* [refpolicy] Problem with chroot login on a RHEL6 Selinux system
@ 2013-04-23 22:30 Garey Mills
  2013-04-24 20:21 ` Dominick Grift
  2013-04-25 13:11 ` Miroslav Grepl
  0 siblings, 2 replies; 3+ messages in thread
From: Garey Mills @ 2013-04-23 22:30 UTC (permalink / raw)
  To: refpolicy

Hello -

     I am experiencing the following problem with SELinux on a RHEL6
system:

     I am trying to set up a chrooted user. I edited sshd_config to 
contain the lines

Match User physics
        ChrootDirectory /chrootAccounts/physics
        X11Forwarding no
        AllowTcpForwarding no

I created a user named 'physics' with the home directory of 
/chrootAccounts/physics and constructed a chroot jail consisting of the 
directory /chrootAccounts and the requisite bin, dev and lib directories.

     I then tried to log in. This generated a number of 'avc' errors
which I dealt with using the 'audit2allow' utility. At the end of this
process I ended up with the following error message that will not clear:

Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143): 
avc:  denied  { transition } for pid=4852 comm="sshd" path="/bin/sh" 
dev=sda3 ino=524299 
scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tclass=process

Trying to solve this by going to Google, I found that this problem (that
'chroot_user_t' cannot 'transition' to the sh process) had been solved
and patches submitted on a Debian SELinux list, but apparently not in
RHEL6.

     Does anyone know a solution to this that could be applied by
someone who knows how to use audit2allow but not much else about SELinux?

-- 
Garey Mills
Library Systems Office
UC Berkeley
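
An added example, not part of the original message: a small Python parser for the AVC record quoted above that splits the source and target contexts into user, role, type and level, prints the type-enforcement rule the denial corresponds to, and reports which context components differ. The function names are hypothetical; the record is the one from the message with the mail line wraps joined.

```python
import re

# The AVC record from the message above, with the mail line wraps joined.
AVC = ('Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143): '
       'avc:  denied  { transition } for pid=4852 comm="sshd" path="/bin/sh" '
       'dev=sda3 ino=524299 '
       'scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tclass=process')

FIELDS = ("user", "role", "type", "level")

def split_context(ctx):
    """Split user:role:type:level; the MLS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError("not a full SELinux context: %r" % ctx)
    return dict(zip(FIELDS, parts))

def parse_avc(line):
    """Return permissions, class and both contexts of one AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("no AVC denial in line")
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {
        "perms": m.group(1).split(),
        "tclass": kv["tclass"],
        "comm": kv.get("comm", "").strip('"'),
        "path": kv.get("path", "").strip('"'),
        "source": split_context(kv["scontext"]),
        "target": split_context(kv["tcontext"]),
    }

def changed_fields(rec):
    """Context components that differ between source and target."""
    return [f for f in FIELDS if rec["source"][f] != rec["target"][f]]

def te_rule(rec):
    """The type-enforcement rule for the denial; it names only the two types."""
    return "allow %s %s:%s { %s };" % (
        rec["source"]["type"], rec["target"]["type"],
        rec["tclass"], " ".join(rec["perms"]))

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(te_rule(rec))
    # User and role changes are governed by role allow rules and constraints,
    # not by the type-enforcement rule printed above.
    print("differs:", ", ".join(changed_fields(rec)))
```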
