get default SELinux security
>>>>>> context
>>>>>>>> for mat
>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
>>>>>>>> ssh_selinux_getctxbyname: Failed to get default SELinux security
>>>>>> context
>>>>>>>> for mat
>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
>>>>>>>> ssh_selinux_setup_pty:
>>>>>>>> security_compute_relabel: Invalid argument
>>>>>>>>
>>>>>>>> I already went through this post:
>>>>>>>> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml
>>>> but
>>>>>> I
>>>>>>>> can't figure out the exact problem.
>>>>>>>>
>>>>>>>> Here is what I've done so far:
>>>>>>>> - Downloaded the latest reference policy from tresys:
>>>>>>>> http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
>>>>>>>> - Compiled and installed it on my sles 11.1
>>>>>>>> - set selinux into permissive mode: (so far so good.. :))
>>>>>>>> sestatus
>>>>>>>> SELinux status:                 enabled
>>>>>>>> SELinuxfs mount:                /selinux
>>>>>>>> Current mode:                   permissive
>>>>>>>> Mode from config file:          permissive
>>>>>>>> Policy version:                 24
>>>>>>>> Policy from config file:        refpolicy
>>>>>>>> - Add selinux user "mat_u": semanage user -R "staff_r system_r" -P
>>>>>> user
>>>>>>>> -a
>>>>>>>> mat_u
>>>>>>>> - Add linux user " mat": useradd mat
>>>>>>>> - Set password for "mat": passwd mat
>>>>>>>> - User mapping: semanage login -s mat_u -a mat
>>>>>>>> - add security context for "mat_u" by copying staff_u's context
>>>>>> (don't
>>>>>>>> know if that's needed??!): cp
>>>>>>>> /etc/selinux/refpolicy/contexts/user/staff_u
>>>>>>>> /etc/selinux/refpolicy/contexts/user/mat_u
>>>>>>>> - set boolean for sysadm ssh login to true (don't know if thats
>>>>>>>> needed?!):
>>>>>>>> setsebool ssh_sysadm_login on
>>>>>>>>
>>>>>>>> In other posts I've read something about sepermit.conf and
>>>>>>>> namespace.conf
>>>>>>>> but these files don't exist on my system. What about these files?
>>>> Do
>>>>>> I
>>>>>>>> need them?
>>>>>>>> What's wrong on my system?
>>>>>>>> Why it's not possible to login even if selinux is in permissive
>>>> mode?
>>>>>>>> Any suggestions?
>>>>>>>
>>>>>>> I'd start by trying to figure out why sshd isn't running in sshd_t
>>>> (it
>>>>>>> seems to be running in sysadm_t).
>>>>>>>
>>>>>>> Paul.
>>>>>>> --
>>>>>>> selinux mailing list
>>>>>>> selinux at lists.fedoraproject.org
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>>
>>>>>> Yes, sshd is running in sysadm_t:
>>>>>>
>>>>>> # ps axZ | grep sshd
>>>>>> system_u:system_r:sysadm_t       3632 ?        Ss     0:00
>>>>>> /usr/sbin/sshd
>>>>>> -o PidFile=/var/run/sshd.init.pi
>>>>>>
>>>>>> # ls -Z /usr/sbin/sshd
>>>>>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>>>>>
>>>>>> Don't know why it's not sshd_t. I didn't modified something. It's a
>>>>>> standard installation of sles11 with the default reference policy
>>>> from
>>>>>> tresys.
>>>>>>
>>>>>> Maybe this code snippet from policy/modules/services/ssh.te is
>>>>>> responsible
>>>>>> for that:
>>>>>> ## <desc>
>>>>>> ## <p>
>>>>>> ## Allow ssh logins as sysadm_r:sysadm_t
>>>>>> ## </p>
>>>>>> ## </desc>
>>>>>> gen_tunable(ssh_sysadm_login, true)
>>>>>>
>>>>>> Any ideas?
>>>>>
>>>>> Do you have boolean init_upstart set to on? if not try setting it to
>>>> on.
>>>>> I do not believe ssh_sysadm_login boolean works currently but i may be
>>>>> mistaken.
>>>
>>> ssh_sysadm_login DOES actually work you just need to specify your role on
>>> login...
>>>
>> I suppose to edit /etc/selinux/refpolicy/src/policy/config/local.users for
>> doing so!? I added "user mat roles { sysadm_r };" rebuild & load the
>> policy. But after login the the context is still "user_u:user_r:user_t".
>> the user should be able to change the role to sysadm_r:
>> ----
>> semanage user -l
>> SELinux User    SELinux Roles
>> mat_u           staff_r sysadm_r
>> ----
>> Doing it explicitly does not work either:
>> ----
>> newrole -r staff_r
>> user_u:staff_r:staff_t is not a valid context
>> ----
>> Don't know why. Restricted by a special policy?
> 
> 
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
> semanage login -l
> 
- --
selinux mailing list
selinux at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

What does

> selinuxdefcon mat system_u:system_r:sshd_t:s0

show
> selinuxdefcon dwalsh system_u:system_r:sshd_t:s0
staff_u:staff_r:staff_t:s0-s0:c0.c1023
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyjMKMACgkQrlYvE4MpobPOqwCgqMT76ST/5mCn80zp+DjoSHhM
5m0An1Ebg7xdgnqMmcoFff1Y+T3Hn5dm
=xAsY
-----END PGP SIGNATURE-----

More information about the selinux mailing list