error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

Daniel J Walsh dwalsh at redhat.com
Wed Sep 29 14:40:41 UTC 2010



On 09/29/2010 10:36 AM, imsand at puzzle.ch wrote:
> On 09/29/2010 09:33 AM, imsand at puzzle.ch wrote:
>>>>>
>>>>> On 09/29/2010 08:23 AM, Daniel J Walsh wrote:
>>>>>> On 09/29/2010 03:26 AM, imsand at puzzle.ch wrote:
>>>>>>>> On Tue, Sep 28, 2010 at 03:51:11PM +0200, imsand at puzzle.ch wrote:
>>>>>>>>>> On Tue, Sep 28, 2010 at 01:56:13PM +0200, imsand at puzzle.ch wrote:
>>>>>>>>>>>> On 28/09/10 08:24, imsand at puzzle.ch wrote:
>>>>>>>>>>>>> Hello
>>>>>>>>>>>>>
>>>>>>>>>>>>> I get the following error when I try to log in through ssh (even if selinux is in permissive mode!!!):
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2
>>>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400 audit(1285657292.298:286): avc:  denied  { audit_control } for pid=12614 comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability
>>>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for mat
>>>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for mat
>>>>>>>>>>>>> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
>>>>>>>>>>>>>
>>>>>>>>>>>>> I already went through this post:
>>>>>>>>>>>>> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml
>>>>>>>>>>>>> but I can't figure out the exact problem.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here is what I've done so far:
>>>>>>>>>>>>> - Downloaded the latest reference policy from tresys:
>>>>>>>>>>>>> http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
>>>>>>>>>>>>> - Compiled and installed it on my sles 11.1
>>>>>>>>>>>>> - set selinux into permissive mode: (so far so good.. :))
>>>>>>>>>>>>> sestatus
>>>>>>>>>>>>> SELinux status:                 enabled
>>>>>>>>>>>>> SELinuxfs mount:                /selinux
>>>>>>>>>>>>> Current mode:                   permissive
>>>>>>>>>>>>> Mode from config file:          permissive
>>>>>>>>>>>>> Policy version:                 24
>>>>>>>>>>>>> Policy from config file:        refpolicy
>>>>>>>>>>>>> - Add selinux user "mat_u": semanage user -R "staff_r system_r" -P user -a mat_u
>>>>>>>>>>>>> - Add linux user "mat": useradd mat
>>>>>>>>>>>>> - Set password for "mat": passwd mat
>>>>>>>>>>>>> - User mapping: semanage login -s mat_u -a mat
>>>>>>>>>>>>> - add security context for "mat_u" by copying staff_u's context (don't know if that's needed??!):
>>>>>>>>>>>>> cp /etc/selinux/refpolicy/contexts/user/staff_u /etc/selinux/refpolicy/contexts/user/mat_u
>>>>>>>>>>>>> - set boolean for sysadm ssh login to true (don't know if that's needed?!):
>>>>>>>>>>>>> setsebool ssh_sysadm_login on
>>>>>>>>>>>>>
>>>>>>>>>>>>> In other posts I've read something about sepermit.conf and namespace.conf
>>>>>>>>>>>>> but these files don't exist on my system. What about these files? Do I need them?
>>>>>>>>>>>>> What's wrong on my system?
>>>>>>>>>>>>> Why is it not possible to log in even if selinux is in permissive mode?
>>>>>>>>>>>>> Any suggestions?
>>>>>>>>>>>>
>>>>>>>>>>>> I'd start by trying to figure out why sshd isn't running in sshd_t (it
>>>>>>>>>>>> seems to be running in sysadm_t).
>>>>>>>>>>>>
>>>>>>>>>>>> Paul.
>>>>>>>>>>>> --
>>>>>>>>>>>> selinux mailing list
>>>>>>>>>>>> selinux at lists.fedoraproject.org
>>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Yes, sshd is running in sysadm_t:
>>>>>>>>>>>
>>>>>>>>>>> # ps axZ | grep sshd
>>>>>>>>>>> system_u:system_r:sysadm_t       3632 ?        Ss     0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi
>>>>>>>>>>>
>>>>>>>>>>> # ls -Z /usr/sbin/sshd
>>>>>>>>>>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>>>>>>>>>>
>>>>>>>>>>> Don't know why it's not sshd_t. I didn't modify anything. It's a
>>>>>>>>>>> standard installation of sles11 with the default reference policy from
>>>>>>>>>>> tresys.
>>>>>>>>>>>
>>>>>>>>>>> Maybe this code snippet from policy/modules/services/ssh.te is
>>>>>>>>>>> responsible for that:
>>>>>>>>>>> ## <desc>
>>>>>>>>>>> ## <p>
>>>>>>>>>>> ## Allow ssh logins as sysadm_r:sysadm_t
>>>>>>>>>>> ## </p>
>>>>>>>>>>> ## </desc>
>>>>>>>>>>> gen_tunable(ssh_sysadm_login, true)
>>>>>>>>>>>
>>>>>>>>>>> Any ideas?
>>>>>>>>>>
>>>>>>>>>> Do you have boolean init_upstart set to on? If not, try setting it to on.
>>>>>>>>>> I do not believe the ssh_sysadm_login boolean works currently, but I may
>>>>>>>>>> be mistaken.
>>>>>>>>
>>>>>>>> ssh_sysadm_login DOES actually work, you just need to specify your role
>>>>>>>> on login...
>>>>>>>>
>>>>>>> I suppose I have to edit /etc/selinux/refpolicy/src/policy/config/local.users
>>>>>>> to do so!? I added "user mat roles { sysadm_r };", rebuilt & loaded the
>>>>>>> policy. But after login the context is still "user_u:user_r:user_t".
>>>>>>> The user should be able to change the role to sysadm_r:
>>>>>>> ----
>>>>>>> semanage user -l
>>>>>>> SELinux User    SELinux Roles
>>>>>>> mat_u           staff_r sysadm_r
>>>>>>> ----
>>>>>>> Doing it explicitly does not work either:
>>>>>>> ----
>>>>>>> newrole -r staff_r
>>>>>>> user_u:staff_r:staff_t is not a valid context
>>>>>>> ----
>>>>>>> Don't know why. Restricted by a special policy?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> semanage login -l
>>>>>>
>>>>>
>>>>> What does
>>>>>
>>>>>> selinuxdefcon mat system_u:system_r:sshd_t:s0
>>>>>
>>>>> show?
>>>>>> selinuxdefcon dwalsh system_u:system_r:sshd_t:s0
>>>>> staff_u:staff_r:staff_t:s0-s0:c0.c1023
>>>>
>>>> selinuxdefcon mat system_u:system_r:sshd_t
>>>> mat_u:staff_r:staff_t
>>>>
>>>>
>>>>
>>>>
>> So if you ssh to the box now you should end up with staff_t, which is
>> what you want.
>
> No, unfortunately not, and that's the curious thing about that. I still end
> up with user_r.

> Please have a look at this:
> ----------------
> root at localhost: ssh mat at stvlx05
> Password: ********
> mat at testsrv:~> id
> uid=6575(mat) gid=100(users) groups=16(dialout),33(video),100(users) context=user_u:user_r:user_t
> mat at testsrv:~> sudo /usr/sbin/selinuxdefcon mat system_u:system_r:sshd_t
> mat_u:staff_r:staff_t
> mat at testsrv:~>
> -----------------
> The user's role is user_r even though it should be staff_r. !?!?




What context is sshd running as?

ps -eZ | grep sshd


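An added illustration, not part of this thread and not libselinux or OpenSSH code: the script below models the lookup that sshd's ssh_selinux_getctxbyname (through getseuserbyname and get_default_context in libselinux) and selinuxdefcon perform when they derive a login context, run over constructed copies of seusers, default_contexts and a contexts/users/<seuser> file so it works on a box without SELinux. The file contents, the login names and the USER_ROLES table (standing in for the kernel's security_compute_user answer, which the real code asks for) are assumptions chosen to match the cases in the thread: a login process in sshd_t resolves mat to mat_u:staff_r:staff_t, as selinuxdefcon showed, while a login process in sysadm_t matches no default_contexts entry and resolves to nothing, which is one way sshd ends up on the "Failed to get default SELinux security context" error path.

```python
"""
Offline model of how a login daemon derives a user's default SELinux
context.  Added illustration, not libselinux or OpenSSH code.  Order of
lookup mirrored here: seusers mapping (getseuserbyname), then the per-user
contexts/users/<seuser> file, then default_contexts (get_default_context).
The real libselinux asks the kernel (security_compute_user) which contexts
the SELinux user may reach; USER_ROLES below is an assumed stand-in.
"""
from typing import Dict, List, Optional, Set

# Constructed seusers file (login:seuser[:range]), modelled on what
# "semanage login -s mat_u -a mat" adds on top of refpolicy's default.
SEUSERS = """\
mat:mat_u
root:root
__default__:user_u
"""

# Constructed refpolicy-style default_contexts.  First field: role:type of
# the process performing the login.  Remaining fields: role:type pairs the
# user may be placed in, in order of preference.
DEFAULT_CONTEXTS = """\
system_r:crond_t            user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:local_login_t      user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:remote_login_t     user_r:user_t staff_r:staff_t
system_r:sshd_t             user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
"""

# Constructed per-user override, contexts/users/<seuser>: same layout, but
# ranked so that ssh logins for mat_u prefer staff_r.
USER_CONTEXTS: Dict[str, str] = {
    "mat_u": "system_r:sshd_t  staff_r:staff_t sysadm_r:sysadm_t user_r:user_t\n",
}

# Constructed role assignments, what "semanage user -l" would list.
USER_ROLES: Dict[str, Set[str]] = {
    "mat_u": {"staff_r", "sysadm_r"},
    "root": {"staff_r", "sysadm_r"},
    "user_u": {"user_r"},
}


def map_seuser(login: str, seusers: str = SEUSERS) -> Optional[str]:
    """Resolve a Linux login to its SELinux user, falling back to __default__."""
    default = None
    for line in seusers.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] == login:
            return fields[1]
        if fields[0] == "__default__":
            default = fields[1]
    return default


def role_type(ctx: str) -> str:
    """user:role:type[:level] -> role:type (MLS levels are ignored in this model)."""
    parts = ctx.split(":")
    return ":".join(parts[1:3])


def ordered_candidates(fromcon: str, table: str) -> List[str]:
    """role:type pairs listed for the login process's role:type, in file order."""
    want = role_type(fromcon)
    for line in table.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # the first field may carry a level; compare only role:type
        if ":".join(fields[0].split(":")[:2]) == want:
            return [":".join(f.split(":")[:2]) for f in fields[1:]]
    return []


def default_context(login: str, fromcon: str,
                    seusers: str = SEUSERS,
                    user_contexts: Dict[str, str] = USER_CONTEXTS,
                    default_contexts: str = DEFAULT_CONTEXTS,
                    user_roles: Dict[str, Set[str]] = USER_ROLES) -> Optional[str]:
    """Return seuser:role:type for a login, or None when no entry applies.

    None is the outcome sshd reports as "ssh_selinux_getctxbyname: Failed
    to get default SELinux security context".
    """
    seuser = map_seuser(login, seusers)
    if seuser is None:
        return None
    allowed = user_roles.get(seuser, set())
    tables = [user_contexts[seuser]] if seuser in user_contexts else []
    tables.append(default_contexts)
    for table in tables:
        for pair in ordered_candidates(fromcon, table):
            if pair.split(":")[0] in allowed:
                return f"{seuser}:{pair}"
    return None


if __name__ == "__main__":
    for who, con in [("mat", "system_u:system_r:sshd_t"),
                     ("mat", "system_u:system_r:sysadm_t"),
                     ("alice", "system_u:system_r:sshd_t")]:
        print(f"{who:6} via {con:28} -> {default_context(who, con)}")
```

On a real box the same three inputs are what the thread already asks for: "semanage login -l" for the mapping, "ps -eZ | grep sshd" for the login process's context, and "selinuxdefcon <user> <sshd context>" for the resolved result; if sshd is not in sshd_t, nothing in default_contexts is keyed to it and the lookup has no entry to return.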

