Bug 447943 - Detection of SELinux enforcing mode is broken in sshd
Summary: Detection of SELinux enforcing mode is broken in sshd
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 9
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-05-22 15:31 UTC by Bryan O'Sullivan
Modified: 2008-10-17 08:16 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-10-17 08:16:52 UTC
Type: ---
Embargoed:


Attachments
output of sshd -Dde (3.44 KB, text/plain), 2008-05-22 16:16 UTC, Bryan O'Sullivan


Links
OpenSSH Project bug 1325

Description Bryan O'Sullivan 2008-05-22 15:31:04 UTC
This is a known-fixed upstream bug that is affecting Fedora 9.  Fedora 8 and
earlier do not seem to be affected.

https://bugzilla.mindrot.org/show_bug.cgi?id=1325

The symptom is that if SELinux is running in permissive mode, it's often not
possible to log in via ssh.

Comment 1 Tomas Mraz 2008-05-22 15:50:20 UTC
It should not affect Fedora 9 because the SELinux support was mostly replaced a
few Fedora releases ago. If you have some problems with SELinux and OpenSSH in
Fedora 9 it is a different problem. Please provide debug logs from the server.


Comment 2 Bryan O'Sullivan 2008-05-22 16:16:44 UTC
Created attachment 306395 [details]
output of sshd -Dde

Here's an example server log.

Comment 3 Tomas Mraz 2008-05-23 17:42:54 UTC
As you can see from the log, the actual failure is in the setresuid call - it
seems that uid 1000 exceeded the limit on the number of processes. Perhaps you
have something wrong in /etc/security/limits.conf or limits.d?

ssh_selinux_getctxbyname: Failed to get default SELinux security context for bos
ssh_selinux_setup_exec_context: SELinux failure. Continuing in permissive mode.

Also, it is true that these messages should not be there; perhaps there is
something wrong with your SELinux policy? What do 'semanage -l login' and
'semanage -l user' print?



Comment 4 Bryan O'Sullivan 2008-05-23 17:54:38 UTC
I've disabled SELinux entirely, which solves the problem in the usual way.

However, I never modified any of my security settings, so whatever was in
/etc/security was provided by Fedora, not me.  This was a completely clean
Fedora 9 install from scratch onto a new drive.  You should be able to find the
same settings as I have in the original stock RPMs.

Comment 5 Tomas Mraz 2008-05-23 18:28:23 UTC
Have you upgraded the system recently? Do you have fresh selinux-policy-targeted
installed?

There is a soft limit of a maximum of 1024 processes per user; is it possible
that you could have so many processes running?
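
A diagnostic for the process-limit explanation in comments 3 and 5, added here as an example and not part of the bug report or of openssh: it resolves the soft nproc limit that pam_limits would apply from limits.conf-style lines, counts the user's live processes from /proc, and reports whether a setresuid() into that uid would be refused with EAGAIN. The limits text is a constructed sample (the 1024 default matches the figure given in the thread), and the Linux kernel's "at or above the limit" check is assumed.

```python
import grp
import os
import pwd

# Constructed limits.conf-style sample (not a Fedora file); 1024 matches the thread's stated soft limit.
SAMPLE_LIMITS = """*       soft  nproc  1024
@wheel  soft  nproc  4096
bos     soft  nproc  64"""

def parse_limits(text):
    """Yield (domain, type, item, value) from limits.conf-style text."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 4:
            yield parts[0], parts[1].lower(), parts[2].lower(), parts[3].lower()

def effective_nproc(entries, user, groups):
    """Soft nproc limit with pam_limits precedence (user > @group > '*';
    later line wins at equal precedence). None means no/unlimited limit."""
    best, best_rank = None, -1
    for domain, kind, item, value in entries:
        if item != "nproc" or kind not in ("soft", "-"):
            continue
        rank = (2 if domain == user else
                1 if domain.startswith("@") and domain[1:] in groups else
                0 if domain == "*" else -1)
        if rank >= max(best_rank, 0):
            best, best_rank = value, rank
    return None if best in (None, "unlimited", "-1") else int(best)

def count_user_processes(uid):
    """Processes owned by uid via /proc; threads are not counted, so this is
    a lower bound on what the kernel charges against RLIMIT_NPROC."""
    n = 0
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/status") as f:
                n += any(l.startswith("Uid:") and int(l.split()[1]) == uid for l in f)
        except OSError:  # process exited or status unreadable
            pass
    return n

def would_block_setresuid(running, limit):
    # Kernel refuses the uid switch with EAGAIN once count >= RLIMIT_NPROC
    # (2.6-era kernels fail setresuid() itself; 3.1+ defer the failure to execve()).
    return limit is not None and running >= limit

if __name__ == "__main__":  # live check for the invoking user
    me = pwd.getpwuid(os.getuid())
    grps = [g.gr_name for g in grp.getgrall() if me.pw_name in g.gr_mem]
    lim = effective_nproc(parse_limits(SAMPLE_LIMITS), me.pw_name, grps)
    run = count_user_processes(me.pw_uid)
    print(f"{me.pw_name}: {run} processes, soft nproc {lim}, blocked: {would_block_setresuid(run, lim)}")
```

Point SAMPLE_LIMITS at the real contents of /etc/security/limits.conf and limits.d to check a specific host.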


Comment 6 Bryan O'Sullivan 2008-05-23 18:34:50 UTC
I have this: selinux-policy-targeted-3.3.1-51.fc9.noarch

Regarding processes, the machine is mostly idle.  I currently have 59 processes
running, and that's unusually high because I'm logged in at the console.

Comment 7 Tomas Mraz 2008-06-03 15:21:45 UTC
Can you still reproduce the problem with the latest selinux-policy from
updates-testing?

Unfortunately I was not able to reproduce the problem here.


Comment 8 Tomas Mraz 2008-10-17 08:16:52 UTC
I cannot reproduce the problem -> no fix.

