Bug 521087
| Summary: | failure of get_default_context_with_level(3) causes several curl tests to be skipped | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Kamil Dudka <kdudka> | ||||||
| Component: | openssh | Assignee: | Jan F. Chadima <jchadima> | ||||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | low | ||||||||
| Version: | 11 | CC: | jchadima, mgrepl, tmraz | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2009-09-04 06:57:17 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
That seems like either problem directly in the curl test but even more probably something wrong with your testing environment. Any idea how to change the testing environment to make the test suite happy? Do you know why get_default_context_with_level() is called by sshd? Which arguments does it expect to not fail? Any chance to get over the failure e.g. by use of chcon/runcon? Created attachment 359710 [details]
curl_sftp_config
To exclude curl test-suite bug, here is a minimal example:
sshd -e -D -f curl_sshd_config \
& sleep 1 \
&& sftp -b curl_sftp_cmds -F curl_sftp_config -S /usr/bin/ssh 127.0.0.1
You cannot run sshd directly this way without not breaking SELinux. You have to run SELinux either in permissive mode or you have run the sshd in the domain system_r:sshd_t. You can try creating runsshd script with: #!/bin/bash /usr/sbin/sshd -e -D -f curl_sshd_config chcon the runsshd script to initrc_exec_t. And run it as runcon -r system_r -t initrc_t ./runsshd It should automatically transition the sshd to sshd_t. Thanks! This works. I only needed to chcon log/sshd.log to initrc_exec_t as well to be writable by the SSH server. I'd suggest to use sshd_var_run_t for the sshd.log as the initrc_exec_t might not be writable by sshd_t in future. |
Created attachment 359693 [details] sshd_config Description of problem: debug1: SELinux support enabled ssh_selinux_getctxbyname: Failed to get default SELinux security context for xdudka00 Error sending audit message. ssh_selinux_setup_exec_context: SELinux failure. Aborting connection. Version-Release number of selected component (if applicable): openssh-server-5.2p1-2.fc11 How reproducible: Always when SELinux is set to enforcing mode. Steps to Reproduce: 1. build F-11 curl 2. cd curl-7.19.6/tests 3. ./runtests.pl 603 Actual results: (gdb) n 258 if (r == 0) { (gdb) 260 r = get_default_context_with_level(sename, lvl, NULL, default_sc); (gdb) n 266 if (r == 0) { (gdb) n 308 if (r != 0) { (gdb) n 309 error("%s: Failed to get default SELinux security " (gdb) print lvl $1 = 0x7f60d2b44a50 "s0-s0:c0.c1023" (gdb) print sename $2 = 0x7f60d2b3ccb0 "unconfined_u" (gdb) print default_sc $3 = (security_context_t *) 0x7fffaba2b808 (gdb) f #0 ssh_selinux_getctxbyname (pwname=0x7f60d2b3d030 "xdudka00", default_sc=0x7fffaba2b808, user_sc=0x7fffaba2b800) at port-linux.c:309 309 error("%s: Failed to get default SELinux security " (gdb) print r $4 = -1 (gdb) print *default_sc $5 = (security_context_t) 0x0 Additional info: I am able to pass over this with the following patch even in the enforcing SELinux mode: --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c @@ -406,7 +406,7 @@ ssh_selinux_setup_exec_context(char *pwname) send_audit_message(r >= 0, default_ctx, user_ctx); } if (r < 0) { - switch (security_getenforce()) { + switch (0/*security_getenforce()*/) { case -1: fatal("%s: security_getenforce() failed", __func__); case 0: