I'm trying to ssh into my Ubuntu box, but the connection is getting denied. When I look at /var/log/auth.log, I see the following:
Code:
Feb 14 12:41:16 tiger-laptop sshd[6798]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for tiger
I googled for this, and ran across the following:
http://www.spinics.net/lists/fedora-.../msg13049.html
Here's the part that I think relates to the problem that I'm having:
Quote:
>> >> What's wrong on my system?
>> >> Why it's not possible to login even if selinux is in permissive mode?
>> >> Any suggestions?
>> >
>> > I'd start by trying to figure out why sshd isn't running in sshd_t (it
>> > seems to be running in sysadm_t).
>> >
>> > Paul.
>> > --
>> > selinux mailing list
>> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> > https://admin.fedoraproject.org/mail...stinfo/selinux
>> >
>>
>> Yes, sshd is running in sysadm_t:
>>
>> # ps axZ | grep sshd
>> system_u:system_r:sysadm_t 3632 ? Ss 0:00
>> /usr/sbin/sshd
>> -o PidFile=/var/run/sshd.init.pi
>>
>> # ls -Z /usr/sbin/sshd
>> system_u bject_r:sshd_exec_t /usr/sbin/sshd
>>
>> Don't know why it's not sshd_t. I didn't modified something. It's a
>> standard installation of sles11 with the default reference policy from
>> tresys.
>>
>> Maybe this code snippet from policy/modules/services/ssh.te is
>> responsible
>> for that:
>> ## <desc>
>> ## <p>
>> ## Allow ssh logins as sysadm_r:sysadm_t
>> ## </p>
>> ## </desc>
>> gen_tunable(ssh_sysadm_login, true)
>>
>> Any ideas?
>
> Do you have boolean init_upstart set to on? if not try setting it to on.
> I do not believe ssh_sysadm_login boolean works currently but i may be
> mistaken.
>>
>> --
Yeah, setting init_upstart to on did the trick! THANK A LOT!
Do you know why this prevents the user from logging in through ssh even if
selinux is set to permissive??
|
Ok, so the million dollar question is 'where do I set 'init_upstart=1'
It's not clear from context which configuration file needs to be edited, and I'm not at all familiar with SELinux configuration.
