SELinux blocking connection to sshd on Ubuntu 9.10
- by Barton Chittenden
When I try to log on to my laptop, which runs Ubuntu 9.10, the server rejects my login attempts.
Checking /var/log/auth.log, I see the following:
Feb 14 12:41:16 tiger-laptop sshd[6798]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for tiger
I googled for this, and ran across the following:
http://www.spinics.net/lists/fedora-.../msg13049.html
Here's the part that I think relates to the problem that I'm having:
Quote:
What's wrong on my system?
Why it's not possible to login even if selinux is in permissive mode?
Any suggestions?
I'd start by trying to figure out why sshd isn't running in sshd_t (it
seems to be running in sysadm_t).
Paul.
Yes, sshd is running in sysadm_t:
ps axZ | grep sshd
system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi
ls -Z /usr/sbin/sshd
system_u:object_r:sshd_exec_t /usr/sbin/sshd
Don't know why it's not sshd_t. I didn't modify anything. It's a standard installation of sles11 with the default reference policy from tresys.
Maybe this code snippet from policy/modules/services/ssh.te is responsible for that:
Allow ssh logins as sysadm_r:sysadm_t
gen_tunable(ssh_sysadm_login, true)
Any ideas?
Do you have boolean init_upstart set to on? If not, try setting it to on.
I do not believe ssh_sysadm_login boolean works currently but I may be mistaken.
--
Yeah, setting init_upstart to on did the trick! THANKS A LOT!
Do you know why this prevents the user from logging in through ssh even if
selinux is set to permissive??
Ok, so the million dollar question is "where do I set 'init_upstart=1'"?
It's not clear from context which configuration file needs to be edited, and I'm not at all familiar with SELinux configuration.
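Added example (not part of the original post or the quoted thread): a shell check for the symptom shown in the quote, sshd running in a domain other than sshd_t, followed by the boolean toggle the thread reports. SELinux booleans are runtime policy settings changed with setsebool rather than by editing a configuration file; the example assumes the loaded policy defines init_upstart, and the function names and sample lines are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sample, modelled on the `ps axZ` line in the quoted thread.
SAMPLE_PS='system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd
system_u:system_r:sshd_t 4101 ? Ss 0:00 /usr/sbin/sshd -D
system_u:system_r:getty_t 990 tty1 Ss+ 0:00 /sbin/getty 38400 tty1'

# Read `ps axZ`-style lines on stdin and print "PID TYPE" for every sshd
# process whose SELinux type is not sshd_t. Returns 1 if any were found.
sshd_wrong_domain() {
    awk '
        {
            # Field 1 is user:role:type[:mls]; field 6 is the command path.
            n = split($1, ctx, ":")
            cmd = $6
            sub(/.*\//, "", cmd)      # basename of the executable
            if (cmd == "sshd" && n >= 3 && ctx[3] != "sshd_t") {
                print $2, ctx[3]
                bad = 1
            }
        }
        END { exit (bad + 0) }
    '
}

# Live check plus the boolean toggle discussed in the quoted thread.
# Assumption: the loaded policy defines init_upstart. setsebool -P makes
# the value persistent across reboots and must be run as root.
fix_sshd_domain() {
    if ps axZ | sshd_wrong_domain; then
        echo "sshd is in sshd_t; nothing to do"
        return 0
    fi
    getsebool init_upstart || return 1   # fails if the boolean is unknown
    setsebool -P init_upstart on
}
```

Run `fix_sshd_domain` as root on the affected host; `sshd_wrong_domain` alone only reads its input and changes nothing.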