Description of problem:
Attempting to create an unprivileged user who can ssh out apparently happens without incident, but on attempting to log into the user via ssh, the message "Unable to get valid context for username" is displayed, and the user is immediately logged out.

Version-Release number of selected component (if applicable):
3.3.1.r69.fc9

How reproducible:
Has occurred on at least two systems, and on my local system with both the simple example shown here and a more complex one generated with the polgengui.

Steps to Reproduce:
1. create the te file in the attachment
2. make -f /usr/share/selinux/devel/Makefile
3. semodule -i sshout.pp
4. /usr/sbin/semanage user -a -L s0 -r s0-s0 -R sshout_r -P user sshout_u
5. /usr/sbin/useradd -Z sshout_u test
6. ssh test@localhost

Actual results:
ssh displays the message:

Unable to get valid context for test
Last login: Mon Jun 30 15:32:10 2008 from localhost.localdomain
Connection to localhost closed.

and /var/log/secure shows:

Jun 30 15:32:10 hostname sshd[2915]: Accepted password for test from 127.0.0.1 port 50065 ssh2
Jun 30 15:32:10 hostname sshd[2915]: pam_unix(sshd:session): session opened for user sanjay by (uid=0)
Jun 30 15:32:10 hostname sshd[2915]: pam_selinux(sshd:session): Security context sshout_u:sshout_r:oddjob_mkhomedir_t:s0 is not allowed for sshout_u:sshout_r:oddjob_mkhomedir_t:s0
Jun 30 15:32:10 hostname sshd[2915]: pam_selinux(sshd:session): Unable to get valid context for test
Jun 30 15:32:10 hostname sshd[2915]: error: PAM: pam_open_session(): Authentication failure
Jun 30 15:32:10 hostname sshd[2915]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

Expected results:
The user could be logged into remotely, and would then function as an under-privileged account which could ssh out.
Created attachment 310592: example policy file to reproduce bug (written by domg472)
The problem is that you do not have

optional_policy(`
	oddjob_run_mkhomedir(sshout_t, sshout_r, { sshout_devpts_t sshout_tty_device_t })
')

which allows the mkhomedir program to be run at login by the user. It is expected that the homedir was pre-created for the least priv user. You can argue that this should be allowed ...
No, never mind, this is wrong. The problem I believe is you do not have a file /etc/selinux/targeted/contexts/users/sshout_u

You can base it off of /etc/selinux/targeted/contexts/users/guest_u
Yes, that did indeed fix the problem. Thank you!
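As an added example (not from the bug report, the attached policy or the Fedora policy itself), the script below automates the fix suggested in the preceding comment: it derives the contexts/users file for a new confined SELinux user from the existing guest_u file by rewriting guest_r/guest_t to the new user's role and type, refuses to overwrite an existing file, and checks that the sshd_t line maps to the new role and type, which is the lookup pam_selinux performs at ssh login. The directory tree and the guest_u contents are constructed stand-ins for /etc/selinux/targeted (the real file has more source-context lines), and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the bug report. Provisions the per-user
# contexts file for a new confined SELinux user by copying a template user.

# make_user_contexts BASE TEMPLATE_USER NEW_USER
#   BASE          : policy root, e.g. /etc/selinux/targeted (demo dir here)
#   TEMPLATE_USER : existing SELinux user to copy, e.g. guest_u
#   NEW_USER      : SELinux user being created, e.g. sshout_u
# Role and type names are derived from the user name (guest_u -> guest_r, guest_t),
# matching the naming convention used by the sshout policy in this report.
make_user_contexts() {
    base=$1; tmpl=$2; new=$3
    src="$base/contexts/users/$tmpl"
    dst="$base/contexts/users/$new"
    tprefix=${tmpl%_u}
    nprefix=${new%_u}
    [ -f "$src" ] || { echo "template $src missing" >&2; return 1; }
    [ -e "$dst" ] && { echo "$dst already exists, refusing to overwrite" >&2; return 1; }
    # Each line is: <current process context>  <candidate login contexts...>
    # Rewrite every <tmpl>_r:<tmpl>_t pair to <new>_r:<new>_t, in both columns.
    sed -e "s/${tprefix}_r:/${nprefix}_r:/g" \
        -e "s/${tprefix}_t:/${nprefix}_t:/g" "$src" > "$dst" && chmod 0644 "$dst"
}

# check_user_contexts BASE USER
# Returns 0 when the file exists and the sshd_t entry maps to USER's own
# role and type; a missing file or missing sshd_t mapping is exactly the
# condition that produces "Unable to get valid context" at ssh login.
check_user_contexts() {
    f="$1/contexts/users/$2"
    [ -f "$f" ] || return 1
    grep -q "^system_r:sshd_t:s0[[:space:]][[:space:]]*${2%_u}_r:${2%_u}_t:s0" "$f"
}

# --- constructed demo tree standing in for /etc/selinux/targeted ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/contexts/users"
# Constructed approximation of contexts/users/guest_u (abridged).
cat > "$DEMO/contexts/users/guest_u" <<'EOF'
system_r:crond_t:s0          guest_r:guest_t:s0
system_r:local_login_t:s0    guest_r:guest_t:s0
system_r:remote_login_t:s0   guest_r:guest_t:s0
system_r:sshd_t:s0           guest_r:guest_t:s0
guest_r:guest_t:s0           guest_r:guest_t:s0
EOF

make_user_contexts "$DEMO" guest_u sshout_u
echo "generated $DEMO/contexts/users/sshout_u:"
cat "$DEMO/contexts/users/sshout_u"
```

On a real system the base directory is /etc/selinux/targeted, and the step belongs between `semanage user -a ... sshout_u` and `useradd -Z sshout_u`; the check function is a useful pre-login sanity test whenever a new confined user is defined, since neither semodule nor semanage creates this file for you.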