Package: openssh-server
Version: 1:6.4p1-2
Severity: normal

Hello,

I have enabled SELinux in permissive mode. When I connect and logoff, I get the following lines in auth.log:

Jan 4 16:26:44 tc2 sshd[18138]: Accepted password for benoit from [some_ipv6_address] port 58739 ssh2
Jan 4 16:26:44 tc2 sshd[18138]: pam_unix(sshd:session): session opened for user benoit by (uid=0)
Jan 4 16:26:44 tc2 sshd[18138]: pam_selinux(sshd:session): conversation failed
Jan 4 16:26:44 tc2 sshd[18138]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Jan 4 16:26:44 tc2 sshd[18138]: pam_selinux(sshd:session): Unable to get valid context for benoit
Jan 4 16:26:44 tc2 sshd[18140]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for benoit
Jan 4 16:26:44 tc2 sshd[18138]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for benoit
Jan 4 16:26:44 tc2 sshd[18138]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Jan 4 16:26:46 tc2 sshd[18140]: Received disconnect from [some_ipv6_address] 11: disconnected by user
Jan 4 16:26:46 tc2 sshd[18138]: pam_unix(sshd:session): session closed for user benoit

"sestatus -v" gives (among other lines):

/usr/sbin/sshd unconfined_u:system_r:sshd_t:SystemLow-SystemHigh

I did not try in enforcing mode.

I restart sshd with run_init:

# run_init /etc/init.d/ssh restart

Remote connection now leads to:

Jan 4 16:27:00 tc2 sshd[18270]: Accepted password for benoit from [some_ipv6_address] port 58753 ssh2
Jan 4 16:27:00 tc2 sshd[18270]: pam_unix(sshd:session): session opened for user benoit by (uid=0)
Jan 4 16:27:00 tc2 sshd[18270]: pam_selinux(sshd:session): pam: default-context=unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh selected-context=uncfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh success 1
Jan 4 16:27:02 tc2 sshd[18272]: Received disconnect from [some_ipv6_address] 11: disconnected by user
Jan 4 16:27:02 tc2 sshd[18270]: pam_unix(sshd:session): session closed for user benoit

No more error messages! "sestatus -v" gives (among other lines):

/usr/sbin/sshd system_u:system_r:sshd_t:SystemLow-SystemHigh

As far as I understand, this means that in order to have proper behaviour sshd should be started with something equivalent to run_init at boot time. This bug may concern boot/init packages more than openssh-server.

Thanks,
Benoit

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.17.5
ii  libc6             2.17-97
ii  libcomerr2        1.42.8-1
ii  libgssapi-krb5-2  1.11.3+dfsg-3+nmu1
ii  libkrb5-3         1.11.3+dfsg-3+nmu1
ii  libpam-modules    1.1.3-9
ii  libpam-runtime    1.1.3-9
ii  libpam0g          1.1.3-9
ii  libselinux1       2.2.1-1
ii  libssl1.0.0       1.0.1e-6
ii  libwrap0          7.6.q-24
ii  lsb-base          4.1+Debian12
ii  openssh-client    1:6.4p1-2
ii  procps            1:3.3.4-2
ii  zlib1g            1:1.2.8.dfsg-1

Versions of packages openssh-server recommends:
ii  ncurses-term  5.9+20130608-1
ii  xauth         1:1.0.7-1

Versions of packages openssh-server suggests:
pn  molly-guard              <none>
pn  monkeysphere             <none>
ii  openssh-blacklist        0.4.1+nmu1
ii  openssh-blacklist-extra  0.4.1+nmu1
ii  rssh                     2.3.4-4
ii  ssh-askpass              1:1.2.4.1-9
pn  ufw                      <none>

-- debconf information:
  ssh/encrypted_host_key_but_no_keygen:
  ssh/vulnerable_host_keys:
  ssh/disable_cr_auth: false
* ssh/use_old_init_script: true
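
Added example, not part of the original report or of openssh-server: a Python check that scans auth.log text for the two context-failure messages quoted in the report and reads the SELinux user that sshd runs as from "sestatus -v" output. The sample log is constructed from the lines in the report, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the auth.log lines quoted in the report.
SAMPLE_LOG = """\
Jan 4 16:26:44 tc2 sshd[18138]: Accepted password for benoit from [some_ipv6_address] port 58739 ssh2
Jan 4 16:26:44 tc2 sshd[18138]: pam_selinux(sshd:session): Unable to get valid context for benoit
Jan 4 16:26:44 tc2 sshd[18140]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for benoit
Jan 4 16:26:44 tc2 sshd[18138]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Jan 4 16:27:00 tc2 sshd[18270]: Accepted password for benoit from [some_ipv6_address] port 58753 ssh2
Jan 4 16:27:02 tc2 sshd[18270]: pam_unix(sshd:session): session closed for user benoit
"""

SSHD_RE = re.compile(r"\ssshd\[(\d+)\]: (.*)$")
# The two messages from the report that name the affected user.
FAILURE_RES = (
    re.compile(r"pam_selinux\(sshd:session\): Unable to get valid context for (\S+)"),
    re.compile(r"ssh_selinux_getctxbyname: Failed to get default SELinux "
               r"security context for (\S+)"),
)

def context_failures(log_text):
    """Return {user: sorted sshd PIDs that logged a context failure}."""
    hits = {}
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        for pattern in FAILURE_RES:
            found = pattern.search(msg)
            if found:
                # Monitor and privsep child log under different PIDs.
                hits.setdefault(found.group(1), set()).add(pid)
    return {user: sorted(pids) for user, pids in hits.items()}

def sshd_selinux_user(sestatus_output):
    """Return the SELinux user of the /usr/sbin/sshd line, or None."""
    for line in sestatus_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "/usr/sbin/sshd":
            return parts[1].split(":")[0]
    return None

if __name__ == "__main__":
    print(context_failures(SAMPLE_LOG))
    print(sshd_selinux_user(
        "/usr/sbin/sshd unconfined_u:system_r:sshd_t:SystemLow-SystemHigh"))
```

In the report, the failures appear while sshd runs as unconfined_u and disappear once it runs as system_u, so a non-empty result from the first function together with "unconfined_u" from the second matches the situation described.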

