Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Detection of SELinux enforcing mode is broken in sshd|
|Product:||[Fedora] Fedora||Reporter:||Bryan O'Sullivan <bos>|
|Component:||openssh||Assignee:||Tomas Mraz <tmraz>|
|Status:||CLOSED CANTFIX||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2008-10-17 04:16:52 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Bryan O'Sullivan 2008-05-22 11:31:04 EDT
This is a known-fixed upstream bug that is affecting Fedora 9. Fedora 8 and earlier do not seem to be affected. https://bugzilla.mindrot.org/show_bug.cgi?id=1325 The symptom is that if SELinux is running in permissive mode, it's often not possible to log in via ssh.
Comment 1 Tomas Mraz 2008-05-22 11:50:20 EDT
It should not affect Fedora 9 because the SELinux support was mostly replaced a few Fedora releases ago. If you have some problems with SELinux and OpenSSH in Fedora 9 it is a different problem. Please provide debug logs from the server.
Comment 2 Bryan O'Sullivan 2008-05-22 12:16:44 EDT
Created attachment 306395 [details] output of sshd -Dde Here's an example server log.
Comment 3 Tomas Mraz 2008-05-23 13:42:54 EDT
As you can see from the log, the actual failure is in the setresuid call - it seems that the uid 1000 exceeded the limit of number of processes. Perhaps you have something wrong in /etc/security/limits.conf or limits.d? ssh_selinux_getctxbyname: Failed to get default SELinux security context for bos ssh_selinux_setup_exec_context: SELinux failure. Continuing in permissive mode. Also it is true that these messages should not be there, perhaps there is something wrong with your SELinux policy? What prints 'semanage -l login' and 'semanage -l user'?
Comment 4 Bryan O'Sullivan 2008-05-23 13:54:38 EDT
I've disabled SELinux entirely, which solves the problem in the usual way. However, I never modified any of my security settings, so whatever was in /etc/security was provided by Fedora, not me. This was a completely clean Fedora 9 install from scratch onto a new drive. You should be able to find the same settings as I have in the original stock RPMs.
Comment 5 Tomas Mraz 2008-05-23 14:28:23 EDT
Have you upgraded the system recently? Do you have fresh selinux-policy-targeted installed? There is a soft limit of maximum 1024 processes per user is it possible that you could have so many processes running?
Comment 6 Bryan O'Sullivan 2008-05-23 14:34:50 EDT
I have this: selinux-policy-targeted-3.3.1-51.fc9.noarch Regarding processes, the machine is mostly idle. I currently have 59 processes running, and that's unusually high because I'm logged in at the console.
Comment 7 Tomas Mraz 2008-06-03 11:21:45 EDT
Can you still reproduce the problem with the latest selinux-policy from updates-testing? Unfortunately I was not able to reproduce the problem here.
Comment 8 Tomas Mraz 2008-10-17 04:16:52 EDT
I cannot reproduce the problem -> no fix.