Bug 447943 - Detection of SELinux enforcing mode is broken in sshd
Detection of SELinux enforcing mode is broken in sshd
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
9
All Linux
high Severity high
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-05-22 11:31 EDT by Bryan O'Sullivan
Modified: 2008-10-17 04:16 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-10-17 04:16:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
output of sshd -Dde (3.44 KB, text/plain)
2008-05-22 12:16 EDT, Bryan O'Sullivan
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenSSH Project 1325 None None None Never

  None (edit)
Description Bryan O'Sullivan 2008-05-22 11:31:04 EDT
This is a known-fixed upstream bug that is affecting Fedora 9.  Fedora 8 and
earlier do not seem to be affected.

https://bugzilla.mindrot.org/show_bug.cgi?id=1325

The symptom is that if SELinux is running in permissive mode, it's often not
possible to log in via ssh.
Comment 1 Tomas Mraz 2008-05-22 11:50:20 EDT
It should not affect Fedora 9 because the SELinux support was mostly replaced a
few Fedora releases ago. If you have some problems with SELinux and OpenSSH in
Fedora 9 it is a different problem. Please provide debug logs from the server.
Comment 2 Bryan O'Sullivan 2008-05-22 12:16:44 EDT
Created attachment 306395 [details]
output of sshd -Dde

Here's an example server log.
Comment 3 Tomas Mraz 2008-05-23 13:42:54 EDT
As you can see from the log, the actual failure is in the setresuid call - it
seems that the uid 1000 exceeded the limit of number of processes. Perhaps you
have something wrong in /etc/security/limits.conf or limits.d?

ssh_selinux_getctxbyname: Failed to get default SELinux security context for bos
ssh_selinux_setup_exec_context: SELinux failure. Continuing in permissive mode.

Also it is true that these messages should not be there, perhaps there is
something wrong with your SELinux policy? What prints 'semanage -l login' and
'semanage -l user'?

Comment 4 Bryan O'Sullivan 2008-05-23 13:54:38 EDT
I've disabled SELinux entirely, which solves the problem in the usual way.

However, I never modified any of my security settings, so whatever was in
/etc/security was provided by Fedora, not me.  This was a completely clean
Fedora 9 install from scratch onto a new drive.  You should be able to find the
same settings as I have in the original stock RPMs.
Comment 5 Tomas Mraz 2008-05-23 14:28:23 EDT
Have you upgraded the system recently? Do you have fresh selinux-policy-targeted
installed?

There is a soft limit of maximum 1024 processes per user is it possible that you
could have so many processes running?
Comment 6 Bryan O'Sullivan 2008-05-23 14:34:50 EDT
I have this: selinux-policy-targeted-3.3.1-51.fc9.noarch

Regarding processes, the machine is mostly idle.  I currently have 59 processes
running, and that's unusually high because I'm logged in at the console.
Comment 7 Tomas Mraz 2008-06-03 11:21:45 EDT
Can you still reproduce the problem with the latest selinux-policy from
updates-testing?

Unfortunately I was not able to reproduce the problem here.
Comment 8 Tomas Mraz 2008-10-17 04:16:52 EDT
I cannot reproduce the problem -> no fix.

Note You need to log in before you can comment on or make changes to this bug.