Fedora Linux Support Community & Resources Center
#1
24th August 2010, 01:09 AM
tanwald
Registered User
Join Date: Mar 2010
Posts: 12
SSH: Unable to get valid context

Hello,

I have been working with ssh for a long time without problems but suddenly, without any changes to the configuration, I am facing problems. When I try to login I get the following message and the connection is closed:

Code:
Unable to get valid context for tanwald
I ran SELinux in permissive mode and found the following logs:

Code:
Aug 24 01:25:51 tanwald2 sshd[2457]: pam_selinux(sshd:session): Security context unconfined_u:system_r:policykit_grant_t:s0-s0:c0.c1023 is not allowed for unconfined_u:system_r:policykit_grant_t:s0-s0:c0.c1023
Aug 24 01:25:51 tanwald2 sshd[2457]: pam_selinux(sshd:session): Unable to get valid context for tanwald
Aug 24 01:25:51 tanwald2 sshd[2457]: pam_unix(sshd:session): session opened for user tanwald by (uid=0)
Aug 24 01:25:51 tanwald2 sshd[2457]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
I could not find a suitable solution but while searching around, people who wanted to help other users asked for the following information:

Code:
$ id -Z
unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023
$ sudo semanage login -l

Login Name                SELinux User              MLS/MCS Range    
        
__default__               unconfined_u              s0-s0:c0.c1023           
root                      unconfined_u              s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023 
$ sudo semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       s0         s0                             git_shell_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
$ ps -eZ | grep ssh
unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 2454 ? 00:00:00 sshd
unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 2457 ? 00:00:00 sshd
unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 2461 ? 00:00:00 sshd
Thanks for any hint, tanwald

#2
24th August 2010, 02:06 AM
smr54
Registered User
Join Date: Jan 2010
Posts: 5,528
Re: SSH: Unable to get valid context

Not sure what you've found so far, but the last post in this thread might be a clue?

http://fedoraforum.org/forum/showthread.php?t=248518
#3
24th August 2010, 10:55 AM
tanwald
Registered User
Join Date: Mar 2010
Posts: 12
Re: SSH: Unable to get valid context

Quote:
Originally Posted by smr54 View Post
Not sure what you've found so far, but the last post in this thread might be a clue?

http://fedoraforum.org/forum/showthread.php?t=248518
Thanks, I had already found that post but it doesn't provide a permanent solution for me. Sure I could just comment out the selinux modules but I want to be able to login without turning security off. I need a configuration to get a valid context.
#4
24th August 2010, 01:05 PM
jpollard
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,870
Re: SSH: Unable to get valid context

You might try a restorecon to possibly relabel some devices - it is almost as if the pty devices have an "altered" label - preventing ssh from getting/setting one up.
#5
24th August 2010, 03:36 PM
tanwald
Registered User
Join Date: Mar 2010
Posts: 12
Re: SSH: Unable to get valid context

Quote:
Originally Posted by jpollard View Post
You might try a restorecon to possibly relabel some devices - it is almost as if the pty devices have an "altered" label - preventing ssh from getting/setting one up.
How do I perform a restorecon correctly? sudo restorecon -r / isn't the way to go, is it? At least it did not change anything. As you can see, I'm not a selinux guru. Thanks, tanwald
#6
24th August 2010, 03:57 PM
scott32746
Registered User
Join Date: Jun 2007
Location: Lake Mary, Florida
Age: 50
Posts: 1,088
Re: SSH: Unable to get valid context

Hello,
I have made changes to my .bash_profile in the past that did not let SSH work anymore.
Does any other ID work?

I found this:
https://bugzilla.redhat.com/show_bug.cgi?id=453424
#7
24th August 2010, 06:33 PM
jpollard
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,870
Re: SSH: Unable to get valid context

Possibly the easiest way (though longest) is to create the file "/.autorelabel" and reboot.

This can take a while as it passes through the system verifying and setting labels as needed.
#8
25th August 2010, 10:07 AM
tanwald
Registered User
Join Date: Mar 2010
Posts: 12
Re: SSH: Unable to get valid context

Quote:
Originally Posted by scott32746 View Post
Hello,
I have made changes to my .bash_profile in the past that did not let SSH work anymore.
Does any other ID work?

I found this:
https://bugzilla.redhat.com/show_bug.cgi?id=453424
I also came across that page but the instructions did not bring a solution for me. I often change my .bashrc but I can't tell if this was causing the problems.

Quote:
Originally Posted by jpollard View Post
Possibly the easiest way (though longest) is to create the file "/.autorelabel" and reboot.
Nice, it seems that this finally fixed the problem.

Thanks a lot for all hints again.
#9
1st April 2013, 06:16 AM
hapdoo
Registered User
Join Date: Apr 2013
Location: chinese
Posts: 5
Re: SSH: Unable to get valid context

Quote:
Originally Posted by tanwald View Post
Thanks, I had already found that post but it doesn't provide a permanent solution for me. Sure I could just comment out the selinux modules but I want to be able to login without turning security off. I need a configuration to get a valid context.

Code:
$ ps -eZ | grep ssh
unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 2454 ? 00:00:00 sshd
unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 2457 ? 00:00:00 sshd
unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 2461 ? 00:00:00 sshd
It's caused by the security context of the sshd process.

Normal is:
Code:
$ps -efZ|grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 13599 1  0 09:44 ?        00:00:00 /usr/sbin/sshd

So, change the sshd process context to "system_u:system_r:sshd_t:s0-s0:c0.c1023".



test.c:
Code:
#include <selinux/selinux.h>
#include <stdio.h>   /* perror */
#include <unistd.h>  /* execve */

int main(void)
{
    /* Set the context used by the next execve(); the shell started below runs
       in it, and so does every process that shell starts, sshd included. */
    if (setexeccon("system_u:system_r:sshd_t:s0-s0:c0.c1023") < 0) {
        perror("setexeccon");
        return 1;
    }
    char *const argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", argv, NULL);
    perror("execve");  /* only reached if execve() failed */
    return 1;
}

Compile test.c (needs libselinux, libselinux-devel):
Code:
gcc -o test test.c -lselinux


Run this program with root privileges, and then restart sshd.


Code:
[root@localhost ~]#setenforce 0
[root@localhost ~]# ./test
[root@localhost root]# id -Z
system_u:system_r:sshd_t:s0-s0:c0.c1023
[root@localhost root]#/sbin/service sshd restart
Stop sshd:                                               [OK]
Start sshd:                                               [OK]
[root@localhost ~]#ps -efZ|grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 15345 3599  0 13:07 pts/1 00:00:00 [sh]
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 15383 1  0 13:08 ?        00:00:00 /usr/sbin/sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 15388 15345 21 13:08 pts/1 00:00:00 ps -efZ
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 15389 15345  0 13:08 pts/1 00:00:00 grep sshd
[root@localhost ~]#setenforce 1

All done. Try the ssh login again.

#10
1st April 2013, 08:09 AM
jpollard
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,870
Re: SSH: Unable to get valid context

Quote:
Originally Posted by hapdoo View Post
Code:
$ ps -eZ | grep ssh
unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 2454 ? 00:00:00 sshd
unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 2457 ? 00:00:00 sshd
unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 2461 ? 00:00:00 sshd
It's caused by the security context of the process sshd .

normal is:
Code:
$ps -efZ|grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 13599 1  0 09:44 ?        00:00:00 /usr/sbin/sshd

SO,change the process sshd context to "system_u:system_r:sshd_t:s0-s0:c0.c1023"



test.c:
Code:
#include <selinux/selinux.h>

int main()
{
setexeccon("system_u:system_r:sshd_t:s0-s0:c0.c1023");
execve("/bin/sh",0,0);
return 0;
}

compile test.c (need libselinux,libselinux-devel)
Code:
gcc -o test test.c -lselinux


run this program with root privilege,and then restart sshd.


Code:
[root@localhost ~]#setenforce 0
[root@localhost ~]# ./test
[root@localhost root]# id -Z
system_u:system_r:sshd_t:s0-s0:c0.c1023
[root@localhost root]#/sbin/service sshd restart
Stop sshd:                                               [OK]
Start sshd:                                               [OK]
[root@localhost ~]#ps -efZ|grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 15345 3599  0 13:07 pts/1 00:00:00 [sh]
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 15383 1  0 13:08 ?        00:00:00 /usr/sbin/sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 15388 15345 21 13:08 pts/1 00:00:00 ps -efZ
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 15389 15345  0 13:08 pts/1 00:00:00 grep sshd
[root@localhost ~]#setenforce 1

all done. Try ssh login again.
This was a dead thread.

But it would be MUCH better to set the sshd executable to the proper security context.

What this does is break security.
#11
1st April 2013, 12:49 PM
hapdoo
Registered User
Join Date: Apr 2013
Location: chinese
Posts: 5
Re: SSH: Unable to get valid context

Quote:
Originally Posted by jpollard View Post
This was a dead thread.

But it would be MUCH better to set the sshd executable to the proper security context.

What this does is break security.


"system_u:system_r:sshd_t:s0-s0:c0.c1023"

is the proper security context. I just corrected the sshd executable security context.
#12
1st April 2013, 01:01 PM
jpollard
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,870
Re: SSH: Unable to get valid context

Quote:
Originally Posted by hapdoo View Post
"system_u:system_r:sshd_t:s0-s0:c0.c1023"

is the proper security . I just correct sshd executable security context.
No - you broke it by having to (1) disable security, (2) run a daemon with privileges, (3) restore security.

There is no guarantee that the daemon has to be sshd.

Putting the proper label on the sshd executable prevents any OTHER daemon from being done.

It also eliminates the need to disable security to run it.
#13
1st April 2013, 02:15 PM
hapdoo
Registered User
Join Date: Apr 2013
Location: chinese
Posts: 5
Re: SSH: Unable to get valid context

Quote:
Originally Posted by jpollard View Post
No - you broke it by having to (1) disable security, (2) run a daemon with privileges, (3) restore security.

There is no guarantee that the daemon has to be sshd.

Putting the proper label on the sshd executable prevents any OTHER daemon from being done.

It also eliminates the need to disable security to run it.

I don't agree with it.
First, to change the sshd daemon security context you need to disable selinux temporarily.

To run "./test" you need to run "setenforce 0" first.

Then restart sshd, so the security context changes to "system_u:system_r:sshd_t:s0-s0:c0.c1023". This context is correct for sshd, and only sshd.

Finally exit the program "test" and "setenforce 1" to turn on selinux.

From beginning to end, only the sshd daemon context is changed.

The "system_u:system_r:sshd_t:s0-s0:c0.c1023" does not apply to other daemons.

The exec context is automatically reset after the execve().

With this method there is no need to reboot.

#14
1st April 2013, 02:57 PM
jpollard
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,870
Re: SSH: Unable to get valid context

No need to reboot when you set the security label properly.

Just restart the sshd service.

And system_u:system_r:sshd_t:s0-s0:c0.c1023 would apply to ANY daemon started your way.
#15
1st April 2013, 03:06 PM
DBelton
Administrator
Join Date: Aug 2009
Posts: 7,330
Re: SSH: Unable to get valid context

Actually, what it looks like to me is that you changed the context of the current user (root) and NOT the sshd process.
Quote:
#include <selinux/selinux.h>

int main()
{
setexeccon("system_u:system_r:sshd_t:s0-s0:c0.c1023");
execve("/bin/sh",0,0);
return 0;
}
There is nothing in that to tell it to change the context for the sshd process.

Quote:
[root@localhost ~]#setenforce 0
[root@localhost ~]# ./test
[root@localhost root]# id -Z
system_u:system_r:sshd_t:s0-s0:c0.c1023
And this proves it. The id -Z shows that the context was changed for the root user and not the sshd process. Since you restarted the sshd process as the changed root user, the sshd process was started with the changed context, as would ANY OTHER PROCESS that root starts.

You have effectively hosed SELinux context for everything root does.
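A defender-side check of what the thread argues about, added here as an example that is not from any of the posters: it reads `ps -eZ` output and flags both the original poster's symptom (sshd running outside sshd_t) and the side effect DBelton describes (non-sshd processes left inside sshd_t after the test.c trick). It assumes sshd_t is the expected domain, that the binary is /usr/sbin/sshd, and that relabelling it from policy with restorecon is the form jpollard's "set the sshd executable to the proper security context" takes; the sample lines are constructed from the outputs posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Audit SELinux process domains from
# "ps -eZ" output. Assumes the expected sshd domain is sshd_t (the "normal"
# context quoted in the thread) and that the command name is the last field.

# Read ps -eZ lines on stdin and print one finding per line:
#   WRONG_DOMAIN <pid> <type>  sshd running outside sshd_t (the OP's state)
#   FOREIGN <pid> <cmd>        a non-sshd process inside sshd_t (what is
#                              left behind after running test.c as root)
# Exit status is 1 if anything was flagged, 0 if the listing is clean.
audit_domains() {
    awk '
        $1 == "LABEL" { next }                       # ps column header
        {
            split($1, c, ":"); type = c[3]; pid = $2; cmd = $NF
            sub(/^\[/, "", cmd); sub(/\]$/, "", cmd)  # "[sh]" -> "sh"
            if (cmd == "sshd" && type != "sshd_t") {
                print "WRONG_DOMAIN", pid, type; bad = 1
            } else if (cmd != "sshd" && type == "sshd_t") {
                print "FOREIGN", pid, cmd; bad = 1
            }
        }
        END { if (bad) exit 1 }
    '
}

# Remediation in the spirit of jpollard's advice (assumption: the binary is
# /usr/sbin/sshd and its policy label is restored with restorecon): fix the
# file label and restart the service; no setenforce 0 is needed.
fix_command() {
    printf 'restorecon -v /usr/sbin/sshd && service sshd restart\n'
}

# Constructed sample lines modelled on the outputs posted in the thread.
OP_BROKEN='unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 2454 ? 00:00:00 sshd'
HEALTHY='system_u:system_r:sshd_t:s0-s0:c0.c1023 13599 ? 00:00:00 sshd'
LEAKED='system_u:system_r:sshd_t:s0-s0:c0.c1023 15345 pts/1 00:00:00 [sh]'

# Run the audit over the samples; print the suggested fix if anything is flagged.
printf '%s\n' "$OP_BROKEN" "$LEAKED" "$HEALTHY" | audit_domains || fix_command
```

On a live Fedora host the same function runs as `ps -eZ | audit_domains`; the script as written only checks the constructed samples.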