Currently I have a RH6.1 host with selinux enabled.
On this I am running an LXC container with ubuntu (without selinux) with
OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009.

When I try to do an ssh connection to the lxc container I get:

    ...
    debug1: Next authentication method: password
    root at 192.168.2.11's password:
    debug1: Authentication succeeded (password).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions at openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    debug1: channel 0: free: client-session, nchannels 1
    Connection to 192.168.2.11 closed by remote host.
    Connection to 192.168.2.11 closed.
    Transferred: sent 1728, received 1784 bytes, in 0.1 seconds
    Bytes per second: sent 16426.3, received 16958.6
    debug1: Exit status -1

Inside the container I can see an error in the auth.log:

    Oct 24 11:14:11 art01 sshd[1703]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Oct 24 11:14:11 art01 sshd[1703]: fatal: ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed
    Oct 24 11:14:11 art01 sshd[1703]: pam_unix(sshd:session): session closed for user root

Now I assume I have a problem because inside the container selinux is
disabled...
If so, is there a way to tell the sshd inside the container to ignore
the selinux check....

Hans
On 24/10/11 10:38 PM, Hans Harder wrote:
> Currently I have a RH6.1 host with selinux enabled
> On this I am running a LXC container with ubuntu (without selinux) with
> OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
[...]
> Now I assume I have a problem because inside the container selinux is
> disabled...
> If so, is there a way to tell the sshd inside the container to ignore
> the selinux check....

sshd has no knobs for this. The code in openbsd-compat/port-linux.c looks
roughly like this (assuming it's not been changed by debian or ubuntu):

    r = get_default_context(sename, NULL, &sc);
    if (r != 0) {
            switch (security_getenforce()) {
            case -1:
                    fatal("%s: ssh_selinux_getctxbyname: "
                        "security_getenforce() failed", __func__);

so if you could get get_default_context() to return zero then it won't
fatal out, but I don't know enough selinux and/or lxc to know if that's
possible. Failing that, you'd probably have to hack sshd.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience.
    Unfortunately, the experience usually comes from bad judgement.
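An added example, not code from the thread or from OpenSSH itself, that models the check Darren quotes so the failure in Hans's auth.log can be reasoned about: a libselinux-style lookup of the selinuxfs mount in /proc/mounts text, the getenforce value that lookup yields, and the switch in sshd. The thread only shows the -1 arm; the 0 and default arms here follow upstream ssh_selinux_getctxbyname(), and the function names find_selinuxfs, getenforce_from and ssh_selinux_decision are mine. A container with no selinuxfs mounted yields -1, which is the fatal path regardless of what the container believes about its own SELinux state.

```c
#include <stdio.h>
#include <string.h>
/* Scan /proc/mounts-style text for a selinuxfs mount and copy its mount
 * point into out. Returns 1 if found, 0 if not: the container in the
 * thread has no selinuxfs visible, so libselinux has nothing to read. */
int find_selinuxfs(const char *mounts, char *out, size_t outsz)
{
	const char *line = mounts;
	char dev[64], mnt[256], fstype[32];
	while (line && *line) {
		if (sscanf(line, "%63s %255s %31s", dev, mnt, fstype) == 3 &&
		    strcmp(fstype, "selinuxfs") == 0) {
			snprintf(out, outsz, "%s", mnt);
			return 1;
		}
		line = strchr(line, '\n');
		if (line)
			line++;
	}
	return 0;
}

/* Mirror security_getenforce(): 1 enforcing, 0 permissive, -1 when the
 * selinuxfs "enforce" node could not be read at all (NULL here). */
int getenforce_from(const char *enforce_contents)
{
	if (enforce_contents == NULL)	/* node unreadable or not mounted */
		return -1;
	return enforce_contents[0] == '1' ? 1 :
	       enforce_contents[0] == '0' ? 0 : -1;
}

enum action { SSHD_CONTINUE, SSHD_ERROR_CONTINUE, SSHD_FATAL };

/* The switch quoted in the reply. Only the -1 arm is shown in the thread;
 * the 0 and default arms follow upstream ssh_selinux_getctxbyname(). */
enum action ssh_selinux_decision(int get_default_context_rc, int enforce)
{
	if (get_default_context_rc == 0)
		return SSHD_CONTINUE;	/* context found, getenforce not consulted */
	switch (enforce) {
	case -1:
		return SSHD_FATAL;	/* "security_getenforce() failed" */
	case 0:
		return SSHD_ERROR_CONTINUE; /* permissive: error() and carry on */
	default:
		return SSHD_FATAL;	/* enforcing with no default context */
	}
}
```

Feeding the container's real /proc/mounts to find_selinuxfs shows whether the sshd built with SELinux support will even find an "enforce" node to read.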