error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

Daniel J Walsh dwalsh at redhat.com
Wed Sep 29 14:19:32 UTC 2010



On 09/29/2010 09:33 AM, imsand at puzzle.ch wrote:
>>
>> On 09/29/2010 08:23 AM, Daniel J Walsh wrote:
>>> On 09/29/2010 03:26 AM, imsand at puzzle.ch wrote:
>>>>> On Tue, Sep 28, 2010 at 03:51:11PM +0200, imsand at puzzle.ch wrote:
>>>>>>> On Tue, Sep 28, 2010 at 01:56:13PM +0200, imsand at puzzle.ch wrote:
>>>>>>>>> On 28/09/10 08:24, imsand at puzzle.ch wrote:
>>>>>>>>>> Hello
>>>>>>>>>>
>>>>>>>>>> I get the following error when I try to log in through ssh (even if
>>>>>>>>>> selinux is in permissive mode!!!):
>>>>>>>>>>
>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2
>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400 audit(1285657292.298:286): avc:  denied  { audit_control } for pid=12614 comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability
>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for mat
>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for mat
>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
>>>>>>>>>>
>>>>>>>>>> I already went through this post:
>>>>>>>>>> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml
>>>>>>>>>> but I can't figure out the exact problem.
>>>>>>>>>>
>>>>>>>>>> Here is what I've done so far:
>>>>>>>>>> - Downloaded the latest reference policy from tresys:
>>>>>>>>>> http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
>>>>>>>>>> - Compiled and installed it on my sles 11.1
>>>>>>>>>> - set selinux into permissive mode: (so far so good.. :))
>>>>>>>>>> sestatus
>>>>>>>>>> SELinux status:                 enabled
>>>>>>>>>> SELinuxfs mount:                /selinux
>>>>>>>>>> Current mode:                   permissive
>>>>>>>>>> Mode from config file:          permissive
>>>>>>>>>> Policy version:                 24
>>>>>>>>>> Policy from config file:        refpolicy
>>>>>>>>>> - Add selinux user "mat_u": semanage user -R "staff_r system_r" -P user -a mat_u
>>>>>>>>>> - Add linux user "mat": useradd mat
>>>>>>>>>> - Set password for "mat": passwd mat
>>>>>>>>>> - User mapping: semanage login -s mat_u -a mat
>>>>>>>>>> - add security context for "mat_u" by copying staff_u's context (don't
>>>>>>>>>> know if that's needed??!): cp /etc/selinux/refpolicy/contexts/user/staff_u
>>>>>>>>>> /etc/selinux/refpolicy/contexts/user/mat_u
>>>>>>>>>> - set boolean for sysadm ssh login to true (don't know if that's needed?!):
>>>>>>>>>> setsebool ssh_sysadm_login on
>>>>>>>>>>
>>>>>>>>>> In other posts I've read something about sepermit.conf and namespace.conf
>>>>>>>>>> but these files don't exist on my system. What about these files? Do I
>>>>>>>>>> need them?
>>>>>>>>>> What's wrong on my system?
>>>>>>>>>> Why is it not possible to log in even if selinux is in permissive mode?
>>>>>>>>>> Any suggestions?
>>>>>>>>>
>>>>>>>>> I'd start by trying to figure out why sshd isn't running in sshd_t (it
>>>>>>>>> seems to be running in sysadm_t).
>>>>>>>>>
>>>>>>>>> Paul.
>>>>>>>>> --
>>>>>>>>> selinux mailing list
>>>>>>>>> selinux at lists.fedoraproject.org
>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>>
>>>>>>>>
>>>>>>>> Yes, sshd is running in sysadm_t:
>>>>>>>>
>>>>>>>> # ps axZ | grep sshd
>>>>>>>> system_u:system_r:sysadm_t       3632 ?        Ss     0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi
>>>>>>>>
>>>>>>>> # ls -Z /usr/sbin/sshd
>>>>>>>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>>>>>>>
>>>>>>>> Don't know why it's not sshd_t. I didn't modify anything. It's a
>>>>>>>> standard installation of sles11 with the default reference policy from
>>>>>>>> tresys.
>>>>>>>>
>>>>>>>> Maybe this code snippet from policy/modules/services/ssh.te is responsible
>>>>>>>> for that:
>>>>>>>> ## <desc>
>>>>>>>> ## <p>
>>>>>>>> ## Allow ssh logins as sysadm_r:sysadm_t
>>>>>>>> ## </p>
>>>>>>>> ## </desc>
>>>>>>>> gen_tunable(ssh_sysadm_login, true)
>>>>>>>>
>>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Do you have boolean init_upstart set to on? If not, try setting it to on.
>>>>>>> I do not believe the ssh_sysadm_login boolean works currently, but I may be
>>>>>>> mistaken.
>>>>>
>>>>> ssh_sysadm_login DOES actually work; you just need to specify your role on
>>>>> login...
>>>>>
>>>> I suppose I should edit /etc/selinux/refpolicy/src/policy/config/local.users
>>>> for doing so!? I added "user mat roles { sysadm_r };", rebuilt & loaded the
>>>> policy. But after login the context is still "user_u:user_r:user_t".
>>>> the user should be able to change the role to sysadm_r:
>>>> ----
>>>> semanage user -l
>>>> SELinux User    SELinux Roles
>>>> mat_u           staff_r sysadm_r
>>>> ----
>>>> Doing it explicitly does not work either:
>>>> ----
>>>> newrole -r staff_r
>>>> user_u:staff_r:staff_t is not a valid context
>>>> ----
>>>> Don't know why. Restricted by a special policy?
>>>
>>>
>>>
>>>
>>> semanage login -l
>>>
>> - --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> What does
>>
>>> selinuxdefcon mat system_u:system_r:sshd_t:s0
>>
>> show
>>> selinuxdefcon dwalsh system_u:system_r:sshd_t:s0
>> staff_u:staff_r:staff_t:s0-s0:c0.c1023
> 
> selinuxdefcon mat system_u:system_r:sshd_t
> mat_u:staff_r:staff_t
> 
> 
> 
> 
So if you ssh to the box now you should end up with staff_t, which is
what you want.
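The thread's diagnosis comes from three pieces of evidence: `ps axZ` showing sshd in sysadm_t while `ls -Z` shows the binary labelled sshd_exec_t (so the transition to sshd_t never happened), the AVC record from that mis-domained sshd, and the `semanage login -l` mapping (mat -> mat_u) not matching the context the session actually came up in (user_u:user_r:user_t). The script below is an added example, not code from the thread or from any SELinux tool: it parses constructed copies of those outputs and reports exactly those findings, so the same checks can be run against saved output from another box. The `semanage login -l` layout is assumed to be the two-column, non-MLS form; all function and sample names are the example's own. Note that a denied AVC in permissive mode is logged but not enforced, so the script reports it as a symptom of the wrong domain, not as the cause of the failed login.

```python
"""Offline triage of the sshd/SELinux symptoms in this thread (added example, not from
the thread or any SELinux tool). Parses constructed copies of the outputs quoted above
and returns the findings a reader draws from them."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A SELinux security context: user:role:type[:range]."""
    seuser: str
    role: str
    domain: str
    mls: str = ""

    @classmethod
    def parse(cls, text):
        parts = text.split(":", 3)  # the MLS/MCS range itself contains ':'
        if len(parts) < 3:
            raise ValueError(f"not a SELinux context: {text!r}")
        return cls(*parts)


AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """AVC record as a dict (result, perms list, every key=value field); None if absent."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"result": m.group("result"), "perms": m.group("perms").split(), **fields}


def parse_ps_z(output):
    """ps axZ rows as (Context, pid, command); the header row is skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split(None, 5)  # LABEL PID TTY STAT TIME COMMAND
        if len(parts) == 6 and parts[1].isdigit():
            rows.append((Context.parse(parts[0]), int(parts[1]), parts[5]))
    return rows


def parse_ls_z(output):
    """ls -Z rows ('context path') as {path: Context}."""
    pairs = (line.split() for line in output.splitlines())
    return {p[1]: Context.parse(p[0]) for p in pairs if len(p) == 2}


def parse_semanage_login(output):
    """semanage login -l rows as {login: seuser}; assumes the two-column, non-MLS layout."""
    pairs = (line.split() for line in output.splitlines())
    return {p[0]: p[1] for p in pairs if len(p) >= 2 and p[0] != "Login"}


def diagnose(ps_output, ls_output, login_output, avc_line, login, session_ctx):
    """Findings for this data as plain strings; empty when nothing is wrong."""
    findings = []
    labels = parse_ls_z(ls_output)
    for ctx, pid, cmd in parse_ps_z(ps_output):
        exe = cmd.split()[0]
        label = labels.get(exe)
        if label and label.domain == "sshd_exec_t" and ctx.domain != "sshd_t":
            findings.append(f"pid {pid} ({exe}) runs in {ctx.domain} although the binary is "
                            f"{label.domain}: the transition to sshd_t did not happen")
    avc = parse_avc(avc_line)
    if avc and avc["result"] == "denied" and avc.get("comm") == "sshd":
        domain = Context.parse(avc["scontext"]).domain
        findings.append(f"AVC: sshd pid {avc['pid']} denied {' '.join(avc['perms'])} "
                        f"on class {avc['tclass']} while running in {domain}")
    mapping = parse_semanage_login(login_output)
    seuser = mapping.get(login, mapping.get("__default__"))
    if seuser and Context.parse(session_ctx).seuser != seuser:
        findings.append(f"login {login} is mapped to {seuser} but the session came up as {session_ctx}")
    return findings


# Sample data constructed from the outputs quoted in the thread (not captured here).
SAMPLE_PS = ("LABEL                            PID TTY      STAT   TIME COMMAND\n"
             "system_u:system_r:sysadm_t       3632 ?        Ss     0:00 /usr/sbin/sshd\n")
SAMPLE_LS = "system_u:object_r:sshd_exec_t /usr/sbin/sshd\n"
SAMPLE_LOGIN = ("Login Name                SELinux User\n\n"
                "__default__               user_u\n"
                "mat                       mat_u\n")
SAMPLE_AVC = ('type=1400 audit(1285657292.298:286): avc:  denied  { audit_control } for  pid=12614 '
              'comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t '
              'tcontext=system_u:system_r:sysadm_t tclass=capability')
SAMPLE_SESSION = "user_u:user_r:user_t"  # the context the poster saw after logging in as mat

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_PS, SAMPLE_LS, SAMPLE_LOGIN, SAMPLE_AVC, "mat", SAMPLE_SESSION):
        print("-", finding)
```

Run against real output, feed it `ps axZ`, `ls -Z /usr/sbin/sshd`, `semanage login -l`, the AVC line from the kernel log and the context `id -Z` prints in the new session; once sshd is in sshd_t and the session comes up as mat_u (the `selinuxdefcon mat system_u:system_r:sshd_t` answer above), `diagnose` returns an empty list.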

