Bug 467261 - Cannot ssh to machine - pam_selinux failures
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-10-16 15:47 UTC by Orion Poplawski
Modified: 2008-10-22 21:58 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-10-22 21:58:40 UTC

Description Orion Poplawski 2008-10-16 15:47:25 UTC
Description of problem:

Oct 16 09:38:56 localhost sshd[3086]: Accepted publickey for root from 192.168.0.8 port 47724 ssh2
Oct 16 09:38:56 localhost sshd[3086]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 16 09:38:56 localhost sshd[3086]: pam_selinux(sshd:session): Security context root:staff_r:insmod_t:s0-s0:c0.c1023 is not allowed for root:staff_r:insmod_t:s0-s0:c0.c1023
Oct 16 09:38:56 localhost sshd[3086]: pam_selinux(sshd:session): Unable to get valid context for root
Oct 16 09:38:56 localhost sshd[3086]: error: PAM: pam_open_session(): Authentication failure
Oct 16 09:38:56 localhost sshd[3086]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

Oct 16 09:41:51 localhost sshd[3138]: Accepted publickey for orion from 192.168.0.72 port 49110 ssh2
Oct 16 09:41:51 localhost sshd[3138]: pam_unix(sshd:session): session opened for user orion by (uid=0)
Oct 16 09:41:51 localhost sshd[3138]: pam_selinux(sshd:session): conversation failed
Oct 16 09:41:51 localhost sshd[3138]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Oct 16 09:41:51 localhost sshd[3138]: pam_selinux(sshd:session): Unable to get valid context for orion
Oct 16 09:41:51 localhost sshd[3138]: error: PAM: pam_open_session(): Authentication failure
Oct 16 09:41:52 localhost sshd[3138]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

Version-Release number of selected component (if applicable):
selinux-policy-3.5.12-2.fc10

No AVC messages.

Comment 1 Daniel Walsh 2008-10-16 20:01:21 UTC
What context was ssh running as?

When you login at the console what does id -Z show?

Comment 2 Orion Poplawski 2008-10-16 20:04:44 UTC
sshd is running as "root:staff_r:insmod_t:s0-s0:c0.c1023".

id -Z on VT2 reports the same.

Comment 3 Orion Poplawski 2008-10-16 20:39:48 UTC
I installed selinux-policy-3.5.12-3.fc10.noarch and did a relabel (touch /.autorelabel) and now things are working.  Lots of things did not seem labeled properly.  I'll do another install tomorrow to make sure anaconda is getting things labeled correctly.

sshd is now running as system_u:system_r:sshd_t:s0-s0:c0.c1023

id -Z reports root:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 4 John Poelstra 2008-10-22 21:03:59 UTC
Is this still a problem or should this bug be closed?

Thank you.

Comment 5 Orion Poplawski 2008-10-22 21:58:22 UTC
Seems to be okay on a fresh install.
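
The following Python example is added here and is not part of the original bug report or of any Fedora tooling. It groups sshd log lines like those in the description by PID to pick out sessions that authenticated but then failed in pam_selinux, and it checks a daemon context such as the ones reported in Comments 2 and 3 against the sshd_t domain. The function names and the pid 4001 log line are constructed for illustration.

```python
import re
from collections import defaultdict

# Log lines copied from the bug description (two failing logins), plus one
# constructed line (pid 4001) for a login that logs no pam_selinux error.
SAMPLE_LOG = """\
Oct 16 09:38:56 localhost sshd[3086]: Accepted publickey for root from 192.168.0.8 port 47724 ssh2
Oct 16 09:38:56 localhost sshd[3086]: pam_selinux(sshd:session): Security context root:staff_r:insmod_t:s0-s0:c0.c1023 is not allowed for root:staff_r:insmod_t:s0-s0:c0.c1023
Oct 16 09:38:56 localhost sshd[3086]: pam_selinux(sshd:session): Unable to get valid context for root
Oct 16 09:41:51 localhost sshd[3138]: Accepted publickey for orion from 192.168.0.72 port 49110 ssh2
Oct 16 09:41:51 localhost sshd[3138]: pam_selinux(sshd:session): Unable to get valid context for orion
Oct 16 10:02:10 localhost sshd[4001]: Accepted publickey for orion from 192.168.0.72 port 49200 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"^Accepted \S+ for (\S+) from ")
DENIED = re.compile(r"^pam_selinux\(sshd:session\): Security context (\S+) is not allowed")
NO_CONTEXT = re.compile(r"^pam_selinux\(sshd:session\): Unable to get valid context for (\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":", 3)[2]

def triage(log_text):
    """Find sshd sessions that authenticated but failed in pam_selinux."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        if (a := ACCEPTED.match(msg)):
            s["user"] = a[1]
        elif (d := DENIED.match(msg)):
            s["denied_type"] = selinux_type(d[1])
        elif NO_CONTEXT.match(msg):
            s["no_context"] = True
    return {pid: s for pid, s in sessions.items()
            if "user" in s and s.get("no_context")}

def daemon_mislabelled(context, expected_type="sshd_t"):
    """True when a daemon context (e.g. from ps -Z) is outside the expected domain."""
    return selinux_type(context) != expected_type

if __name__ == "__main__":
    for pid, s in triage(SAMPLE_LOG).items():
        print(pid, s["user"], s.get("denied_type", "no context offered"))
```

A session that appears in the result was accepted by key authentication and rejected only at session setup, which points at policy or labeling rather than credentials.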

