On 06/19/2011 12:59 PM, Richard W.M. Jones wrote:
> On Sun, Jun 19, 2011 at 06:42:34PM +0200, Jim Meyering wrote:
>> Richard W.M. Jones wrote:
>>> Anyone seeing this error?  Unless I boot with enforcing=0, I see
>>> this error when I try to log in as any user:
>>>
>>>   Unable to get valid context for <username>
>>>
>>> It seems like it's just started happening, since I upgraded something
>>> within the last 1-2 weeks.
>>
>> Hi Rich,
>>
>> I'm using 3.0-0.rc3.git5.1.fc16.x86_64 in enforcing mode (of course ;-)
>> and don't see any problem when logging in via ssh:
>>
>>   h$ ssh r date
>>   Sun Jun 19 18:34:32 CEST 2011
>>   h$ ssh r
>>   Last login: Sun Jun 19 18:33:11 2011 from 192.168.122.1
>>   r$ :
>>
>> Everything is up to date, at least wrt whatever mirror I'm using.
>> My shell on that system is zsh; but I got the same result when
>> temporarily switching it to bash.
>
> I was still seeing it, even after just updating everything and
> rebooting the VM:
>
>   $ ssh 192.168.122.151
>   Unable to get valid context for rjones
>   Last login: Sun Jun 19 17:46:29 2011 from 192.168.122.1
>   Connection to 192.168.122.151 closed.
>
> However I then touched /.autorelabel using guestfish:
>
>   # guestfish -i --rw -d FedoraRawhidex64 touch /.autorelabel
>
> (it turns out I've written about this before, but had forgotten, see
> https://rwmj.wordpress.com/2010/01/06/tip-autorelabel-a-vm/).
>
> And that fixed it!  However I don't know why ...
>
> Rich.
>

If a login program says "Unable to get valid context for <username>" it
almost certainly means the login program is running with the wrong
context.  The login program asks SELinux what is the context to assign
to <username> when it logs in.  This means sshd should ask what context
should sshd_t login dwalsh.  But if sshd is running with the wrong
context (almost assuredly caused by a labeling problem.) the
kernel/libselinux will return an error, and the login program will ask
the user.
For example sshd running as initrc_t or kernel_t would get an error.
Usually a relabel will clean up the error.

If you see this and can get a login shell run "ps -eZ | grep sshd" to
see what context the login program is running as.
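
The `ps -eZ` check suggested in the reply above, turned into a script that flags any sshd process not running in sshd_t. This is an added example, not part of the original message; the helper names, the exit codes and the sample process listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ps -eZ` output on stdin and
# reports the SELinux domain of every process whose command name is DAEMON.

# check_login_domain DAEMON EXPECTED_TYPE   (hypothetical helper name)
# Prints "<ok|MISLABELED> pid=<pid> type=<type>" per matching process.
# Exit status: 0 all instances in EXPECTED_TYPE, 1 at least one is not,
# 2 no instance of DAEMON found.
check_login_domain() {
    awk -v daemon="$1" -v want="$2" '
        $NF == daemon {
            # A context is user:role:type[:level]; the level may itself
            # contain ":" (for example s0-s0:c0.c1023), so take field 3.
            n = split($1, ctx, ":")
            dom = (n >= 3) ? ctx[3] : "unlabeled"
            found = 1
            if (dom == want) {
                verdict = "ok"
            } else {
                verdict = "MISLABELED"
                bad = 1
            }
            printf "%s pid=%s type=%s\n", verdict, $2, dom
        }
        END {
            if (!found) exit 2
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample of `ps -eZ` output: one sshd left in initrc_t (the
# failure case named in the reply) and one correctly running in sshd_t.
constructed_ps_sample() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:initrc_t:s0     912 ?        00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1440 ? 00:00:00 sshd
EOF
}

# Demo on the constructed sample; on a live host use:
#   ps -eZ | check_login_domain sshd sshd_t
constructed_ps_sample | check_login_domain sshd sshd_t ||
    echo "exit status: $?"
```

A non-zero status of 1 means at least one instance is in the wrong domain, which is the situation the reply says a relabel usually clears up.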