On 04/26/2013 12:41 AM, Garey Mills wrote:
Hello -
I am experiencing the following problem with SELinux on a RHEL6
system:
I am trying to set up a chrooted user. I edited sshd_config to
contain the lines
    Match User physics
        ChrootDirectory /chrootAccounts/physics
        X11Forwarding no
        AllowTcpForwarding no
I created a user named 'physics' with the home directory of
/chrootAccounts/physics and constructed a chroot jail consisting of the
directory /chrootAccounts and the requisite bin, dev and lib directories.
If I disable SELinux, I can log in.
I enabled SELinux and then tried to log in. This generated a
number of 'avc' errors which I dealt with using the 'audit2allow'
utility. At the end of this process I ended up with the following
error message that will not clear:
    Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143): avc: denied { transition } for pid=4852 comm="sshd" path="/bin/sh" dev=sda3 ino=524299 scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
Trying to solve this by going to Google, I found that this problem (that
'chroot_user_t' cannot 'transition' to the sh process) had been solved
and patches submitted on a Debian SELinux list, but apparently not in
RHEL6.
Does anyone know a solution to this that could be applied by
someone who knows how to use audit2allow but not much else about SELinux?
rpm -q selinux-policy openssh