[redhat-lspp] Problem SSH-ing into LSPP system with multiple categories

Tomas Mraz tmraz at redhat.com
Fri Jan 26 21:10:36 UTC 2007


On Fri, 2007-01-26 at 12:46 -0800, Kylene Jo Hall wrote:
> I couldn't find anything in /var/log/secure but here is what was
> in /var/log/messages from the following attempts:
> ssh testuser/user_r/s2:c0.c1@localhost
> ssh testuser/user_r/s2:c0,c1@localhost
> ssh testuser/user_r/s2:c0-c1@localhost
> 
> Jan 26 14:41:40 rheal3a sshd[2646]: Postponed keyboard-interactive for
> testuser from 127.0.0.1 port 39420 ssh2
> Jan 26 14:41:44 rheal3a sshd[2646]: Postponed keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39420 ssh2
> Jan 26 14:41:44 rheal3a sshd[2645]: Accepted keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39420 ssh2
> Jan 26 14:41:44 rheal3a sshd[2645]: fatal: deny MLS level s2:c0,c1 (user
> range s0-s15:c0.c1023)
> Jan 26 14:42:11 rheal3a sshd[2653]: Connection from 127.0.0.1 port 39421
> Jan 26 14:42:11 rheal3a sshd[2654]: Postponed keyboard-interactive for
> testuser from 127.0.0.1 port 39421 ssh2
> Jan 26 14:42:15 rheal3a sshd[2654]: Postponed keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39421 ssh2
> Jan 26 14:42:15 rheal3a sshd[2653]: Accepted keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39421 ssh2
> Jan 26 14:42:15 rheal3a sshd[2653]: fatal: Failed to get default
> security context for testuser.
> Jan 26 14:43:35 rheal3a sshd[2662]: Connection from 127.0.0.1 port 39422
> Jan 26 14:43:35 rheal3a sshd[2663]: Postponed keyboard-interactive for
> testuser from 127.0.0.1 port 39422 ssh2
> Jan 26 14:43:39 rheal3a sshd[2663]: Postponed keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39422 ssh2
> Jan 26 14:43:39 rheal3a sshd[2662]: Accepted keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39422 ssh2
> Jan 26 14:43:39 rheal3a sshd[2662]: fatal: deny MLS level s2:c0.c1 (user
> range s0-s15:c0.c1023)
> Jan 26 14:44:30 rheal3a sshd[2670]: Connection from 127.0.0.1 port 39423
> Jan 26 14:44:31 rheal3a sshd[2671]: Postponed keyboard-interactive for
> testuser from 127.0.0.1 port 39423 ssh2
> Jan 26 14:44:34 rheal3a sshd[2671]: Postponed keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39423 ssh2
> Jan 26 14:44:34 rheal3a sshd[2670]: Accepted keyboard-interactive/pam
> for testuser from 127.0.0.1 port 39423 ssh2
> Jan 26 14:44:34 rheal3a sshd[2670]: fatal: Failed to get default
> security context for testuser.

It seems that s2:c0,c1 and s2:c0.c1 logins are denied by policy. I don't
know why the s2:c0-c1 case fails on getting the default context - seems
like s2:c0-c1 is not a valid context.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
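
The three requested levels from the thread, run through a small MLS level parser. This is an added example, not part of the original message and not sshd or libselinux code. It assumes the requested value is a single level (not a range) and checks only syntax and containment in the user range from the log; it makes no policy decision, so "inside-range" does not mean the login is allowed.

```python
import re

_SENS = re.compile(r"s(\d+)$")
_CAT = re.compile(r"c(\d+)$")

def parse_level(text):
    """Parse one MLS level 'sN[:cats]' into (sensitivity, frozenset of categories)."""
    sens_txt, _, cats_txt = text.partition(":")
    m = _SENS.match(sens_txt)
    if not m:
        raise ValueError(f"bad sensitivity in {text!r}")
    cats = set()
    for item in cats_txt.split(",") if cats_txt else []:
        # Inside a category set, '.' is a span (c0.c3) and ',' is a list separator.
        lo_txt, dot, hi_txt = item.partition(".")
        lo, hi = _CAT.match(lo_txt), _CAT.match(hi_txt if dot else lo_txt)
        if not lo or not hi or int(lo.group(1)) > int(hi.group(1)):
            raise ValueError(f"bad category item {item!r} in {text!r}")
        cats.update(range(int(lo.group(1)), int(hi.group(1)) + 1))
    return int(m.group(1)), frozenset(cats)

def parse_range(text):
    """Parse 'low[-high]'; '-' only separates the low and high levels of a range."""
    low_txt, dash, high_txt = text.partition("-")
    low = parse_level(low_txt)
    high = parse_level(high_txt) if dash else low
    return low, high

def level_in_range(level_txt, range_txt):
    """True if the level dominates the range's low level and is dominated by its high."""
    s, cats = parse_level(level_txt)
    (ls, lcats), (hs, hcats) = parse_range(range_txt)
    return ls <= s <= hs and lcats <= cats <= hcats

def classify(requested, user_range):
    """Return 'invalid', 'outside-range' or 'inside-range' for a requested level."""
    try:
        inside = level_in_range(requested, user_range)
    except ValueError:
        return "invalid"
    return "inside-range" if inside else "outside-range"

USER_RANGE = "s0-s15:c0.c1023"  # user range reported in the quoted sshd log
for req in ("s2:c0.c1", "s2:c0,c1", "s2:c0-c1"):
    print(req, "->", classify(req, USER_RANGE))
```

`s2:c0.c1` and `s2:c0,c1` parse to the same category set, while `s2:c0-c1` does not parse as a level because `-` is not a category separator.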



