error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

Wed Sep 29 12:53:29 UTC 2010

> On 28/09/10 16:10, imsand at puzzle.ch wrote:
>>> On 28/09/10 15:08, Daniel J Walsh wrote:
>>>>>>>>> What's wrong on my system?
>>>>>>>>> Why it's not possible to login even if selinux is in permissive
>>>>>>>>> mode?
>>>>>>>>> Any suggestions?
>>>>>>>>
>>>>>>>> I'd start by trying to figure out why sshd isn't running in sshd_t
>>>>>>>> (it
>>>>>>>> seems to be running in sysadm_t).
>>>>>>>>
>>>>>>>> Paul.
>>>>>>>>
>>>>>>>
>>>>>>> Yes, sshd is running in sysadm_t:
>>>>>>>
>>>>>>> # ps axZ | grep sshd
>>>>>>> system_u:system_r:sysadm_t       3632 ?        Ss     0:00
>>>>>>> /usr/sbin/sshd
>>>>>>> -o PidFile=/var/run/sshd.init.pi
>>>>>>>
>>>>>>> # ls -Z /usr/sbin/sshd
>>>>>>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>>>>>>
>>>>>>> Don't know why it's not sshd_t. I didn't modified something. It's a
>>>>>>> standard installation of sles11 with the default reference policy
>>>>>>> from
>>>>>>> tresys.
>>>>>>>
>>>>>>> Maybe this code snippet from policy/modules/services/ssh.te is
>>>>>>> responsible
>>>>>>> for that:
>>>>>>> ##<desc>
>>>>>>> ##<p>
>>>>>>> ## Allow ssh logins as sysadm_r:sysadm_t
>>>>>>> ##</p>
>>>>>>> ##</desc>
>>>>>>> gen_tunable(ssh_sysadm_login, true)
>>>>>>>
>>>>>>> Any ideas?
>>>>>>
>>>>>> Do you have boolean init_upstart set to on? if not try setting it to
>>>>>> on.
>>>>>> I do not believe ssh_sysadm_login boolean works currently but i may
>>>>>> be
>>>>>> mistaken.
>>>>>
>>>>> Yeah, setting init_upstart to on did the trick! THANK A LOT!
>>>>> Do you know why this prevents the user from logging in through ssh
>>>>> even
>>>>> if
>>>>> selinux is set to permissive??
>>>>>
>>>> Probably a bug in pam_selinux or sshd if it does not use pam_selinux.
>>>> Something is not respecting the permissive mode flag.  Of course you
>>>> are
>>>> asking about sles on the Fedora mailing list.. :^)
>>>
>>> You'd see the same problem in Fedora if sshd wasn't running in sshd_t.
>>> The SSH server tries to compute the correct context for the session,
>>> fails, and bails out even in permissive mode. I saw this happen in the
>>> curl test suite, where we start an SSH server and try connecting to it.
>>>
>>> Paul.
>>>
>> After setting init_upstart = on sshd runs in sshd_t.
>> Do you know why? Can't sshd do a domain transition if init_upstart is
>> disabled?
>
> There's more on this here:
>
> https://bugzilla.novell.com/show_bug.cgi?id=582399
>
> Paul.
> --
Thank you for the link. I rename "/etc/initscript" like described it the
report. now, sshing is working in both cases (init_upstart = on | off).
Thats fine.
But the role transition still not work.