LinuxQuestions.org


bartonski 02-14-2011 12:49 PM

Trouble connecting to sshd on Ubuntu 9.10. Logs point to SELinux problem...
 
I'm trying to ssh into my Ubuntu box, but the connection is getting denied. When I look at /var/log/auth.log, I see the following:

Code:

Feb 14 12:41:16 tiger-laptop sshd[6798]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for tiger

I googled for this, and ran across the following:

http://www.spinics.net/lists/fedora-.../msg13049.html

Here's the part that I think relates to the problem that I'm having:

Quote:

>> >> What's wrong on my system?
>> >> Why it's not possible to login even if selinux is in permissive mode?
>> >> Any suggestions?
>> >
>> > I'd start by trying to figure out why sshd isn't running in sshd_t (it
>> > seems to be running in sysadm_t).
>> >
>> > Paul.
>> >
>>
>> Yes, sshd is running in sysadm_t:
>>
>> # ps axZ | grep sshd
>> system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi
>>
>> # ls -Z /usr/sbin/sshd
>> system_u:object_r:sshd_exec_t /usr/sbin/sshd
>>
>> Don't know why it's not sshd_t. I didn't modify anything. It's a
>> standard installation of sles11 with the default reference policy from
>> tresys.
>>
>> Maybe this code snippet from policy/modules/services/ssh.te is
>> responsible
>> for that:
>> ## <desc>
>> ## <p>
>> ## Allow ssh logins as sysadm_r:sysadm_t
>> ## </p>
>> ## </desc>
>> gen_tunable(ssh_sysadm_login, true)
>>
>> Any ideas?
>
> Do you have boolean init_upstart set to on? if not try setting it to on.
> I do not believe ssh_sysadm_login boolean works currently but i may be
> mistaken.
>>
>> --
Yeah, setting init_upstart to on did the trick! THANKS A LOT!
Do you know why this prevents the user from logging in through ssh even if
selinux is set to permissive??

Ok, so the million dollar question is: where do I set 'init_upstart=1'?

It's not clear from context which configuration file needs to be edited, and I'm not at all familiar with SELinux configuration.

corp769 02-14-2011 04:22 PM

You would just need to run the following:

Code:

setsebool -P init_upstart=1
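
The two checks this thread relies on (the domain `ps axZ` shows for sshd, and the state of the `init_upstart` boolean) can be scripted; the following is an added example, not part of any poster's message. The sample `ps` lines are constructed, and the function names `sshd_wrong_domain` and `sebool_on` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample in the `ps axZ` layout: LABEL PID TTY STAT TIME COMMAND
SAMPLE_PS='system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd -D
system_u:system_r:sshd_t:s0-s0:c0.c1023 4101 ? Ss 0:00 sshd: tiger [priv]
system_u:system_r:init_t 1 ? Ss 0:01 /sbin/init
user_u:user_r:user_t 4200 pts/0 S+ 0:00 grep sshd'

# Read `ps axZ` output on stdin; print "PID TYPE" for each sshd process whose
# SELinux type is not sshd_t. Exit status is 1 if any such process was found.
sshd_wrong_domain() {
    awk '
        # Match the daemon (path ending in /sshd) or a session process (sshd:).
        $6 == "sshd" || $6 == "sshd:" || $6 ~ /\/sshd$/ {
            split($1, ctx, ":")           # context is user:role:type[:level]
            if (ctx[3] != "sshd_t") { print $2, ctx[3]; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Read `getsebool NAME` output ("NAME --> on|off") on stdin; succeed only if on.
sebool_on() {
    awk -v name="$1" '$1 == name && $2 == "-->" && $3 == "on" { ok = 1 }
                      END { exit !ok }'
}

# Demo on the constructed sample. On a real host:
#   ps axZ | sshd_wrong_domain
#   getsebool init_upstart | sebool_on init_upstart
if ! printf '%s\n' "$SAMPLE_PS" | sshd_wrong_domain; then
    echo "sshd found outside sshd_t (PID and type listed above)"
fi
```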

bartonski 02-14-2011 09:57 PM

worked like a charm...
 
Thanks.

corp769 02-15-2011 12:21 AM

No problem!


All times are GMT -5.