
Bug#454076: sshd executed in chroot-environment refuses connections if SELinux is disabled by boot option selinux=0



Package: openssh-server
Version: 1:4.6p1-5
Severity: normal

--- Please enter the report below this line. ---

sshd executed in a chroot environment refuses connections if SELinux is
disabled by boot option selinux=0, whereas with sshd executed in a
"regular" environment the same ssh login works flawlessly.

The chroot environment was built "manually" using cdebootstrap and strace;
I tried hard to append all files used by sshd.


$  ssh -l tamino 127.0.0.1
#-------------------------
tamino@127.0.0.1's password:
Read from remote host 127.0.0.1: Connection reset by peer
Connection to 127.0.0.1 closed.


#  /var/log/messages
#-------------------
Dec  2 22:09:08 roland sshd[15879]: Accepted password for tamino from 127.0.0.1 port 3325 ssh2
Dec  2 22:09:08 roland sshd[15881]: (pam_unix) session opened for user tamino by (uid=0)
Dec  2 22:09:08 roland sshd[15881]: fatal: ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed
Dec  2 22:09:08 roland sshd[15881]: (pam_unix) session closed for user tamino
..


#  kernel compiled with SELinux,
#  SELinux disabled by boot option selinux=0,
#  SELinux policy not yet installed
$  zgrep SELINUX /proc/config.gz
#-------------------------------
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y


--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.18.5roland2

Debian Release: 4.0
  500 unstable        gd.tuwien.ac.at 
  500 testing         security.debian.org 
  500 testing         gd.tuwien.ac.at 
  500 oldstable       gd.tuwien.ac.at 
  500 edgy            wine.budgetdedicated.com 
    1 experimental    gd.tuwien.ac.at 

--- Package information. ---
Depends                        (Version) | Installed
========================================-+-======================
libc6                         (>= 2.6-1) | 2.6.1-1
libcomerr2                   (>= 1.33-3) | 1.39+1.40-WIP-2006.11.14+dfsg-1
libkrb53                 (>= 1.6.dfsg.1) | 1.6.dfsg.1-4
libpam0g                       (>= 0.76) | 0.79-4
libselinux1                  (>= 2.0.15) | 2.0.15-2+b1
libssl0.9.8                (>= 0.9.8e-1) | 0.9.8e-5
libwrap0                                 | 7.6.dbs-12
zlib1g             (>= 1:1.2.3.3.dfsg-1) | 1:1.2.3.3.dfsg-5
debconf                      (>= 1.2.0)  | 1.5.11
 OR debconf-2.0                          | 
libpam-runtime              (>= 0.76-14) | 0.79-4
libpam-modules               (>= 0.72-9) | 0.79-4
adduser                         (>= 3.9) | 3.102
dpkg                          (>= 1.9.0) | 1.13.25
openssh-client             (= 1:4.6p1-5) | 1:4.6p1-5
lsb-base                      (>= 3.0-6) | 3.1-23


-- 
Roland Eggner




