[ubuntu-hardened] Ubuntu 14.04 - Failed to get default SELinux security context

Riza Kamalie riza.kamalie at voss-solutions.com
Thu Sep 22 07:29:39 UTC 2016 

Hi,

Hoping you guys could help with this.

1) Recently upgraded for 14.04 and took the opportunity to install SElinux.
Everything looks OK but seeing this error on logging in and in the
/var/log/auth.log

2016-09-21T16:06:22.685184+00:00 riz-ctl-alt-del sshd[39155]:
pam_selinux(sshd:session): Open Session
2016-09-21T16:06:22.686932+00:00 riz-ctl-alt-del sshd[39155]:
pam_unix(sshd:session): session opened for user platform by (uid=0)
2016-09-21T16:06:22.820004+00:00 riz-ctl-alt-del sshd[39155]:
pam_selinux(sshd:session): Open Session
*2016-09-21T16:06:22.836667+00:00 riz-ctl-alt-del sshd[39155]:
pam_selinux(sshd:session): Username= platform SELinux User= user_u Level=
s0*
*2016-09-21T16:06:22.836698+00:00 riz-ctl-alt-del sshd[39155]:
pam_selinux(sshd:session): Unable to get valid context for platform*
*2016-09-21T16:06:23.003970+00:00 riz-ctl-alt-del sshd[39163]: error:
ssh_selinux_getctxbyname: Failed to get default SELinux security context
for platform*
*2016-09-21T16:06:23.008386+00:00 riz-ctl-alt-del sshd[39155]: error:
ssh_selinux_getctxbyname: Failed to get default SELinux security context
for platform*
*2016-09-21T16:06:23.009460+00:00 riz-ctl-alt-del sshd[39155]: error:
ssh_selinux_setup_pty: security_compute_relabel: Invalid argument*


2) The sshd looks to have started up under the correct security context
(see below)

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

root at riz-ctl-alt-del:/var/log/platform# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      26

Process contexts:
Current context:                system_u:system_r:sysadm_t:SystemLow
Init context:                   system_u:system_r:init_t:SystemLow
*/usr/sbin/sshd                  system_u:system_r:init_t:SystemLow*

^^^^^^^^^^^^^^^^^

3) I have mapped the platform account (in this case) to user_u. Even when
not doing this and it defaults to unconfined_u it still displays the error
message.

4) The /etc/pam.d/ssh looks to be correct as well. (I've add the
nottys/debug/verbose)

root at riz-ctl-alt-del:/var/log/platform# egrep -r selinux /etc/pam.d/sshd
*session [success=ok ignore=ignore module_unknown=ignore default=bad]
 pam_selinux.so close nottys debug verbose*
*session [success=ok ignore=ignore module_unknown=ignore default=bad]
 pam_selinux.so open env_params nottys verbose debug*

5) Output for login and user

root at riz-ctl-alt-del:/var/log/platform# semanage user -l ; semanage login -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range
 SELinux Roles

root            sysadm     SystemLow  SystemLow-SystemHigh
staff_r sysadm_r system_r
staff_u         staff      SystemLow  SystemLow-SystemHigh
staff_r sysadm_r
sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh
sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh
system_r
unconfined_u    unconfined SystemLow  SystemLow-SystemHigh
system_r unconfined_r
*user_u          user       SystemLow  SystemLow
 user_r*

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         SystemLow-SystemHigh *
*platform             user_u               SystemLow            **
root                 unconfined_u         SystemLow-SystemHigh *
system_u             system_u             SystemLow-SystemHigh *

6) The context in the default policy looks correct

root at riz-ctl-alt-del:/etc/selinux/default/contexts/users# cat user_u
system_r:local_login_t:s0       user_r:user_t:s0
system_r:remote_login_t:s0      user_r:user_t:s0
*system_r:sshd_t:s0              user_r:user_t:s0*
system_r:crond_t:s0             user_r:cronjob_t:s0
system_r:xdm_t:s0               user_r:user_t:s0
user_r:user_su_t:s0             user_r:user_t:s0
user_r:user_sudo_t:s0           user_r:user_t:s0

7) user_xattr is on by default on ext4 so the relabelling should of worked.
I followed the debian wiki with regards to setting up selinux

Any help would be great. Any way to debug this further would also be
helpful.

-- 
Regards
Riza
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20160922/269b8a61/attachment.html>

More information about the ubuntu-hardened mailing list