error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

imsand at puzzle.ch
Wed Sep 29 14:36:10 UTC 2010


> On 09/29/2010 09:33 AM, imsand at puzzle.ch wrote:
>>> On 09/29/2010 08:23 AM, Daniel J Walsh wrote:
>>>> On 09/29/2010 03:26 AM, imsand at puzzle.ch wrote:
>>>>>> On Tue, Sep 28, 2010 at 03:51:11PM +0200, imsand at puzzle.ch wrote:
>>>>>>>> On Tue, Sep 28, 2010 at 01:56:13PM +0200, imsand at puzzle.ch wrote:
>>>>>>>>>> On 28/09/10 08:24, imsand at puzzle.ch wrote:
>>>>>>>>>>> Hello
>>>>>>>>>>>
>>>>>>>>>>> I get the following error when I try to log in through ssh (even if
>>>>>>>>>>> selinux is in permissive mode!!!):
>>>>>>>>>>>
>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2
>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400 audit(1285657292.298:286): avc:  denied  { audit_control } for pid=12614 comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability
>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for mat
>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for mat
>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
>>>>>>>>>>>
>>>>>>>>>>> I already went through this post:
>>>>>>>>>>> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml
>>>>>>>>>>> but I can't figure out the exact problem.
>>>>>>>>>>>
>>>>>>>>>>> Here is what I've done so far:
>>>>>>>>>>> - Downloaded the latest reference policy from tresys:
>>>>>>>>>>> http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
>>>>>>>>>>> - Compiled and installed it on my sles 11.1
>>>>>>>>>>> - set selinux into permissive mode: (so far so good.. :))
>>>>>>>>>>> sestatus
>>>>>>>>>>> SELinux status:                 enabled
>>>>>>>>>>> SELinuxfs mount:                /selinux
>>>>>>>>>>> Current mode:                   permissive
>>>>>>>>>>> Mode from config file:          permissive
>>>>>>>>>>> Policy version:                 24
>>>>>>>>>>> Policy from config file:        refpolicy
>>>>>>>>>>> - Add selinux user "mat_u": semanage user -R "staff_r system_r" -P user -a mat_u
>>>>>>>>>>> - Add linux user "mat": useradd mat
>>>>>>>>>>> - Set password for "mat": passwd mat
>>>>>>>>>>> - User mapping: semanage login -s mat_u -a mat
>>>>>>>>>>> - add security context for "mat_u" by copying staff_u's context (don't
>>>>>>>>>>> know if that's needed??!): cp
>>>>>>>>>>> /etc/selinux/refpolicy/contexts/user/staff_u
>>>>>>>>>>> /etc/selinux/refpolicy/contexts/user/mat_u
>>>>>>>>>>> - set boolean for sysadm ssh login to true (don't know if that's
>>>>>>>>>>> needed?!):
>>>>>>>>>>> setsebool ssh_sysadm_login on
>>>>>>>>>>>
>>>>>>>>>>> In other posts I've read something about sepermit.conf and
>>>>>>>>>>> namespace.conf but these files don't exist on my system. What about
>>>>>>>>>>> these files? Do I need them?
>>>>>>>>>>> What's wrong on my system?
>>>>>>>>>>> Why is it not possible to log in even if selinux is in permissive mode?
>>>>>>>>>>> Any suggestions?
>>>>>>>>>>
>>>>>>>>>> I'd start by trying to figure out why sshd isn't running in sshd_t (it
>>>>>>>>>> seems to be running in sysadm_t).
>>>>>>>>>>
>>>>>>>>>> Paul.
>>>>>>>>>> --
>>>>>>>>>> selinux mailing list
>>>>>>>>>> selinux at lists.fedoraproject.org
>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Yes, sshd is running in sysadm_t:
>>>>>>>>>
>>>>>>>>> # ps axZ | grep sshd
>>>>>>>>> system_u:system_r:sysadm_t       3632 ?        Ss     0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi
>>>>>>>>>
>>>>>>>>> # ls -Z /usr/sbin/sshd
>>>>>>>>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>>>>>>>>
>>>>>>>>> Don't know why it's not sshd_t. I didn't modify anything. It's a
>>>>>>>>> standard installation of sles11 with the default reference policy from
>>>>>>>>> tresys.
>>>>>>>>>
>>>>>>>>> Maybe this code snippet from policy/modules/services/ssh.te is
>>>>>>>>> responsible for that:
>>>>>>>>> ## <desc>
>>>>>>>>> ## <p>
>>>>>>>>> ## Allow ssh logins as sysadm_r:sysadm_t
>>>>>>>>> ## </p>
>>>>>>>>> ## </desc>
>>>>>>>>> gen_tunable(ssh_sysadm_login, true)
>>>>>>>>>
>>>>>>>>> Any ideas?
>>>>>>>>
>>>>>>>> Do you have boolean init_upstart set to on? If not, try setting it to
>>>>>>>> on. I do not believe the ssh_sysadm_login boolean works currently, but I
>>>>>>>> may be mistaken.
>>>>>>
>>>>>> ssh_sysadm_login DOES actually work, you just need to specify your role
>>>>>> on login...
>>>>>>
>>>>> I suppose I have to edit
>>>>> /etc/selinux/refpolicy/src/policy/config/local.users
>>>>> for doing so!? I added "user mat roles { sysadm_r };", rebuilt & loaded the
>>>>> policy. But after login the context is still "user_u:user_r:user_t".
>>>>> The user should be able to change the role to sysadm_r:
>>>>> ----
>>>>> semanage user -l
>>>>> SELinux User    SELinux Roles
>>>>> mat_u           staff_r sysadm_r
>>>>> ----
>>>>> Doing it explicitly does not work either:
>>>>> ----
>>>>> newrole -r staff_r
>>>>> user_u:staff_r:staff_t is not a valid context
>>>>> ----
>>>>> Don't know why. Restricted by a special policy?
>>>>
>>>>
>>>>
>>>> semanage login -l
>>>>
>>>
>>> What does
>>>
>>>> selinuxdefcon mat system_u:system_r:sshd_t:s0
>>>
>>> show
>>>> selinuxdefcon dwalsh system_u:system_r:sshd_t:s0
>>> staff_u:staff_r:staff_t:s0-s0:c0.c1023
>>
>> selinuxdefcon mat system_u:system_r:sshd_t
>> mat_u:staff_r:staff_t
>>
>>
> So if you ssh to the box now you should end up with staff_t, which is
> what you want.
No, unfortunately not, and that's the curious thing about it. I still end
up with user_r.

Please have a look at this:
----------------
root at localhost: ssh mat at stvlx05
Password: ********
mat at testsrv:~> id
uid=6575(mat) gid=100(users) groups=16(dialout),33(video),100(users)
context=user_u:user_r:user_t
mat at testsrv:~> sudo /usr/sbin/selinuxdefcon mat system_u:system_r:sshd_t
mat_u:staff_r:staff_t
mat at testsrv:~>
-----------------
The user's role is user_r even though it should be staff_r. !?!?
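As an added illustration of what the thread is circling around (this is not code from the thread, from OpenSSH or from libselinux), the model below reproduces the lookup that sshd's ssh_selinux_getctxbyname() delegates to libselinux: the login name is mapped to an SELinux user (the `semanage login -l` table, with libselinux's `__default__` fallback for unmapped logins), the caller's own role:type is looked up in the policy's default_contexts file, and the first candidate role the SELinux user is allowed to hold wins. The DEFAULT_CONTEXTS excerpt, LOGIN_MAP and USER_ROLES are constructed (USER_ROLES copies the `semanage user -l` line quoted above), the function names are my own, and MLS ranges, the per-user contexts/users/<seuser> overrides and the kernel's validity check of each candidate are deliberately left out. With those inputs the model gives the two outcomes seen in the thread: a caller in sshd_t yields mat_u:staff_r:staff_t, and a caller in sysadm_t, for which the excerpt has no line, yields no context at all, which is the case in which sshd logs "Failed to get default SELinux security context". It also models the role request mentioned earlier in the thread (get_default_context_with_role in libselinux).

```python
"""Simplified model of how sshd obtains a login's SELinux session context.
Added illustration; not libselinux or OpenSSH code.  Ignores MLS ranges,
contexts/users/<seuser> overrides and the kernel validity check."""

# Constructed excerpt in the format of /etc/selinux/<policy>/contexts/default_contexts:
# first field is the caller's role:type, the rest are candidate role:type pairs
# for the new session, most preferred first.  No line for system_r:sysadm_t
# is present, on purpose.
DEFAULT_CONTEXTS = """\
# caller                candidates, most preferred first
system_r:sshd_t         user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:local_login_t  user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
"""

# Constructed login -> SELinux user mapping (what `semanage login -l` shows).
# "__default__" is the entry libselinux falls back to for unmapped logins.
LOGIN_MAP = {
    "mat": "mat_u",
    "dwalsh": "staff_u",
    "__default__": "user_u",
}

# Constructed role sets (what `semanage user -l` shows); mat_u copied from the thread.
USER_ROLES = {
    "mat_u": {"staff_r", "sysadm_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "user_u": {"user_r"},
}


def parse_default_contexts(text):
    """Return {caller_role:type: [candidate_role:type, ...]} from default_contexts text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        caller, *candidates = line.split()
        table[caller] = candidates
    return table


def seuser_for_login(login, login_map=LOGIN_MAP):
    """Map a Linux login to its SELinux user, falling back to __default__."""
    return login_map.get(login, login_map["__default__"])


def default_context(login, fromcon, requested_role=None,
                    contexts_text=DEFAULT_CONTEXTS, login_map=LOGIN_MAP,
                    user_roles=USER_ROLES):
    """Pick the session context for `login` when the caller runs as `fromcon`.

    Returns "seuser:role:type", or None when no candidate is acceptable, the
    situation in which sshd reports "Failed to get default SELinux security
    context".  `requested_role` models a role asked for at login time."""
    seuser = seuser_for_login(login, login_map)
    roles = user_roles.get(seuser, set())
    _user, role, type_ = fromcon.split(":")[:3]         # drop any MLS range
    table = parse_default_contexts(contexts_text)
    for candidate in table.get(f"{role}:{type_}", []):
        cand_role, cand_type = candidate.split(":")[:2]
        if cand_role not in roles:
            continue            # the SELinux user may not enter this role
        if requested_role and cand_role != requested_role:
            continue            # caller asked for a specific role; keep looking
        return f"{seuser}:{cand_role}:{cand_type}"
    return None


if __name__ == "__main__":
    for login, fromcon, role in [
        ("mat", "system_u:system_r:sshd_t", None),
        ("mat", "system_u:system_r:sshd_t", "sysadm_r"),
        ("mat", "system_u:system_r:sysadm_t", None),
        ("somebody", "system_u:system_r:sshd_t", None),
    ]:
        print(login, fromcon, role or "-", "->", default_context(login, fromcon, role))
```

The practical reading of the model: the caller's domain, not the user's mapping alone, selects the default_contexts line, so a daemon running in an unexpected domain can fail the lookup even though `semanage login -l` and `semanage user -l` look right, and an unmapped login silently receives the `__default__` user's roles.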



