From: Dominick Grift <domg472@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: sshd error: Failed to get default security context
Date: Sun, 18 Oct 2009 12:33:45 +0200 [thread overview]
Message-ID: <20091018103341.GA8253@notebook1.grift.internal> (raw)
In-Reply-To: <4AD9AD06.9030309@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 2292 bytes --]
On Sat, Oct 17, 2009 at 07:39:50AM -0400, Daniel J Walsh wrote:
> On 10/16/2009 08:15 PM, Larry Ross wrote:
> > I have created a custom selinux user for the strict policy on RHEL5.3 who's
> > purpose is to connect via ssh and scp files off the machine. When that user
> > tries to login via ssh, I see the following messages in /var/log/secure:
> >
> > In enforcing:
> > Oct 16 07:49:40 localhost sshd[20461]: Accepted password for scpuser
> > from 192.168.1.1 port 64680 ssh2
> > Oct 16 07:49:40 localhost sshd[20461]: error: Failed to get default security
> > context for scpuser.
> > Oct 16 07:49:40 localhost sshd[20461]: fatal: SELinux failure. Aborting
> > connection.
> >
> > In permissive:
> > Oct 16 07:55:59 localhost sshd[23302]: Accepted password for scpuser from
> > 192.168.1.1 port 56254 ssh2
> > Oct 16 07:55:59 localhost sshd[23302]: error: Failed to get default security
> > context for scpuser.
> > Oct 16 07:55:59 localhost sshd[23302]: error: SELinux failure. Continuing in
> > permissive mode.
> >
> > Could someone explain what these messages mean?
I am not sure about el5 but in Fedora:
the files in /etc/selinux/<policy model>/contexts/targeted have specifications that tell the login programs what context to use for the specified seuser when he logs in.
I wrote an article about adding customized user domains for Fedora:
http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-four-customized.html
And some screencasts:
http://selinux-mac.blogspot.com/2009/06/selinux-screencasts.html
> >
> > I believe that I have a default context defined in the "default context"
> > file that should work. I believe I have an executable context available for
> > this user (using rbash rather than bash).
> >
> > How is sshd making this decision? It looks like it is calling setexeccon,
> > but I'm not sure how that makes its decision. Where should I look for clues
> > as to how to fix it?
> >
> > Thank you,
> > Larry
> >
> Did you add an entry to default_types?
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]
next prev parent reply other threads:[~2009-10-18 10:33 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-17 0:15 sshd error: Failed to get default security context Larry Ross
2009-10-17 11:39 ` Daniel J Walsh
2009-10-17 18:17 ` Larry Ross
2009-10-19 13:53 ` Stephen Smalley
2009-10-19 16:49 ` Larry Ross
2009-10-19 17:13 ` Stephen Smalley
2009-10-20 1:43 ` Larry Ross
2009-10-20 11:18 ` Stephen Smalley
2009-10-27 1:16 ` Where do I get a good Policy Base ? Hasan Rezaul-CHR010
2009-10-27 8:49 ` Dominick Grift
2009-10-27 12:45 ` Christopher J. PeBenito
2009-11-10 0:01 ` Hasan Rezaul-CHR010
2009-12-10 2:18 ` How to use sepolgen VS. policygentool Hasan Rezaul-CHR010
2009-12-10 2:50 ` Hasan Rezaul-CHR010
2009-12-10 16:02 ` Stephen Smalley
2009-12-10 17:11 ` Guido Trentalancia
2009-12-10 19:11 ` Daniel J Walsh
2009-12-10 15:54 ` Stephen Smalley
2009-12-10 19:38 ` Daniel J Walsh
2009-12-15 17:43 ` Policy writing philosophy Hasan Rezaul-CHR010
2009-12-15 20:14 ` Dominick Grift
2009-12-15 20:40 ` Bandan Das
2009-12-16 14:58 ` Stephen Smalley
2009-12-16 15:30 ` Hasan Rezaul-CHR010
2009-12-16 15:47 ` Stephen Smalley
2009-12-16 15:48 ` Hasan Rezaul-CHR010
2009-12-10 19:04 ` How to use sepolgen VS. policygentool Daniel J Walsh
2009-11-11 19:37 ` Where do I get a good Policy Base ? Hasan Rezaul-CHR010
2009-11-11 22:02 ` Daniel J Walsh
2009-11-11 23:25 ` Hasan Rezaul-CHR010
2009-11-12 13:06 ` Daniel J Walsh
2009-10-18 10:33 ` Dominick Grift [this message]
2009-10-18 18:58 ` sshd error: Failed to get default security context Larry Ross
2009-10-19 14:02 ` Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091018103341.GA8253@notebook1.grift.internal \
--to=domg472@gmail.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.