Bug 447943

Summary: Detection of SELinux enforcing mode is broken in sshd
Product: [Fedora] Fedora Reporter: Bryan O'Sullivan <bos>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED CANTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: 9   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-10-17 08:16:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
output of sshd -Dde none

Description Bryan O'Sullivan 2008-05-22 15:31:04 UTC 
This is a known-fixed upstream bug that is affecting Fedora 9.  Fedora 8 and
earlier do not seem to be affected.

https://bugzilla.mindrot.org/show_bug.cgi?id=1325

The symptom is that if SELinux is running in permissive mode, it's often not
possible to log in via ssh.
Comment 1 Tomas Mraz 2008-05-22 15:50:20 UTC 
It should not affect Fedora 9 because the SELinux support was mostly replaced a
few Fedora releases ago. If you have some problems with SELinux and OpenSSH in
Fedora 9 it is a different problem. Please provide debug logs from the server.
Comment 2 Bryan O'Sullivan 2008-05-22 16:16:44 UTC 
Created attachment 306395 [details]
output of sshd -Dde

Here's an example server log.
Comment 3 Tomas Mraz 2008-05-23 17:42:54 UTC 
As you can see from the log, the actual failure is in the setresuid call - it
seems that the uid 1000 exceeded the limit of number of processes. Perhaps you
have something wrong in /etc/security/limits.conf or limits.d?

ssh_selinux_getctxbyname: Failed to get default SELinux security context for bos
ssh_selinux_setup_exec_context: SELinux failure. Continuing in permissive mode.

Also it is true that these messages should not be there, perhaps there is
something wrong with your SELinux policy? What prints 'semanage -l login' and
'semanage -l user'?
Comment 4 Bryan O'Sullivan 2008-05-23 17:54:38 UTC 
I've disabled SELinux entirely, which solves the problem in the usual way.

However, I never modified any of my security settings, so whatever was in
/etc/security was provided by Fedora, not me.  This was a completely clean
Fedora 9 install from scratch onto a new drive.  You should be able to find the
same settings as I have in the original stock RPMs.
Comment 5 Tomas Mraz 2008-05-23 18:28:23 UTC 
Have you upgraded the system recently? Do you have fresh selinux-policy-targeted
installed?

There is a soft limit of maximum 1024 processes per user is it possible that you
could have so many processes running?
Comment 6 Bryan O'Sullivan 2008-05-23 18:34:50 UTC 
I have this: selinux-policy-targeted-3.3.1-51.fc9.noarch

Regarding processes, the machine is mostly idle.  I currently have 59 processes
running, and that's unusually high because I'm logged in at the console.
Comment 7 Tomas Mraz 2008-06-03 15:21:45 UTC 
Can you still reproduce the problem with the latest selinux-policy from
updates-testing?

Unfortunately I was not able to reproduce the problem here.
Comment 8 Tomas Mraz 2008-10-17 08:16:52 UTC 
I cannot reproduce the problem -> no fix.