- OpenSSH_5.8p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
- selinux-policy-2.4.6-338.el5
- pam-0.99.6.2-12.el5
SELinux is running in permissive mode:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: disabled
Policy version: 21
Policy from config file: targeted
Whenever I login via ssh, /var/log/secure
complain that:
sshd[4957]: Accepted publickey for quanta from 192.168.3.40 port 55822 ssh2
sshd[4957]: pam_unix(sshd:session): session opened for user quanta by (uid=0)
sshd[4957]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Google point me to this thread on the Fedora forum:
Possibly the easiest way (though longest) is to create the file
/.autorelabel
andreboot
.
but I wonder that is there any other way to get rid of this without rebooting?
The security context of quanta
:
$ id -Z
system_u:system_r:unconfined_t:SystemLow-SystemHigh
The mapping between Linux user and user_u
:
$ sudo /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
root root SystemLow-SystemHigh
SELinux users:
$ sudo /usr/sbin/semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
root user s0 SystemLow-SystemHigh system_r sysadm_r user_r
system_u user s0 SystemLow-SystemHigh system_r
user_u user s0 SystemLow-SystemHigh system_r sysadm_r user_r
The security context that sshd
is running as:
$ ps -eZ | grep sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 9509 ? 00:02:11 sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 18319 ? 00:00:00 sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 18321 ? 00:00:00 sshd
PAM configuration for sshd:
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
#account required pam_access.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
What I already tried and didn't help:
# yum reinstall selinux-policy-targeted
# restorecon -R -v /etc/selinux/
# restorecon -R -v /home/
/var/log/audit/audit.log
:
type=USER_AUTH msg=audit(1362372405.835:28361028): user pid=14332 uid=0 auid=503 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=pubkey_auth rport=50939 acct="quanta" exe="/usr/sbin/sshd" (hostname=?, addr=192.168.3.40, terminal=? res=success)'
UPDATE Mon Mar 4 21:20:49 ICT 2013
Reply to Michael Hampton:
Keep in mind that the reason for the reboot is that changing the
security contexts affects running services, so at a minimum you should
restart the affected services (i.e. restart sshd).
root 10244 1 0 17:18 ? 00:00:00 /usr/sbin/sshd
/var/log/secure
Mar 4 17:18:48 hostname sshd[10308]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
UPDATE Tue Mar 5 21:54:00 ICT 2013
Can you provide the output of
ls -lZ /dev/pts /dev/ptmx
?
# ls -lZ /dev/pts/ /dev/ptmx
crw-rw-rw-. 1 root tty system_u:object_r:ptmx_t 5, 2 Mar 5 21:54 /dev/ptmx
/dev/pts/:
total 0
crw--w----. 1 quanta tty system_u:object_r:devpts_t 136, 0 Mar 5 21:54 0
crw--w----. 1 dieppv tty system_u:object_r:devpts_t 136, 1 Feb 26 17:08 1
crw--w----. 1 dieppv tty system_u:object_r:devpts_t 136, 2 Feb 25 17:53 2
UPDATE Wed Mar 6 10:57:11 ICT 2013
I have compiled the openssh-5.8p1, then copied the configuration files (/etc/ssh/
and /etc/pam.d/sshd
), and started on a different port.
What surprised me is /var/log/secure
doesn't complain when I try to login:
sshd[5061]: Server listening on 192.168.6.142 port 2317.
sshd[5139]: Accepted publickey for quanta from 192.168.3.40 port 54384 ssh2
sshd[5139]: pam_unix(sshd:session): session opened for user quanta by (uid=0)
The security context of the new /usr/local/sbin/sshd
daemon is the same as the old (/usr/sbin/sshd
):
ps -efZ | grep /usr/local/sbin/sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh root 5061 1 0 10:56 ? 00:00:00 /usr/local/sbin/sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh root 7850 3104 0 11:06 pts/3 00:00:00 grep /usr/local/sbin/sshd
Do you have any ideas?
UPDATE Wed Mar 6 15:36:39 ICT 2013
Make sure you compile it with
--with-selinux
, its not done by
default.
OpenSSH has been configured with the following options:
User binaries: /usr/local//bin
System binaries: /usr/local//sbin
Configuration files: /etc/openssh
Askpass program: /usr/local//libexec/ssh-askpass
Manual pages: /usr/local//share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local//bin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: yes
Smartcard support:
S/KEY support: no
TCP Wrappers support: no
MD5 password support: yes
libedit support: no
Solaris process contract support: no
Solaris project support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -std=gnu99
Preprocessor flags:
Linker flags: -fstack-protector-all
Libraries: -lresolv -lcrypto -ldl -lutil -lz -lnsl -lcrypt
+for sshd: -lpam -lselinux
+for ssh: -lselinux
/var/log/secure
when login to port 22 (/usr/sbin/sshd
):
sshd[27339]: Accepted publickey for quanta from 192.168.3.40 port 50560 ssh2
sshd[27339]: pam_unix(sshd:session): session opened for user quanta by (uid=0)
sshd[27339]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
sshd[28025]: Received disconnect from 192.168.3.40: 11: disconnected by user
sshd[28022]: pam_unix(sshd:session): session closed for user quanta
/var/log/secure
when login to port 2317 (/usr/local/sbin/sshd
):
sshd[27705]: Accepted publickey for quanta from 192.168.3.40 port 34175 ssh2
sshd[27705]: pam_unix(sshd:session): session opened for user quanta by (uid=0)
sshd[27707]: Received disconnect from 192.168.3.40: 11: disconnected by user
sshd[27705]: pam_unix(sshd:session): session closed for user quanta
and here're the log to prove that it enters the ssh_selinux_setup_pty
:
sshd[4023]: debug1: SELinux support enabled
sshd[4023]: debug3: ssh_selinux_setup_pty: setting TTY context on /dev/pts/3
sshd[4023]: debug3: ssh_selinux_setup_pty: User context is user_u:system_r:unconfined_t, target tty is
system_u:object_r:devpts_t
sshd[4023]: debug3: ssh_selinux_setup_pty: done
Best Answer
The
/.autorelabel
file just causes the startup scripts to runrestorecon -r -v /
at boot time, and then reboot again. (Actually it runs some invocation offixfiles
that prints lots of dots, but since that's just a frontend torestorecon
I don't care...)You could just run this yourself without rebooting, and that's generally my first step when trying to diagnose a weird SELinux issue. Keep in mind that the reason for the reboot is that changing the security contexts affects running services, so at a minimum you should restart the affected services (i.e. restart sshd).
If this does solve the problem, then somewhere in the output you'll see a changed security context which was the cause and resolution of the issue. Most likely it is not in
/home
or/etc/selinux
.