SSH issue : ssh_selinux_copy_context: setcon failed with Invalid argument

When trying to perform an sftp operation, we encounter a failure even in
permissive mode. The syslogs during the failure are as follows:

Mar 18 23:43:45 den-ccm-pub authpriv 3 sshd: pam_selinux(sshd:session): conversation failed
Mar 18 23:43:45 den-ccm-pub authpriv 4 sshd: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Mar 18 23:43:45 den-ccm-pub authpriv 3 sshd: pam_selinux(sshd:session): Unable to get valid context for sftpuser
Mar 18 23:43:45 den-ccm-pub authpriv 6 sshd: pam_unix(sshd:session): session opened for user sftpuser by (uid=0)
Mar 18 23:43:45 den-ccm-pub authpriv 6 sshd: User child is on pid 5853
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: mm_request_receive entering
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: PAM: establishing credentials
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: permanently_set_uid: 500/500
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug2: set_newkeys: mode 0
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug2: set_newkeys: mode 1
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: Entering interactive session for SSH2.
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug2: fd 4 setting O_NONBLOCK
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug2: fd 6 setting O_NONBLOCK
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: server_init_dispatch_20
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: input_session_request
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: channel 0: new [server-session]
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug2: session_new: allocate (allocated 0 max 10)
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: session_unused: session id 0 unused
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: session_new: session 0
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: session_open: channel 0
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: session_open: session 0: link with channel 0
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: server_input_channel_open: confirm session
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: server_input_global_request: rtype no-more-sessions@xxxxxxxxxxx want_reply 0
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: Wrote 52 bytes for a total of 2801
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: server_input_channel_req: channel 0 request env reply 0
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: session_by_channel: session 0 channel 0
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: session_input_channel_req: session 0 req env
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug2: Setting env 0: LANG=en_US.UTF-8
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: server_input_channel_req: channel 0 request subsystem reply 1
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: session_by_channel: session 0 channel 0
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: session_input_channel_req: session 0 req subsystem
Mar 18 23:43:45 den-ccm-pub authpriv 6 sshd: subsystem request for sftp
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: subsystem: exec() internal-sftp
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: mm_audit_run_command entering command internal-sftp
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: mm_request_send entering: type 62
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: mm_request_receive_expect entering: type 63
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: monitor_read: checking request 62
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: mm_answer_audit_command entering
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug2: session_new: allocate (allocated 0 max 10)
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: session_unused: session id 0 unused
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug1: session_new: session 0
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: mm_request_send entering: type 63
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: mm_request_receive entering
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: mm_request_receive entering
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug2: fd 3 setting TCP_NODELAY
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug2: fd 9 setting O_NONBLOCK
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug2: fd 8 setting O_NONBLOCK
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: Copy environment: SELINUX_ROLE_REQUESTED=
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug2: fd 11 setting O_NONBLOCK
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: Copy environment: SELINUX_LEVEL_REQUESTED=
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: Copy environment: SELINUX_USE_CURRENT_RANGE=
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: channel 0: close_fds r -1 w -1 e -1 c -1
Mar 18 23:43:45 den-ccm-pub authpriv 7 sshd: debug3: Wrote 88 bytes for a total of 2889
Mar 18 23:43:45 den-ccm-pub authpriv 6 sshd: ssh_selinux_copy_context: setcon failed with Invalid argument
Mar 18 23:43:45 den-ccm-pub authpriv 2 sshd: fatal: xfree: NULL pointer given as argument


The OpenSSH version on the system is:
openssh-clients-5.3p1-70.el6.x86_64
openssh-5.3p1-70.el6.x86_64
openssh-server-5.3p1-70.el6.x86_64



Here are the semanage login and user details:

[root@den-ccm-sub1 remoteadmin]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
administrator             admin_u                   s0-s0:c0.c1023
ccmservice                specialuser_u             s0
drfkeys                   specialuser_u             s0
drfuser                   specialuser_u             s0
informix                  specialuser_u             s0
pwrecovery                specialuser_u             s0
remoteadmin               remotesupport_u           s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
sftpuser                  specialuser_u             s0
system_u                  system_u                  s0-s0:c0.c1023

[root@den-ccm-sub1 remoteadmin]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

admin_u         user       s0         s0-s0:c0.c1023                 sysadm_r system_r
git_shell_u     user       s0         s0                             git_shell_r
guest_u         user       s0         s0                             guest_r
remotesupport_u user       s0         s0-s0:c0.c1023                 sysadm_r system_r
root            user       s0         s0-s0:c0.c1023                 sysadm_r system_r
specialuser_u   user       s0         s0                             sysadm_r system_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r



Here is the sshd process context:
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 5012  1  0 Mar18 ? 00:00:00 /usr/sbin/sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 30383 1  0 Mar18 ? 00:00:00 sshd: remoteadmin [priv]
system_u:system_r:sshd_t:s0-s0:c0.c1023 668 30448 30383  0 Mar18 ? 00:00:00 sshd: remoteadmin@pts/0

Is this a known issue?

Thanks,
Anamitra




