Bug 467261 - Cannot ssh to machine - pam_selinux failures
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-10-16 11:47 EDT by Orion Poplawski
Modified: 2008-10-22 17:58 EDT
Doc Type: Bug Fix
Last Closed: 2008-10-22 17:58:40 EDT

Description Orion Poplawski 2008-10-16 11:47:25 EDT
Description of problem:

Oct 16 09:38:56 localhost sshd[3086]: Accepted publickey for root from 192.168.0.8 port 47724 ssh2
Oct 16 09:38:56 localhost sshd[3086]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 16 09:38:56 localhost sshd[3086]: pam_selinux(sshd:session): Security context root:staff_r:insmod_t:s0-s0:c0.c1023 is not allowed for root:staff_r:insmod_t:s0-s0:c0.c1023
Oct 16 09:38:56 localhost sshd[3086]: pam_selinux(sshd:session): Unable to get valid context for root
Oct 16 09:38:56 localhost sshd[3086]: error: PAM: pam_open_session(): Authentication failure
Oct 16 09:38:56 localhost sshd[3086]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

Oct 16 09:41:51 localhost sshd[3138]: Accepted publickey for orion from 192.168.0.72 port 49110 ssh2
Oct 16 09:41:51 localhost sshd[3138]: pam_unix(sshd:session): session opened for user orion by (uid=0)
Oct 16 09:41:51 localhost sshd[3138]: pam_selinux(sshd:session): conversation failed
Oct 16 09:41:51 localhost sshd[3138]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Oct 16 09:41:51 localhost sshd[3138]: pam_selinux(sshd:session): Unable to get valid context for orion
Oct 16 09:41:51 localhost sshd[3138]: error: PAM: pam_open_session(): Authentication failure
Oct 16 09:41:52 localhost sshd[3138]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

Version-Release number of selected component (if applicable):
selinux-policy-3.5.12-2.fc10

No AVC messages.
Comment 1 Daniel Walsh 2008-10-16 16:01:21 EDT
What context was ssh running as?

When you log in at the console, what does id -Z show?
Comment 2 Orion Poplawski 2008-10-16 16:04:44 EDT
sshd is running as "root:staff_r:insmod_t:s0-s0:c0.c1023".

id -Z on VT2 reports the same.
Comment 3 Orion Poplawski 2008-10-16 16:39:48 EDT
I installed selinux-policy-3.5.12-3.fc10.noarch and did a relabel (touch /.autorelabel) and now things are working.  Lots of things did not seem labeled properly.  I'll do another install tomorrow to make sure anaconda is getting things labeled correctly.

sshd is now running as system_u:system_r:sshd_t:s0-s0:c0.c1023

id -Z reports root:unconfined_r:unconfined_t:s0-s0:c0.c1023
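
Added example, not part of the original bug thread or of any Fedora tooling: a Python triage helper for the symptom reported here. It flags sshd logins that authenticated and were then refused by pam_selinux, and checks whether a daemon's context carries the expected type. The type sshd_t comes from comment 3; the function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample: three lines quoted in the report plus one made-up clean login.
SAMPLE_LOG = """\
Oct 16 09:38:56 localhost sshd[3086]: Accepted publickey for root from 192.168.0.8 port 47724 ssh2
Oct 16 09:38:56 localhost sshd[3086]: pam_selinux(sshd:session): Unable to get valid context for root
Oct 16 09:38:56 localhost sshd[3086]: error: PAM: pam_open_session(): Authentication failure
Oct 16 09:50:02 localhost sshd[3201]: Accepted publickey for orion from 192.168.0.72 port 49200 ssh2
"""

SSHD_LINE = re.compile(r"sshd\[(\d+)\]: (.*)")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from ")
NO_CONTEXT = "Unable to get valid context for"


def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.strip("\x00 \t\n").split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not an SELinux context: {ctx!r}")
    level = parts[3] if len(parts) == 4 else ""
    return {"user": parts[0], "role": parts[1], "type": parts[2], "level": level}


def daemon_mislabeled(ctx, expected_type="sshd_t"):
    """True when a daemon runs outside its expected domain, as in comment 2.

    ctx is the string reported by `ps -eZ` or /proc/<pid>/attr/current.
    """
    return parse_context(ctx)["type"] != expected_type


def failed_context_sessions(log_text):
    """Map sshd PID -> user for logins accepted and then refused by pam_selinux."""
    accepted, failed = {}, {}
    for line in log_text.splitlines():
        m = SSHD_LINE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        hit = ACCEPTED.match(msg)
        if hit:
            accepted[pid] = hit.group(1)
        elif msg.startswith("pam_selinux") and NO_CONTEXT in msg and pid in accepted:
            failed[pid] = accepted[pid]
    return failed


if __name__ == "__main__":
    print(failed_context_sessions(SAMPLE_LOG))
    print(daemon_mislabeled("root:staff_r:insmod_t:s0-s0:c0.c1023"))
```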
Comment 4 John Poelstra 2008-10-22 17:03:59 EDT
Is this still a problem or should this bug be closed?

Thank you.
Comment 5 Orion Poplawski 2008-10-22 17:58:22 EDT
Seems to be okay on a fresh install.
