Created attachment 541378
Updated ssh.fc with gsi-openssh files added

Description of problem:
gsi-openssh was recently added to Fedora 15, 16 and rawhide and EPEL 5 and 6. The files should have the same tags as the corresponding files in the non-gsi openssh package.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-49.fc15
selinux-policy-3.10.0-64.fc16
selinux-policy-3.10.0-64.fc17
selinux-policy-2.4.6-316.el5
selinux-policy-3.7.19-93.el6_1.7

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:
Due to untagged gsisshd connections are killed with:
pam_selinux(gsisshd:session): Security context user_u:user_r:policykit_grant_t:s0 is not allowed for user_u:user_r:policykit_grant_t:s0

Expected results:
Accepted connection

Additional info:
The attachment contains an updated version of the ssh.fc based on the version in Fedora 16 with the patch in the srpm applied.

How did you start the gsisshd service? You need to use the unit file (service script for older distros).

# ps -eZ |grep ssh

Sorry for the delay in answering. Here is an example of what is going on.

On the server (CentOS 6 with CR repo and EPEL):

[root@globus ~]# restorecon /usr/sbin/gsisshd
[root@globus ~]# ls -Z /usr/sbin/gsisshd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/gsisshd
[root@globus ~]# service gsisshd restart
Stopping gsisshd: [ OK ]
Starting gsisshd: [ OK ]

On the client (Fedora 16):

[ellert@localhost ~]$ gsissh -p 2222 globus.grid.tsl.uu.se
Unable to get valid context for ellert
Last login: Fri Dec 23 05:31:48 2011 from c-36b0e455.0-0064-74657210.cust.bredbandsbolaget.se
Connection to globus.grid.tsl.uu.se closed.

On the server again:

[root@globus ~]# chcon -t sshd_exec_t /usr/sbin/gsisshd
[root@globus ~]# ls -Z /usr/sbin/gsisshd
-rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/gsisshd
[root@globus ~]# service gsisshd restart
Stopping gsisshd: [ OK ]
Starting gsisshd: [ OK ]

On the client again:

[ellert@localhost ~]$ gsissh -p 2222 globus.grid.tsl.uu.se
Last login: Fri Dec 23 05:32:01 2011 from c-36b0e455.0-0064-74657210.cust.bredbandsbolaget.se
[ellert@globus ~]$

So login fails when the selinux type is wrong, but works when it is right. At least for this combination of client (Fedora 16) and server (CentOS 6).

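The label check from the comment above, as an added example that is not part of the original thread: it parses `ls -Z` output and reports whether the file carries the expected type. The function names `selinux_type` and `check_label` are assumptions of this example, and the two sample lines are copied from the `ls -Z` output in the comment.

```shell
#!/bin/sh
# Added example, not part of the bug report: check the SELinux type shown by `ls -Z`.

# Print the SELinux type from one line of `ls -Z` output. File contexts always
# carry the role object_r, so the first user:object_r:type[:level] token is used;
# this covers both the older "mode owner group context path" layout seen in the
# report and the newer "context path" layout.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, c, ":")
            if (n >= 3 && c[2] == "object_r") { print c[3]; exit }
        }
    }'
}

# check_label EXPECTED_TYPE LS_Z_LINE
# Returns 0 when the type matches, 1 on mismatch, 2 when the line carries no
# context at all (for example `ls -Z` printing "?" on a host without SELinux).
check_label() {
    actual=$(selinux_type "$2")
    [ -n "$actual" ] || return 2
    [ "$actual" = "$1" ]
}

# Sample input: the two `ls -Z` lines shown in the comment above.
before='-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/gsisshd'
after='-rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/gsisshd'

for line in "$before" "$after"; do
    if check_label sshd_exec_t "$line"; then
        echo "OK        $(selinux_type "$line")"
    else
        echo "MISMATCH  $(selinux_type "$line") (expected sshd_exec_t)"
    fi
done

# On a live host: check_label sshd_exec_t "$(ls -Z /usr/sbin/gsisshd)"
# chcon does not survive a relabel (restorecon put bin_t back in the report).
# Until the policy update is installed, a local rule keeps the label:
#   semanage fcontext -a -t sshd_exec_t /usr/sbin/gsisshd
#   restorecon -v /usr/sbin/gsisshd
```
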
Added to F18.

commit 839461f382f58f1ab83ca45b5e2e0543f82d864d
Author: Miroslav Grepl <mgrepl>
Date: Sat Dec 15 20:04:28 2012 +0100

    Label /usr/sbin/gsisshd as sshd_exec_t

selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.