I compared /etc/pam.d/sshd of the affected and working system; they are identical. But I found these entries in /var/log/secure of the system in trouble:
error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
I bet it's a smoking gun, I just have no idea what to do about it.
Sincerely yours, Vadym Chepkov
On Sun, May 31, 2009 at 08:36:29AM -0700, Vadym Chepkov wrote:
I compared /etc/pam.d/sshd of the affected and working system; they are identical. But I found these entries in /var/log/secure of the system in trouble:
Also check /etc/pam.d/system-auth.
On Sun, 2009-05-31 at 08:36 -0700, Vadym Chepkov wrote:
I compared /etc/pam.d/sshd of the affected and working system; they are identical. But I found these entries in /var/log/secure of the system in trouble:
error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
I bet it's a smoking gun, I just have no idea what to do about it.
Wait - that means that sshd is still trying to set up the tty label. Dan, I thought you switched to using pam_selinux instead for sshd? Why would there be both direct selinux logic in sshd and pam_selinux in /etc/pam.d/sshd?
On 06/05/2009 10:10 AM, Stephen Smalley wrote:
On Sun, 2009-05-31 at 08:36 -0700, Vadym Chepkov wrote:
I compared /etc/pam.d/sshd of the affected and working system; they are identical. But I found these entries in /var/log/secure of the system in trouble:
error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
I bet it's a smoking gun, I just have no idea what to do about it.
Wait - that means that sshd is still trying to set up the tty label. Dan, I thought you switched to using pam_selinux instead for sshd? Why would there be both direct selinux logic in sshd and pam_selinux in /etc/pam.d/sshd?
There should not be.
On Fri, 2009-06-05 at 13:09 -0400, Daniel J Walsh wrote:
On 06/05/2009 10:10 AM, Stephen Smalley wrote:
On Sun, 2009-05-31 at 08:36 -0700, Vadym Chepkov wrote:
I compared /etc/pam.d/sshd of the affected and working system; they are identical. But I found these entries in /var/log/secure of the system in trouble:
error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
I bet it's a smoking gun, I just have no idea what to do about it.
Wait - that means that sshd is still trying to set up the tty label. Dan, I thought you switched to using pam_selinux instead for sshd? Why would there be both direct selinux logic in sshd and pam_selinux in /etc/pam.d/sshd?
There should not be.
Some SELinux calls still have to happen from sshd directly, for example the pty relabelling, because the pty in sshd is not yet set up when pam_selinux is called.
selinux@lists.fedoraproject.org