Bug#454076: sshd executed in chroot-environment refuses connections if SELinux is disabled by boot option selinux=0
Package: openssh-server
Version: 1:4.6p1-5
Severity: normal
--- Please enter the report below this line. ---
sshd executed in a chroot environment refuses connections if SELinux is
disabled by the boot option selinux=0, whereas with sshd executed in a
"regular" environment the same ssh login works flawlessly.
The chroot environment is built "manually" using cdebootstrap and strace;
I tried hard to append all files used by sshd.
$ ssh -l tamino 127.0.0.1
#-------------------------
tamino@127.0.0.1's password:
Read from remote host 127.0.0.1: Connection reset by peer
Connection to 127.0.0.1 closed.
# /var/log/messages
#-------------------
Dec 2 22:09:08 roland sshd[15879]: Accepted password for tamino from 127.0.0.1 port 3325 ssh2
Dec 2 22:09:08 roland sshd[15881]: (pam_unix) session opened for user tamino by (uid=0)
Dec 2 22:09:08 roland sshd[15881]: fatal: ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed
Dec 2 22:09:08 roland sshd[15881]: (pam_unix) session closed for user tamino
..
# kernel compiled with SELinux,
# SELinux disabled by boot option selinux=0,
# SELinux policy not yet installed
$ zgrep SELINUX /proc/config.gz
#-------------------------------
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
--- System information. ---
Architecture: i386
Kernel: Linux 2.6.18.5roland2
Debian Release: 4.0
500 unstable gd.tuwien.ac.at
500 testing security.debian.org
500 testing gd.tuwien.ac.at
500 oldstable gd.tuwien.ac.at
500 edgy wine.budgetdedicated.com
1 experimental gd.tuwien.ac.at
--- Package information. ---
Depends (Version) | Installed
========================================-+-======================
libc6 (>= 2.6-1) | 2.6.1-1
libcomerr2 (>= 1.33-3) | 1.39+1.40-WIP-2006.11.14+dfsg-1
libkrb53 (>= 1.6.dfsg.1) | 1.6.dfsg.1-4
libpam0g (>= 0.76) | 0.79-4
libselinux1 (>= 2.0.15) | 2.0.15-2+b1
libssl0.9.8 (>= 0.9.8e-1) | 0.9.8e-5
libwrap0 | 7.6.dbs-12
zlib1g (>= 1:1.2.3.3.dfsg-1) | 1:1.2.3.3.dfsg-5
debconf (>= 1.2.0) | 1.5.11
OR debconf-2.0 |
libpam-runtime (>= 0.76-14) | 0.79-4
libpam-modules (>= 0.72-9) | 0.79-4
adduser (>= 3.9) | 3.102
dpkg (>= 1.9.0) | 1.13.25
openssh-client (= 1:4.6p1-5) | 1:4.6p1-5
lsb-base (>= 3.0-6) | 3.1-23
--
Roland Eggner