[ubuntu-hardened] Ubuntu 14.04 - Failed to get default SELinux security context
Riza Kamalie
riza.kamalie at voss-solutions.com
Thu Sep 22 07:29:39 UTC 2016
Hi,
Hoping you guys could help with this.
1) Recently upgraded to 14.04 and took the opportunity to install SELinux.
Everything looks OK, but I'm seeing this error on logging in and in
/var/log/auth.log:
2016-09-21T16:06:22.685184+00:00 riz-ctl-alt-del sshd[39155]: pam_selinux(sshd:session): Open Session
2016-09-21T16:06:22.686932+00:00 riz-ctl-alt-del sshd[39155]: pam_unix(sshd:session): session opened for user platform by (uid=0)
2016-09-21T16:06:22.820004+00:00 riz-ctl-alt-del sshd[39155]: pam_selinux(sshd:session): Open Session
2016-09-21T16:06:22.836667+00:00 riz-ctl-alt-del sshd[39155]: pam_selinux(sshd:session): Username= platform SELinux User= user_u Level= s0
2016-09-21T16:06:22.836698+00:00 riz-ctl-alt-del sshd[39155]: pam_selinux(sshd:session): Unable to get valid context for platform
2016-09-21T16:06:23.003970+00:00 riz-ctl-alt-del sshd[39163]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for platform
2016-09-21T16:06:23.008386+00:00 riz-ctl-alt-del sshd[39155]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for platform
2016-09-21T16:06:23.009460+00:00 riz-ctl-alt-del sshd[39155]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
2) The sshd looks to have started up under the correct security context
(see below)
root at riz-ctl-alt-del:/var/log/platform# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      26
Process contexts:
Current context:                system_u:system_r:sysadm_t:SystemLow
Init context:                   system_u:system_r:init_t:SystemLow
/usr/sbin/sshd                  system_u:system_r:init_t:SystemLow
3) I have mapped the platform account (in this case) to user_u. Even when
not doing this and it defaults to unconfined_u it still displays the error
message.
4) The /etc/pam.d/ssh looks to be correct as well. (I've added
nottys/debug/verbose.)
root at riz-ctl-alt-del:/var/log/platform# egrep -r selinux /etc/pam.d/sshd
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close nottys debug verbose
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open env_params nottys verbose debug
5) Output for login and user
root at riz-ctl-alt-del:/var/log/platform# semanage user -l ; semanage login -l

                Labeling    MLS/        MLS/
SELinux User    Prefix      MCS Level   MCS Range               SELinux Roles

root            sysadm      SystemLow   SystemLow-SystemHigh    staff_r sysadm_r system_r
staff_u         staff       SystemLow   SystemLow-SystemHigh    staff_r sysadm_r
sysadm_u        sysadm      SystemLow   SystemLow-SystemHigh    sysadm_r
system_u        user        SystemLow   SystemLow-SystemHigh    system_r
unconfined_u    unconfined  SystemLow   SystemLow-SystemHigh    system_r unconfined_r
user_u          user        SystemLow   SystemLow               user_r

Login Name      SELinux User    MLS/MCS Range           Service

__default__     unconfined_u    SystemLow-SystemHigh    *
platform        user_u          SystemLow               *
root            unconfined_u    SystemLow-SystemHigh    *
system_u        system_u        SystemLow-SystemHigh    *
6) The context in the default policy looks correct
root at riz-ctl-alt-del:/etc/selinux/default/contexts/users# cat user_u
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:crond_t:s0 user_r:cronjob_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
7) user_xattr is on by default on ext4, so the relabelling should have worked.
I followed the Debian wiki with regards to setting up SELinux.
Any help would be great. Any way to debug this further would also be
helpful.
--
Regards
Riza
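To make the failing step in the log concrete, here is an added Python model of the default-context lookup that pam_selinux and ssh_selinux_getctxbyname perform through libselinux (example code written for this page, not from the post, Ubuntu or libselinux). It is fed the user_u contexts file and the role table quoted in the post; the names default_context, USER_U_CONTEXTS and USER_ROLES are the example's own.

```python
"""Model of libselinux's default-context lookup for a login session.

/etc/selinux/<policy>/contexts/users/<seuser> and the policy-wide
default_contexts hold lines of the form
    <caller role:type[:level]>  <candidate role:type[:level]> ...
Only the line whose role and type equal those of the *calling* daemon
(sshd, crond, login ...) is used; the first candidate whose role the
SELinux user may hold is returned, stamped with the login level. No
matching line means no context ("Unable to get valid context"). The
kernel validity check (security_compute_user) is omitted here.
"""

# Constructed input: the user_u contexts file quoted in the post.
USER_U_CONTEXTS = """\
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:crond_t:s0 user_r:cronjob_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
"""
# Constructed input: roles per SELinux user, from the post's 'semanage user -l'.
USER_ROLES = {"user_u": {"user_r"}, "unconfined_u": {"system_r", "unconfined_r"}}


def default_context(seuser, level, caller_context, *contexts_files):
    """Return the session context 'seuser:role:type:level', or None when no
    line in any of the files matches the caller's role and type."""
    caller_role, caller_type = caller_context.split(":", 3)[1:3]
    for contexts in contexts_files:  # per-user file first, then default_contexts
        for line in contexts.splitlines():
            fields = line.split()
            if not fields or fields[0].startswith("#"):
                continue
            if tuple(fields[0].split(":", 2)[:2]) != (caller_role, caller_type):
                continue
            for cand in fields[1:]:
                role, typ = cand.split(":", 2)[:2]
                if role in USER_ROLES.get(seuser, ()):
                    return f"{seuser}:{role}:{typ}:{level}"
    return None


if __name__ == "__main__":
    for caller in ("system_u:system_r:sshd_t:SystemLow",   # sshd in its own domain
                   "system_u:system_r:init_t:SystemLow"):  # sshd as sestatus shows it
        print(caller, "->", default_context("user_u", "s0", caller, USER_U_CONTEXTS))
```

Feeding in the process context that sestatus reports for sshd shows whether any line of the user's contexts file can match it at all, which is the question the "Unable to get valid context" message leaves open.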