need howto for SELinux config--ssh on non-standard port

John Poelstra poelstra at redhat.com
Mon Jan 25 04:11:03 UTC 2010


Daniel J Walsh said the following on 01/21/2010 05:05 AM Pacific Time:
> On 01/20/2010 11:35 PM, John Poelstra wrote:
>>
>> Where else should I be looking?
>>
>> It is very clear that I can log in remotely on the non-standard port w/
>> selinux disabled and that it will not work when selinux is enabled.
>>
>> John
> ausearch -m avc -ts today
>
> Should show you all of the AVC messages that you received today.  If you are using auditing.
>
> ausearch -m avc
>
> Will show you all avc's that your system has logged
>
> ausearch -m avc | audit2allow
>
> Will give you the audit rules.
>
> If you have been in permissive mode for a while, the log messages might have disappeared.
>
> setenforce 1
> setenforce 0
>
> Will cause avc messages to show up again.

The root of the problem seems to be that there are no AVC messages.  All 
of our previous discussion has centered around creating a new policy for 
them so it appears I need a different fix?

I do see these errors in /var/log/secure on the server, but that is all.

Jan 24 19:50:47 localhost sshd[1150]: Server listening on 0.0.0.0 port 63000.
Jan 24 19:50:47 localhost sshd[1150]: Server listening on :: port 63000.
Jan 24 19:50:54 localhost sshd[1151]: Accepted publickey for jp from 192.168.122.1 port 45292 ssh2
Jan 24 19:50:54 localhost sshd[1151]: pam_selinux(sshd:session): conversation failed
Jan 24 19:50:54 localhost sshd[1151]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Jan 24 19:50:54 localhost sshd[1151]: pam_selinux(sshd:session): Unable to get valid context for jp
Jan 24 19:50:54 localhost sshd[1151]: pam_unix(sshd:session): session opened for user jp by (uid=0)
Jan 24 19:50:54 localhost sshd[1151]: error: PAM: pam_open_session(): Authentication failure
Jan 24 19:50:54 localhost sshd[1151]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

---------------------------------
Here is what hits /var/log/audit/audit.log

type=USER_ACCT msg=audit(1264392255.965:73): user pid=1253 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1264392255.995:74): user pid=1253 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
type=LOGIN msg=audit(1264392255.996:75): login pid=1253 uid=0 old auid=0 new auid=500 old ses=3 new ses=8
type=USER_START msg=audit(1264392256.118:76): user pid=1253 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=failed'
type=CRED_ACQ msg=audit(1264392256.125:77): user pid=1256 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1264392256.130:78): user pid=1253 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/2 res=success'
type=CRED_DISP msg=audit(1264392256.143:79): user pid=1253 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'

---------------------------------


From the remote host it appears that a connection is made and then immediately closed.

$ ssh -p 63000 jp@192.168.122.214
Last login: Sun Jan 24 19:50:54 2010 from 192.168.122.1
Connection to 192.168.122.214 closed.

-------------------------------

I'm attaching my sshd config file if you want to try this out.  As the 
config file shows, I'm using a preshared public key and password use is 
disabled as is root login.  Run it by:
# /usr/sbin/sshd -f sshd_config

If I disable selinux with setenforce 0, login works fine.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sshd_config
Url: http://lists.fedoraproject.org/pipermail/users/attachments/20100124/fb76fc4e/attachment.pl 
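Added example, not part of the thread and not Fedora's or Red Hat's tooling: a small Python triage script that complements the ausearch/audit2allow procedure Dan Walsh quotes above for the case where there are no AVCs at all. It parses the audit.log records and /var/log/secure lines from John's message (copied in as constructed sample input, unwrapped onto one line each) and pulls out the facts that matter when a login fails without a denial: the AVC count, the PAM session_open result, the SELinux errors sshd itself logged, and the SELinux domain the sshd process is running in (the subj= field). The check that sshd_t is the expected domain assumes a Fedora targeted policy; the field names and regexes are this script's own, not an audit library's.

```python
"""Triage an sshd login that fails under SELinux without any AVC record.

Reports the AVC count, the domain(s) sshd is running in, failed PAM
session_open events and the SELinux-related errors sshd wrote to
/var/log/secure.
"""
import re

# Constructed sample input: the records posted in the thread above, unwrapped.
AUDIT_LINES = [
    "type=USER_ACCT msg=audit(1264392255.965:73): user pid=1253 uid=0 auid=0 ses=3 "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "msg='op=PAM:accounting acct=\"jp\" exe=\"/usr/sbin/sshd\" "
    "hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'",
    "type=LOGIN msg=audit(1264392255.996:75): login pid=1253 uid=0 old auid=0 "
    "new auid=500 old ses=3 new ses=8",
    "type=USER_START msg=audit(1264392256.118:76): user pid=1253 uid=0 auid=500 ses=8 "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "msg='op=PAM:session_open acct=\"jp\" exe=\"/usr/sbin/sshd\" "
    "hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=failed'",
    "type=USER_LOGIN msg=audit(1264392256.130:78): user pid=1253 uid=0 auid=500 ses=8 "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='uid=500: "
    "exe=\"/usr/sbin/sshd\" hostname=192.168.122.1 addr=192.168.122.1 "
    "terminal=/dev/pts/2 res=success'",
]
SECURE_LINES = [
    "Jan 24 19:50:54 localhost sshd[1151]: Accepted publickey for jp from 192.168.122.1 port 45292 ssh2",
    "Jan 24 19:50:54 localhost sshd[1151]: pam_selinux(sshd:session): Unable to get valid context for jp",
    "Jan 24 19:50:54 localhost sshd[1151]: pam_unix(sshd:session): session opened for user jp by (uid=0)",
    "Jan 24 19:50:54 localhost sshd[1151]: error: PAM: pam_open_session(): Authentication failure",
    "Jan 24 19:50:54 localhost sshd[1151]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument",
]

HEADER_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value; the value may be '...'-quoted (the nested msg=) or "..."-quoted.
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
SECURE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<text>.*)$")

# Domain sshd runs in when started by the init system under the targeted policy (assumption).
EXPECTED_SSHD_DOMAIN = "sshd_t"


def parse_audit_record(line):
    """Flatten one audit record into a dict. Fields inside msg='...' are merged
    in, with the outer fields winning on a name clash (e.g. uid)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    outer = {k: v.strip("'\"") for k, v in KV_RE.findall(m.group("body"))}
    inner = {}
    if "msg" in outer:
        inner = {k: v.strip("'\"") for k, v in KV_RE.findall(outer["msg"])}
    rec = {"type": m.group("type"), "ts": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    rec.update(inner)
    rec.update(outer)
    return rec


def parse_audit(lines):
    return [r for r in map(parse_audit_record, lines) if r is not None]


def sshd_domains(records):
    """SELinux type (third field of subj=) of every record written by /usr/sbin/sshd."""
    return {r["subj"].split(":")[2] for r in records
            if r.get("exe") == "/usr/sbin/sshd" and "subj" in r}


def failed_session_opens(records):
    """(acct, pid) for each PAM session_open that ended with res=failed."""
    return [(r["acct"], int(r["pid"])) for r in records
            if r["type"] == "USER_START"
            and r.get("op") == "PAM:session_open" and r.get("res") == "failed"]


def selinux_session_errors(lines):
    """sshd messages in /var/log/secure that come from SELinux context setup."""
    hits = []
    for line in lines:
        m = SECURE_RE.search(line)
        if not m:
            continue
        text = m.group("text")
        if text.startswith("pam_selinux(") or "ssh_selinux_setup_pty" in text:
            hits.append((int(m.group("pid")), text))
    return hits


def triage(audit_lines, secure_lines):
    records = parse_audit(audit_lines)
    domains = sshd_domains(records)
    return {
        "avc_records": sum(1 for r in records if r["type"] == "AVC"),
        "sshd_domains": sorted(domains),
        "sshd_confined": domains == {EXPECTED_SSHD_DOMAIN},
        "failed_session_opens": failed_session_opens(records),
        "selinux_errors": selinux_session_errors(secure_lines),
    }


if __name__ == "__main__":
    for key, value in triage(AUDIT_LINES, SECURE_LINES).items():
        print(f"{key}: {value}")
```

On the sample records the script reports zero AVCs, one failed session_open for jp, two SELinux errors from sshd, and sshd running in unconfined_t rather than sshd_t. That last point is the one to check first before writing a policy module: it is consistent with /usr/sbin/sshd having been started directly from a root shell (as in the "Run it by" line above) instead of through the init script, and a daemon in unconfined_t is allowed almost everything, which is why no AVC appears even though pam_selinux then has no source-domain entry in default_contexts to derive a user context from. On a live system the same facts come from `ps -eZ | grep sshd` and `ausearch -m avc -ts recent`; for the non-standard port itself the SELinux-side step is `semanage port -a -t ssh_port_t -p tcp 63000`, verified with `semanage port -l | grep ssh_port_t`.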