selinux mls ssh getting denied dyntransition – login failure

Joeg1484 asked:

I am trying to learn SELinux and going though the Red Hat documentation for RHEL 7. I came upon the documentation for Multi Layer Security (MLS) and wanted to try it, so I set SELINUXTYPE=mls and SELINUX=permissive , touched /.autorelabel (echoed an -F into it) and rebooted.

I was able to log in, but wanted to check the audit log to make sure no failure or denials happen that would prevent me from logging in using enforcing mode. I found the following:

type=AVC msg=audit(1457127380.826:208): avc:  denied  { dyntransition } for      pid=2109 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0 tclass=process

So, I figured that was nothing to worry about (Still learning), so i set SELINUX to enforcing and rebooted. Locked myself out!

I was able to get back in with some hacking and set SELINUX back to permissive, but I am not sure why its not working…

I have tried to restorecon /usr/sbin/sshd and it does have the correct context:

ls -Z /usr/sbin/sshd
-rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd

But if you look at the tcontect in the error its strange:

 tcontext=root:sysadm_r:sysadm_t:s0 

Anyway, as I stated, I am still learning, so any advice would be helpful… Documentation to explain any examples or solutions would be greatly appreciated – “Teach a man to fish…”

Thanks so much!
Joe

My answer:


It looks like root is not allowed to login directly via ssh on an MLS system.

You will need to ssh in as a staff_t user and then sudo to root.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.