From mboxrd@z Thu Jan 1 00:00:00 1970
From: gmills@library.berkeley.edu (Garey Mills)
Date: Tue, 23 Apr 2013 15:30:38 -0700
Subject: [refpolicy] Problem with chroot login on a RHEL6 Selinux system
Message-ID: <51770B8E.5060803@library.berkeley.edu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello -

I am experiencing the following problem with SELinux on a RHEL6 system:

I am trying to set up a chrooted user. I edited sshd_config to contain the lines

    Match User physics
        ChrootDirectory /chrootAccounts/physics
        X11Forwarding no
        AllowTcpForwarding no

I created a user named 'physics' with the home directory of /chrootAccounts/physics and constructed a chroot jail consisting of the directory /chrootAccounts and the requisite bin, dev and lib directories.

I then tried to log in. This generated a number of 'avc' errors which I dealt with using the 'audit2allow' utility. At the end of this process I ended up with the following error message that will not clear:

    Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143): avc: denied { transition } for pid=4852 comm="sshd" path="/bin/sh" dev=sda3 ino=524299 scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

Trying to solve this by going to Google, I found that this problem (that 'chroot_user_t' cannot 'transition' to the sh process) had been solved and patches submitted on a Debian SELinux list, but apparently not in RHEL6.

Does anyone know a solution to this that could be applied by someone who knows how to use audit2allow but not much else about SELinux?

--
Garey Mills
Library Systems Office
UC Berkeley
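The denial quoted above is worth reading field by field before feeding it to audit2allow: tclass=process with { transition } means sshd, running as chroot_user_t, was refused the domain transition into unconfined_t when it executed /bin/sh for the chrooted session, and the source and target contexts also differ in SELinux user (system_u vs unconfined_u) and role (system_r vs unconfined_r). An allow rule generated blindly from that line would let the jailed user's shell run in the unconfined domain, which is the opposite of what a confined chroot_user_t domain is for. The following parser is an added example written for this page, not code from the poster or from the refpolicy project. It splits AVC records into their parts and flags process-transition denials so they can be triaged separately from ordinary file denials. The first log line is the one from the post; the second and third lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: line 1 is the denial quoted in the post, lines 2 and 3
# are made up (a plain file denial and a non-AVC message) to exercise the parser.
SAMPLE_LOG = """\
Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143): avc: denied { transition } for pid=4852 comm="sshd" path="/bin/sh" dev=sda3 ino=524299 scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.310:100144): avc:  denied  { read } for  pid=4852 comm="sshd" name="passwd" dev=sda3 ino=1234 scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
Apr 22 15:10:45 srblib3 kernel: some unrelated kernel message
"""

# "avc: denied { perm perm } for key=value ..." (kernel output may use runs of spaces)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Context:
    """An SELinux security context split into user:role:type:range."""
    user: str
    role: str
    setype: str
    mls: str

    @classmethod
    def parse(cls, raw: str) -> "Context":
        # The MLS range itself contains colons (s0-s0:c0.c1023), so split at most 3 times.
        parts = raw.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"malformed context: {raw!r}")
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


@dataclass
class AvcDenial:
    perms: List[str]
    fields: Dict[str, str]
    source: Context
    target: Context
    tclass: str


def parse_avc_line(line: str) -> Optional[AvcDenial]:
    """Return the parsed denial, or None if the line is not an AVC denial record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(m.group("kv"))}
    try:
        return AvcDenial(perms, fields, Context.parse(fields["scontext"]),
                         Context.parse(fields["tcontext"]), fields["tclass"])
    except (KeyError, ValueError):
        return None  # incomplete record: skip rather than guess


def parse_avc(text: str) -> List[AvcDenial]:
    return [d for d in (parse_avc_line(ln) for ln in text.splitlines()) if d is not None]


def is_domain_transition_denial(d: AvcDenial) -> bool:
    """True when a process was refused a domain change on exec (the case in the post)."""
    return d.tclass == "process" and "transition" in d.perms


def summarize(d: AvcDenial) -> str:
    """One-line triage summary that makes the source and target domains explicit."""
    who = f"{d.fields.get('comm', '?')} (pid {d.fields.get('pid', '?')})"
    if is_domain_transition_denial(d):
        text = (f"{who}: domain transition {d.source.setype} -> {d.target.setype} "
                f"on exec of {d.fields.get('path', '?')} denied")
        if d.source.user != d.target.user:
            text += f"; user changes {d.source.user} -> {d.target.user}"
        if d.source.role != d.target.role:
            text += f"; role changes {d.source.role} -> {d.target.role}"
        return text
    name = d.fields.get("path") or d.fields.get("name") or "?"
    return f"{who}: {d.source.setype} denied {{ {' '.join(d.perms)} }} on {d.tclass} {name} ({d.target.setype})"


if __name__ == "__main__":
    for denial in parse_avc(SAMPLE_LOG):
        print(summarize(denial))
```

Running it on the sample prints one line per denial; the first one reads "sshd (pid 4852): domain transition chroot_user_t -> unconfined_t on exec of /bin/sh denied; user changes system_u -> unconfined_u; role changes system_r -> unconfined_r", which is the thing to notice before generating any policy module from it. The parser deliberately skips records with a missing scontext, tcontext or tclass instead of guessing at them.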