From: mgrepl@redhat.com (Miroslav Grepl)
Date: Thu, 25 Apr 2013 15:11:12 +0200
Subject: [refpolicy] Problem with chroot login on a RHEL6 Selinux system
In-Reply-To: <51770B8E.5060803@library.berkeley.edu>
References: <51770B8E.5060803@library.berkeley.edu>
Message-ID: <51792B70.1020907@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/24/2013 12:30 AM, Garey Mills wrote:
> Hello -
>
> I am experiencing the following problem with SELinux on a RHEL6 system:
>
> I am trying to set up a chrooted user. I edited sshd_config to contain the lines
>
> Match User physics
> ChrootDirectory /chrootAccounts/physics
> X11Forwarding no
> AllowTcpForwarding no
>
> I created a user named 'physics' with the home directory of /chrootAccounts/physics
> and constructed a chroot jail consisting of the directory /chrootAccounts and the
> requisite bin, dev and lib directories.
>
> I then tried to log in. This generated a number of 'avc' errors which I dealt with
> using the 'audit2allow' utility. At the end of this process I ended up with the
> following error message that will not clear:
>
> Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143):
> avc: denied { transition } for pid=4852 comm="sshd" path="/bin/sh"
> dev=sda3 ino=524299
> scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process
>
> Trying to solve this by going to Google, I found that this problem (that
> 'chroot_user_t' cannot 'transition' to the sh process) had been solved and
> patches submitted on a Debian SELinux list, but apparently not in RHEL6.
>
> Does anyone know a solution to this that could be applied by someone who knows
> how to use audit2allow but not much else about SELinux?

Garey,

could you forward the message to selinux at lists.fedoraproject.org and we can discuss it here.

Thank you.

Regards,
Miroslav
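For anyone triaging denials like the one quoted in this thread, here is an added example (not code from the thread, from refpolicy or from audit2allow itself) that parses kernel AVC records, reconstructs the allow rule audit2allow would print for each, and flags the case where that rule would let a confined domain such as chroot_user_t transition straight into unconfined_t, which would undo the point of confining the chrooted user. The first sample line is the record from the thread; the second is a constructed file-access denial to show the parser is not tied to one record.

```python
import re

# Constructed sample log: line 1 is the AVC record quoted in the thread,
# line 2 is a made-up file denial (not from the thread) for a second record type.
SAMPLE_LOG = """\
Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143): avc: denied { transition } for pid=4852 comm="sshd" path="/bin/sh" dev=sda3 ino=524299 scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
Apr 22 15:10:40 srblib3 kernel: type=1400 audit(1366668640.100:100140): avc: denied { read open } for pid=4850 comm="sshd" path="/chrootAccounts/physics/etc/passwd" dev=sda3 ino=524300 scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
"""

# "avc: denied { perm perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": sorted(m.group("perms").split())}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A label is user:role:type[:range]; policy rules are written against the type.
    for side in ("scontext", "tcontext"):
        if side in rec:
            rec[side + "_type"] = rec[side].split(":")[2]
    return rec


def audit2allow_rule(rec):
    """The allow rule audit2allow would emit for this record (braces only for several perms)."""
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ %s };"[:-1] % " ".join(rec["perms"])
    return "allow %s %s:%s %s;" % (rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perms)


def confinement_loss(rec):
    """True when allowing this denial lets a confined domain transition into unconfined_t."""
    return (rec["tclass"] == "process" and "transition" in rec["perms"]
            and rec["tcontext_type"] == "unconfined_t")


def triage(log):
    """For each AVC record: (rule audit2allow would generate, would it remove confinement?)."""
    findings = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            findings.append((audit2allow_rule(rec), confinement_loss(rec)))
    return findings


if __name__ == "__main__":
    for rule, loss in triage(SAMPLE_LOG):
        print(("REVIEW  " if loss else "        ") + rule)
```

A flagged rule means the denial should be solved by labelling or by a proper domain transition in policy, not by pasting the audit2allow output into a local module.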