> On Tue, Sep 28, 2010 at 01:56:13PM +0200, imsand@xxxxxxxxx wrote:
>> > On 28/09/10 08:24, imsand@xxxxxxxxx wrote:
>> >> Hello
>> >>
>> >> I get the following error when I try to log in through ssh (even if
>> >> selinux is in permissive mode!!!):
>> >>
>> >> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted
>> >> keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2
>> >> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750]
>> type=1400
>> >> audit(1285657292.298:286): avc: denied { audit_control } for
>> >> pid=12614
>> >> comm="sshd" capability=30 scontext=system_u:system_r:sysadm_t
>> >> tcontext=system_u:system_r:sysadm_t tclass=capability
>> >> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error:
>> >> ssh_selinux_getctxbyname: Failed to get default SELinux security
>> context
>> >> for mat
>> >> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
>> >> ssh_selinux_getctxbyname: Failed to get default SELinux security
>> context
>> >> for mat
>> >> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
>> >> ssh_selinux_setup_pty:
>> >> security_compute_relabel: Invalid argument
>> >>
>> >> I already went through this post:
>> >> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml but
>> I
>> >> can't figure out the exact problem.
>> >>
>> >> Here is what I've done so far:
>> >> - Downloaded the latest reference policy from tresys:
>> >> http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
>> >> - Compiled and installed it on my sles 11.1
>> >> - set selinux into permissive mode: (so far so good.. :))
>> >> sestatus
>> >> SELinux status: enabled
>> >> SELinuxfs mount: /selinux
>> >> Current mode: permissive
>> >> Mode from config file: permissive
>> >> Policy version: 24
>> >> Policy from config file: refpolicy
>> >> - Add selinux user "mat_u": semanage user -R "staff_r system_r" -P
>> user
>> >> -a
>> >> mat_u
>> >> - Add linux user " mat": useradd mat
>> >> - Set password for "mat": passwd mat
>> >> - User mapping: semanage login -s mat_u -a mat
>> >> - add security context for "mat_u" by copying staff_u's context
>> (don't
>> >> know if that's needed??!): cp
>> >> /etc/selinux/refpolicy/contexts/user/staff_u
>> >> /etc/selinux/refpolicy/contexts/user/mat_u
>> >> - set boolean for sysadm ssh login to true (don't know if thats
>> >> needed?!):
>> >> setsebool ssh_sysadm_login on
>> >>
>> >> In other posts I've read something about sepermit.conf and
>> >> namespace.conf
>> >> but these files don't exist on my system. What about these files? Do
>> I
>> >> need them?
>> >> What's wrong on my system?
>> >> Why it's not possible to login even if selinux is in permissive mode?
>> >> Any suggestions?
>> >
>> > I'd start by trying to figure out why sshd isn't running in sshd_t (it
>> > seems to be running in sysadm_t).
>> >
>> > Paul.
>> > --
>> > selinux mailing list
>> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>> >
>>
>> Yes, sshd is running in sysadm_t:
>>
>> # ps axZ | grep sshd
>> system_u:system_r:sysadm_t 3632 ? Ss 0:00
>> /usr/sbin/sshd
>> -o PidFile=/var/run/sshd.init.pi
>>
>> # ls -Z /usr/sbin/sshd
>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>
>> Don't know why it's not sshd_t. I didn't modified something. It's a
>> standard installation of sles11 with the default reference policy from
>> tresys.
>>
>> Maybe this code snippet from policy/modules/services/ssh.te is
>> responsible
>> for that:
>> ## <desc>
>> ## <p>
>> ## Allow ssh logins as sysadm_r:sysadm_t
>> ## </p>
>> ## </desc>
>> gen_tunable(ssh_sysadm_login, true)
>>
>> Any ideas?
>
> Do you have boolean init_upstart set to on? if not try setting it to on.
> I do not believe ssh_sysadm_login boolean works currently but i may be
> mistaken.
>>
>> --
Yeah, setting init_upstart to on did the trick! THANK A LOT!
Do you know why this prevents the user from logging in through ssh even if
selinux is set to permissive??
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
