I'm seeing the same thing. My ljk account is configured like your ealuser account is.
These 2 commands work:
#ssh -l ljk/staff_r localhost
#ssh -l ljk/sysadm_r localhost

These don't:
#ssh -l ljk/sysadm_r/SystemLow-SystemHigh localhost
#ssh -l ljk/sysadm_r/s0-s15:c0.c1023 localhost
#ssh -l ljk/sysadm_r/s0 localhost
#ssh -l ljk/sysadm_r/SystemHigh localhost

I see the same thing in /var/log/messages. I see nothing in /var/log/secure.

This is the audit record that is generated.
type=USER_ERR msg=audit(1173476295.352:1313): user pid=10706 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: bad_ident acct=? : exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=failed)'

--
ljk

Loulwa Salem wrote:
> Hi Dan,
> This is more info on the problem I talked to you about on IRC. I am not
> sure if I'm missing something, or it is actually a bug with the latest
> packages (note, I saw this on two systems ppc and x86_64 installed fresh
> with the latest)
>
> Description:
> I have a user created on the system called ealuser, I try to login using
> it as in:
> ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
> The command above fails with ..
> Read from remote host localhost: Connection reset by peer
> Connection to localhost closed.
>
> I see these messages in /var/log/messages
> Mar 9 10:42:03 joy-hv4 sshd[15929]: Accepted keyboard-interactive/pam
> for ealuser from 127.0.0.1 port 43600 ssh2
> Mar 9 10:42:04 joy-hv4 sshd[15929]: error: deny MLS level
> s0-s15:c0.c1023 (user range s0-s15:c0.c1023)
> Mar 9 10:42:04 joy-hv4 sshd[15929]: error: Failed to get default
> security context for ealuser.
> Mar 9 10:42:04 joy-hv4 sshd[15929]: fatal: SELinux failure. Aborting
> connection.
>
>
> I am running in Enforcing and I have the ssh_sysadm_login boolean turned
> on.
> I am on the latest rhel code, with lspp.67 and latest packages updated
> from Steve's lspp repo (policy-42, mcstrans-0.2.3-1.el5)
>
>
> Additional Info:
> ----------------
> Here is the relevant semanage user -l output
> SELinux User    Prefix    MCS Level    MCS Range               SELinux Roles
> staff_u         staff     SystemLow    SystemLow-SystemHigh    sysadm_r
> staff_r secadm_r auditadm_r
>
> and the semanage login -l output
> Login Name    SELinux User    MLS/MCS Range
> ealuser       staff_u         SystemLow-SystemHigh
>
> Has anyone seen similar behavior?
>
> Thanks,
> - Loulwa
>
> --
> redhat-lspp mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/redhat-lspp
