From: mgrepl@redhat.com (Miroslav Grepl)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Problem with chroot login on a RHEL6 Selinux system
Date: Thu, 25 Apr 2013 15:11:12 +0200
Message-ID: <51792B70.1020907@redhat.com>
In-Reply-To: <51770B8E.5060803@library.berkeley.edu>
On 04/24/2013 12:30 AM, Garey Mills wrote:
> Hello -
>
> I am experiencing the following problem with Selinux on a RHEL6
> system:
>
> I am trying to set up a chrooted user. I edited sshd_config to
> contain the lines
>
> Match User physics
> ChrootDirectory /chrootAccounts/physics
> X11Forwarding no
> AllowTcpForwarding no
>
> I created a user named 'physics' with the home directory of
> /chrootAccounts/physics and constructed a chroot jail consisting of the
> directory /chrootAccounts and the requisite bin, dev and lib directories.
>
> I then tried to log in. This generated a number of 'avc' errors
> which I dealt with using 'audit2allow' utility. At the end of this
> process I ended up with the following error message that will not clear:
>
> Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143):
> avc: denied { transition } for pid=4852 comm="sshd" path="/bin/sh"
> dev=sda3 ino=524299
> scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process
>
> Trying to solve this by going to Google, I found that this problem (that
> 'chroot_user_t' cannot 'transition' to the sh process) had been solved
> and patches submitted on a Debian Selinux list, but apparently not in
> RHEL6.
>
> Does anyone know a solution to this that could be applied by
> someone who knows how to use audit2allow but not much else about Selinux?
>
Garey,
could you forward the message to selinux at lists.fedoraproject.org and we
can discuss it here.
Thank you.
Regards,
Miroslav
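The denial quoted above is a domain-transition denial (tclass=process, permission transition), which is a different kind of problem from the file and directory denials audit2allow usually cleans up. The following Python helper is an added example and is not part of this thread or of any SELinux tool; it parses kernel AVC lines of the form shown above, splits the source and target security contexts, and separates transition denials from ordinary object-access denials so each can be reviewed on its own before any policy is generated. The first sample line is the one from the thread re-joined onto a single line; the second is constructed for illustration only.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample log: line 1 is the denial from the thread (unwrapped),
# line 2 is a made-up file-read denial added to show the non-transition case.
SAMPLE_LOG = (
    'Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143): '
    'avc: denied { transition } for pid=4852 comm="sshd" path="/bin/sh" '
    'dev=sda3 ino=524299 scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process\n'
    'Apr 22 15:10:45 srblib3 kernel: type=1400 audit(1366668645.001:100144): '
    'avc: denied { read } for pid=4852 comm="sshd" name="passwd" dev=sda3 ino=1234 '
    'scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file\n'
)

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx: str) -> Dict[str, str]:
    """Split user:role:type[:range] into its parts.

    The MLS range itself contains colons (s0-s0:c0.c1023), so split at most
    three times and treat everything after the type as the range.
    """
    parts = dict.fromkeys(("user", "role", "type", "range"), "")
    if ctx:
        parts.update(zip(("user", "role", "type", "range"), ctx.split(":", 3)))
    return parts


def parse_avc(line: str) -> Optional[dict]:
    """Parse one kernel AVC denial line; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "fields": fields,
        "scontext": parse_context(fields.get("scontext", "")),
        "tcontext": parse_context(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
    }


def explain(rec: dict) -> str:
    """One-line classification of a denial for a reviewer."""
    s_type, t_type = rec["scontext"]["type"], rec["tcontext"]["type"]
    if rec["tclass"] == "process" and "transition" in rec["perms"]:
        path = rec["fields"].get("path", "?")
        return (f"domain transition denied: {s_type} may not transition to {t_type} "
                f"when executing {path}; review the transition/entrypoint rules for "
                f"{s_type} instead of allowing the transition as-is")
    return (f"object access denied: {s_type} denied {' '.join(rec['perms'])} "
            f"on {rec['tclass']} labelled {t_type}")


def triage(log: str) -> List[Tuple[dict, str]]:
    """Parse every AVC line in a log blob and pair it with its explanation."""
    out = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            out.append((rec, explain(rec)))
    return out


def summarize(log: str) -> Counter:
    """Count denials by (source type, target type, class, permissions)."""
    keys = (
        (rec["scontext"]["type"], rec["tcontext"]["type"], rec["tclass"], " ".join(rec["perms"]))
        for rec, _ in triage(log)
    )
    return Counter(keys)


if __name__ == "__main__":
    for rec, note in triage(SAMPLE_LOG):
        print(f"pid={rec['fields'].get('pid')} comm={rec['fields'].get('comm')}: {note}")
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```

Running the script over the sample prints the quoted denial as a domain-transition problem (chroot_user_t to unconfined_t on /bin/sh) and the constructed line as a plain file-read denial; the summary counts let you see how many distinct rules a log actually asks for before deciding what, if anything, to generate.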