1.4 2004-11-16
Begin Here

You must be in sysadm_r to perform these actions.

Run sestatus -v and compare its output against the table below. Find the first context that doesn't match and go to the corresponding section:

Process             Context
Init                system_u:system_r:init_t
/usr/sbin/sshd      system_u:system_r:sshd_t

File                Context
/sbin/unix_chkpwd   system_u:object_r:chkpwd_exec_t
/etc/passwd         system_u:object_r:etc_t
/etc/shadow         system_u:object_r:shadow_t
/bin/bash           system_u:object_r:shell_exec_t
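The comparison sestatus -v asks you to make by eye can also be scripted. The following is an added example, not part of the original guide: it encodes the expected file and process labels from the table, reads actual labels from ls -Z and ps -o label= output, and reports every mismatch. The function names are my own, and the script assumes a trailing MLS/MCS level such as :s0 may be present on newer systems and ignores it when comparing, since the table above lists contexts without one.

```shell
#!/bin/sh
# Added example (not from the original guide): check the labels the table
# expects, either on a live host or on constructed ls -Z / ps output.

# expected_file_label PATH -> prints the file label the guide expects for PATH
expected_file_label() {
    case "$1" in
        /sbin/init)        echo system_u:object_r:init_exec_t ;;
        /sbin/unix_chkpwd) echo system_u:object_r:chkpwd_exec_t ;;
        /etc/passwd)       echo system_u:object_r:etc_t ;;
        /etc/shadow)       echo system_u:object_r:shadow_t ;;
        /bin/bash)         echo system_u:object_r:shell_exec_t ;;
        *) return 1 ;;
    esac
}

# expected_process_label NAME -> prints the domain the guide expects for NAME
expected_process_label() {
    case "$1" in
        init) echo system_u:system_r:init_t ;;
        sshd) echo system_u:system_r:sshd_t ;;
        *) return 1 ;;
    esac
}

# strip_level CONTEXT -> drops a trailing MLS/MCS range (":s0", ":s0-s0:c0.c1023")
# so that user:role:type can be compared against the table, which has no level
strip_level() {
    printf '%s\n' "$1" | cut -d: -f1-3
}

# label_from_ls_z LINE -> pulls the user:role:type[:level] field out of an
# ls -Z line, whatever else (mode, owner, path) the line carries
label_from_ls_z() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_]+/) { print $i; exit } }'
}

# check_label EXPECTED ACTUAL -> 0 when they agree (level ignored), 1 otherwise
check_label() {
    [ "$(strip_level "$1")" = "$(strip_level "$2")" ]
}

# audit_labels -> queries the live system, prints each mismatch, returns 1 if any
audit_labels() {
    rc=0
    for f in /sbin/init /sbin/unix_chkpwd /etc/passwd /etc/shadow /bin/bash; do
        actual=$(label_from_ls_z "$(ls -Z "$f" 2>/dev/null)")
        if ! check_label "$(expected_file_label "$f")" "$actual"; then
            echo "MISMATCH $f: want $(expected_file_label "$f"), have ${actual:-<none>}"
            rc=1
        fi
    done
    for p in init sshd; do
        # ps -o label= prints the SELinux context of a process (procps)
        actual=$(ps -o label= -C "$p" 2>/dev/null | head -n 1)
        if ! check_label "$(expected_process_label "$p")" "$actual"; then
            echo "MISMATCH process $p: want $(expected_process_label "$p"), have ${actual:-<none>}"
            rc=1
        fi
    done
    return $rc
}

# Usage on a live host:  audit_labels || echo "relabel the items listed above"
```

A mismatch on a file label points at the rlpkg or restorecon step in the matching section below; a mismatch on a process label with a correct file label usually means the process was started before the relabel and needs a restart (or, for init, a reboot).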
Incorrect Init Context

Verify Init Label

There are several possible reasons why init may have the wrong context. First, verify that init is labeled correctly by checking the sestatus output for /sbin/init. If it is not system_u:object_r:init_exec_t, relabel sysvinit.

# rlpkg sysvinit

Verify Available Policy

You must be in sysadm_r to perform this action.

A binary policy must be available in /etc/selinux/{strict,targeted}/policy. If it is missing, then install the policy.

# semodule -n -B

Verify Init Can Load the Policy

The final check is to ensure init can load the policy. Run ldd on init; if libselinux is not in the output, remerge sysvinit.

# ldd /sbin/init
  linux-gate.so.1 =>  (0xffffe000)
  libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)
  libc.so.6 => /lib/libc.so.6 (0x40035000)
  /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

Now reboot so init gains the correct context and loads the policy.

Incorrect sshd Context

Another possibility is that sshd is not labeled correctly, meaning it is not running in the right context. Relabel openssh, then restart sshd.

# rlpkg openssh
# /etc/init.d/sshd restart

Incorrect PAM Context

sshd must be able to use PAM to authenticate the user. The PAM password checking program (/sbin/unix_chkpwd) must be labeled correctly so sshd can transition to the password checking context. Relabel PAM.

# rlpkg pam

The password checking program should now be system_u:object_r:chkpwd_exec_t. Try logging in again.

Incorrect Password File Contexts

The password file (/etc/passwd) and the shadow file (/etc/shadow) must be labeled correctly, otherwise PAM will not be able to authenticate your user. Relabel the files.

# restorecon /etc/passwd /etc/shadow

The password and shadow files should now be system_u:object_r:etc_t and system_u:object_r:shadow_t, respectively. Try logging in again.

Incorrect Bash File Context

Bash must be labeled correctly so the user can transition into the user domain when logging in. Relabel bash.

# rlpkg bash

Bash (/bin/bash) should now be system_u:object_r:shell_exec_t. Try logging in again.

Other sshd Issues

Valid Shell

First, make sure the user has a valid shell.

# grep '^username:' /etc/passwd | cut -d: -f7
/bin/bash (or your shell of choice)

If the above command does not return anything, or the shell is wrong, set the user's shell.

# usermod -s /bin/bash username

PAM enabled

PAM must also be enabled in sshd. Make sure this line in /etc/ssh/sshd_config is present and uncommented:

UsePAM yes

SELinux currently only allows PAM and a select few programs direct access to /etc/shadow; therefore, openssh must now use PAM for password authentication (public key still works).
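Whether UsePAM is effectively enabled is easy to misjudge by eye: sshd honours the first uncommented occurrence of a keyword, so a stray "UsePAM no" higher in the file silently wins over a "UsePAM yes" added at the bottom. The following is an added example, not part of the original guide; the function names are my own, and it assumes sshd's documented first-match rule and its default of "no" when the keyword is absent.

```shell
#!/bin/sh
# Added example (not from the original guide): determine the UsePAM value
# sshd will actually use. sshd honours the FIRST uncommented occurrence of a
# keyword, so a later "UsePAM yes" does not override an earlier "UsePAM no".
# When the keyword is absent entirely, sshd defaults to UsePAM no.

# usepam_setting -> reads sshd_config text on stdin and prints the effective
#                   value (lowercased), or nothing if the keyword never appears
usepam_setting() {
    # Commented lines have "#UsePAM" as $1, so they never match.
    awk 'tolower($1) == "usepam" { print tolower($2); exit }'
}

# check_usepam FILE -> 0 if UsePAM is effectively "yes", 1 otherwise
# (absence counts as "no", matching sshd's default)
check_usepam() {
    [ "$(usepam_setting < "$1")" = yes ]
}

# Usage on a live host:
#   check_usepam /etc/ssh/sshd_config || echo "UsePAM is not enabled"
# When sshd itself is available, "sshd -T" prints the fully resolved
# configuration and is the authoritative answer:
#   sshd -T 2>/dev/null | grep -i '^usepam'
```

Running check_usepam against a constructed config that contains "#UsePAM no", then "UsePAM yes", then "UsePAM no" reports yes, because the commented line is ignored and the first live line wins.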