Re: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

On Tue, Sep 28, 2010 at 09:24:09AM +0200, imsand@xxxxxxxxx wrote:
> Hello
> 
> I get the following error when I try to log in through ssh (even if
> selinux is in permissive mode!!!):
> 
> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted
> keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2
> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400
> audit(1285657292.298:286): avc:  denied  { audit_control } for  pid=12614
> comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t
> tcontext=system_u:system_r:sysadm_t tclass=capability
> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error:
> ssh_selinux_getctxbyname: Failed to get default SELinux security context
> for mat
> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
> ssh_selinux_getctxbyname: Failed to get default SELinux security context
> for mat
> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: ssh_selinux_setup_pty:
> security_compute_relabel: Invalid argument
> 
> I already went through this post:
> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml but I
> can't figure out the exact problem.
> 
> Here is what I've done so far:
> - Downloaded the latest reference policy from tresys:
> http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
> - Compiled and installed it on my sles 11.1
> - set selinux into permissive mode: (so far so good.. :))
> sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        refpolicy
> - Add selinux user "mat_u": semanage user -R "staff_r system_r" -P user -a
> mat_u
> - Add linux user "mat": useradd mat
> - Set password for "mat": passwd mat
> - User mapping: semanage login -s mat_u -a mat
> - add security context for "mat_u" by copying staff_u's context (don't
> know if that's needed??!): cp /etc/selinux/refpolicy/contexts/user/staff_u
> /etc/selinux/refpolicy/contexts/user/mat_u
> - set boolean for sysadm ssh login to true (don't know if that's needed?!):
> setsebool ssh_sysadm_login on
> 
> In other posts I've read something about sepermit.conf and namespace.conf
> but these files don't exist on my system. What about these files? Do I
> need them?
> What's wrong on my system?

Here is how it should work:

semanage user -a -L s0 -r s0-s0:c0.c1023 -R "staff_r system_r sysadm_r" -P user mat_u
useradd mat
passwd mat
echo "mat ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL" > /etc/sudoers.d/mat
chmod 0440 /etc/sudoers.d/mat
cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/mat_u
semanage login -a -s mat_u -r s0-s0:c0.c1023 mat


> Why is it not possible to log in even if selinux is in permissive mode?
> Any suggestions?
> 
> thanks in advance
> Matthias
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
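
A check for where the copied per-user context file ended up, as an added example that is not part of either poster's message: the question copies mat_u to contexts/user/ under refpolicy, the reply copies it to contexts/users/ under targeted, and the sestatus output reports refpolicy as the policy in use. It assumes libselinux looks up per-user default contexts in /etc/selinux/<SELINUXTYPE>/contexts/users/<seuser>; the function names, the ROOT argument and the sample tree are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumption: per-user default contexts are read from
#   ROOT/etc/selinux/<SELINUXTYPE>/contexts/users/<seuser>

# active_policy ROOT: print SELINUXTYPE from ROOT/etc/selinux/config
active_policy() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$1/etc/selinux/config" 2>/dev/null | tail -n 1
}

# check_user_ctx ROOT SEUSER
# 0: context file is in place for the policy named in the config
# 1: file missing there (copies found elsewhere are listed)
# 2: SELINUXTYPE could not be read
check_user_ctx() {
    root=$1 seuser=$2
    ptype=$(active_policy "$root")
    [ -n "$ptype" ] || { echo "cannot read SELINUXTYPE" >&2; return 2; }
    want="$root/etc/selinux/$ptype/contexts/users/$seuser"
    if [ -f "$want" ]; then
        echo "ok: $want"
        return 0
    fi
    echo "missing: $want"
    # Look for copies in another policy store or in a misnamed directory.
    for stray in "$root"/etc/selinux/*/contexts/user/"$seuser" \
                 "$root"/etc/selinux/*/contexts/users/"$seuser"; do
        [ -f "$stray" ] && echo "  found instead: $stray"
    done
    return 1
}

# Constructed sample tree mirroring the paths used in the thread:
# config says refpolicy, copies sit in refpolicy/contexts/user/ (question)
# and targeted/contexts/users/ (reply).
build_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/selinux/refpolicy/contexts/user" \
             "$t/etc/selinux/targeted/contexts/users"
    printf 'SELINUX=permissive\nSELINUXTYPE=refpolicy\n' > "$t/etc/selinux/config"
    : > "$t/etc/selinux/refpolicy/contexts/user/mat_u"
    : > "$t/etc/selinux/targeted/contexts/users/mat_u"
    echo "$t"
}
```

On a live system, call it as `check_user_ctx "" mat_u` so that ROOT is the real filesystem root.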
