From: gmills@library.berkeley.edu (Garey Mills)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Problem with chroot login on a RHEL6 Selinux system
Date: Tue, 23 Apr 2013 15:30:38 -0700
Message-ID: <51770B8E.5060803@library.berkeley.edu>

Hello -

I am experiencing the following problem with SELinux on a RHEL6 system:

I am trying to set up a chrooted user. I edited sshd_config to contain the lines

Match User physics
        ChrootDirectory /chrootAccounts/physics
        X11Forwarding no
        AllowTcpForwarding no

I created a user named 'physics' with the home directory of 
/chrootAccounts/physics and constructed a chroot jail consisting of the 
directory /chrootAccounts and the requisite bin, dev and lib directories.

I then tried to log in. This generated a number of 'avc' errors which I dealt with using the 'audit2allow' utility. At the end of this process I ended up with the following error message that will not clear:

Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143): 
avc:  denied  { transition } for pid=4852 comm="sshd" path="/bin/sh" 
dev=sda3 ino=524299 
scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tclass=process

Trying to solve this by going to Google, I found that this problem (that 'chroot_user_t' cannot 'transition' to the sh process) had been solved and patches submitted on a Debian SELinux list, but apparently not in RHEL6.

Does anyone know a solution to this that could be applied by someone who knows how to use audit2allow but not much else about SELinux?

-- 
Garey Mills
Library Systems Office
UC Berkeley
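The AVC record quoted in the post is the thing a defender reads over and over while working through a denial like this one, and mail clients wrap it so that it no longer parses as a single line. As an added example (not part of the original thread, and making no assumption about the RHEL6 policy itself), here is a small Python parser that re-joins the wrapped record, splits out the permission, object class and the user:role:type:level of both contexts, and flags exactly the case in the post: a denied process transition from chroot_user_t to unconfined_t.

```python
import re
from typing import Dict, List

# Constructed sample: the AVC denial quoted in the post, wrapped as the mail client wrapped it.
SAMPLE_LOG = """Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143):
avc:  denied  { transition } for pid=4852 comm="sshd" path="/bin/sh"
dev=sda3 ino=524299
scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process"""

# A record starts with a syslog timestamp (kernel messages) or "type=" (raw
# audit.log); any other line is a wrapped continuation of the previous record.
RECORD_START = re.compile(r"^(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d |type=)")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


def unwrap_records(text: str) -> List[str]:
    """Re-join lines that a mail client or terminal wrapped mid-record."""
    records: List[str] = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def split_context(ctx: str) -> Dict[str, str]:
    """Split user:role:type:level (the MLS level itself may contain colons)."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}


def parse_avc_log(text: str) -> List[Dict]:
    """Parse every AVC record in text; non-AVC records (e.g. SYSCALL) are skipped."""
    parsed = []
    for rec in unwrap_records(text):
        m = AVC_RE.search(rec)
        if not m:
            continue
        fields = {k: q or b for k, q, b in KV_RE.findall(m.group("rest"))}
        parsed.append({"verdict": m.group("verdict"), "perms": m.group("perms").split(),
                       "tclass": fields.get("tclass"), "fields": fields,
                       "source": split_context(fields["scontext"]),
                       "target": split_context(fields["tcontext"])})
    return parsed


def is_domain_transition_denial(rec: Dict) -> bool:
    """True when a process was refused a change of domain on exec (the case in the post)."""
    return rec["verdict"] == "denied" and rec["tclass"] == "process" and "transition" in rec["perms"]
```

Feeding the parsed source and target types back into a report makes it clear that the remaining denial is a domain transition between two process domains, which is a different kind of gap from the file-access denials that audit2allow is usually used to clear.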

Thread overview: 3+ messages
2013-04-23 22:30 Garey Mills [this message]
2013-04-24 20:21 ` [refpolicy] Problem with chroot login on a RHEL6 Selinux system Dominick Grift
2013-04-25 13:11 ` Miroslav Grepl