Re: selinux problems connecting with a chroot user to a RHEL6 system

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 04/26/2013 12:41 AM, Garey Mills wrote:
Hello -

      I am experiencing the following problem with Selinux on a RHEL6
system:

      I am trying to set up a chrooted user. I edited sshd_config to
contain the lines

Match User physics
          ChrootDirectory /chrootAccounts/physics
         X11Forwarding no
         AllowTcpForwarding no

I created a user named 'physics' with the home directory of
/chrootAccounts/physics and constructed a chroot jail consisting of the
directory /chrootAccounts and the requisite bin, dev and lib directories.

If I disable selinux, I can log in.

I enabled selinux and then tried to log in. This generated a number of 'avc' errors
which I dealt with using 'audit2allow' utility. At the end of this
process I ended up with the following error message that will not clear:

Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143):
avc:  denied  { transition } for pid=4852 comm="sshd" path="/bin/sh"
dev=sda3 ino=524299
scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process

Trying to solve this by going to Google, I found that this problem (that
'chroot_user_t' cannot 'transition' to the sh process) had been solved
and patches submitted on a Debian Selinux list, but apparently not in
RHEL6.

      Does anyone know a solution to this that could be applied by
someone who knows how to use audit2allow but not much else about Selinux?

rpm -q selinux-policy openssh
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux