Bug#734174: openssh-server: SELinux errors in syslog
Package: openssh-server
Version: 1:6.4p1-2
Severity: normal
Hello,
I have enabled SELinux in permissive mode.
When I connect and log off, I get the following lines in auth.log:
Jan 4 16:26:44 tc2 sshd[18138]: Accepted password for benoit from [some_ipv6_address] port 58739 ssh2
Jan 4 16:26:44 tc2 sshd[18138]: pam_unix(sshd:session): session opened for user benoit by (uid=0)
Jan 4 16:26:44 tc2 sshd[18138]: pam_selinux(sshd:session): conversation failed
Jan 4 16:26:44 tc2 sshd[18138]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Jan 4 16:26:44 tc2 sshd[18138]: pam_selinux(sshd:session): Unable to get valid context for benoit
Jan 4 16:26:44 tc2 sshd[18140]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for benoit
Jan 4 16:26:44 tc2 sshd[18138]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for benoit
Jan 4 16:26:44 tc2 sshd[18138]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Jan 4 16:26:46 tc2 sshd[18140]: Received disconnect from [some_ipv6_address] 11: disconnected by user
Jan 4 16:26:46 tc2 sshd[18138]: pam_unix(sshd:session): session closed for user benoit
"sestatus -v" gives (among other lines):
/usr/sbin/sshd unconfined_u:system_r:sshd_t:SystemLow-SystemHigh
I did not try in enforcing mode.
I restart sshd with run_init:
# run_init /etc/init.d/ssh restart
Remote connection now leads to:
Jan 4 16:27:00 tc2 sshd[18270]: Accepted password for benoit from [some_ipv6_address] port 58753 ssh2
Jan 4 16:27:00 tc2 sshd[18270]: pam_unix(sshd:session): session opened for user benoit by (uid=0)
Jan 4 16:27:00 tc2 sshd[18270]: pam_selinux(sshd:session): pam: default-context=unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh selected-context=uncfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh success 1
Jan 4 16:27:02 tc2 sshd[18272]: Received disconnect from [some_ipv6_address] 11: disconnected by user
Jan 4 16:27:02 tc2 sshd[18270]: pam_unix(sshd:session): session closed for user benoit
No more error messages!
"sestatus -v" gives (among other lines):
/usr/sbin/sshd system_u:system_r:sshd_t:SystemLow-SystemHigh
As far as I understand, this means that in order to have proper behaviour sshd
should be started with something equivalent to run_init at boot time.
This bug may concern boot/init packages more than openssh-server.
Thanks,
Benoit
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.12-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssh-server depends on:
ii adduser 3.113+nmu3
ii dpkg 1.17.5
ii libc6 2.17-97
ii libcomerr2 1.42.8-1
ii libgssapi-krb5-2 1.11.3+dfsg-3+nmu1
ii libkrb5-3 1.11.3+dfsg-3+nmu1
ii libpam-modules 1.1.3-9
ii libpam-runtime 1.1.3-9
ii libpam0g 1.1.3-9
ii libselinux1 2.2.1-1
ii libssl1.0.0 1.0.1e-6
ii libwrap0 7.6.q-24
ii lsb-base 4.1+Debian12
ii openssh-client 1:6.4p1-2
ii procps 1:3.3.4-2
ii zlib1g 1:1.2.8.dfsg-1
Versions of packages openssh-server recommends:
ii ncurses-term 5.9+20130608-1
ii xauth 1:1.0.7-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
ii openssh-blacklist 0.4.1+nmu1
ii openssh-blacklist-extra 0.4.1+nmu1
ii rssh 2.3.4-4
ii ssh-askpass 1:1.2.4.1-9
pn ufw <none>
-- debconf information:
ssh/encrypted_host_key_but_no_keygen:
ssh/vulnerable_host_keys:
ssh/disable_cr_auth: false
* ssh/use_old_init_script: true
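An added example, not part of the original report or of openssh-server: a Python check that applies the two observations above, the sshd process context from "sestatus -v" and the context-failure lines in auth.log. The sample inputs are constructed from the lines quoted in the report, and treating system_u:system_r:sshd_t as the expected daemon context is an assumption taken from the working state shown there.

```python
import re

# Constructed sample input, modelled on the lines quoted in the report.
SESTATUS_BAD = "/usr/sbin/sshd unconfined_u:system_r:sshd_t:SystemLow-SystemHigh"
SESTATUS_GOOD = "/usr/sbin/sshd system_u:system_r:sshd_t:SystemLow-SystemHigh"
AUTH_LOG = """\
Jan 4 16:26:44 tc2 sshd[18138]: pam_unix(sshd:session): session opened for user benoit by (uid=0)
Jan 4 16:26:44 tc2 sshd[18138]: pam_selinux(sshd:session): Unable to get valid context for benoit
Jan 4 16:26:44 tc2 sshd[18140]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for benoit
Jan 4 16:27:00 tc2 sshd[18270]: pam_unix(sshd:session): session opened for user benoit by (uid=0)
"""

# The two messages from the report that name the login user whose context lookup failed.
FAILURE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:error: )?"
    r"(?:pam_selinux\(sshd:session\): Unable to get valid context for "
    r"|ssh_selinux_getctxbyname: Failed to get default SELinux security context for )"
    r"(?P<user>\S+)"
)

def parse_context(sestatus_line):
    """Split a '<path> user:role:type[:range]' line from 'sestatus -v' into fields."""
    path, context = sestatus_line.split(None, 1)
    parts = context.strip().split(":", 3)   # the range itself may contain ':'
    parts += [""] * (4 - len(parts))        # the range is absent on non-MLS policies
    return dict(zip(("user", "role", "type", "range"), parts), path=path)

def daemon_context_ok(sestatus_line):
    """True if sshd runs as system_u:system_r:sshd_t (assumed expected state)."""
    ctx = parse_context(sestatus_line)
    return (ctx["user"], ctx["role"], ctx["type"]) == ("system_u", "system_r", "sshd_t")

def context_failures(log_text):
    """Return {login_user: sorted sshd PIDs that logged a context failure}."""
    hits = {}
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if m:
            hits.setdefault(m["user"], set()).add(int(m["pid"]))
    return {user: sorted(pids) for user, pids in hits.items()}

if __name__ == "__main__":
    for line in (SESTATUS_BAD, SESTATUS_GOOD):
        print(parse_context(line)["user"], "ok" if daemon_context_ok(line) else "unexpected")
    print(context_failures(AUTH_LOG))
```
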