James,

I don't have an answer, but you'll note that I replied to both the CentOS list and the more appropriate selinux list. Folks like Dan Walsh are responders there.

mark

James B. Byrne wrote:
> I run a sshd host solely to allow employees to tunnel secure
> connections to our internal hosts, some of which do not support
> encrypted protocols. These connections are chroot'ed via the
> following in /etc/ssh/sshd_config:
>
>     Match Group !wheel,!xxxxxx,yyyyy
>         AllowTcpForwarding yes
>         ChrootDirectory /home/yyyyy
>         X11Forwarding yes
>
> where external users belong to group yyyyy (primary).
>
> We have a problem with SELinux in that chrooted users cannot tunnel
> https requests unless SELinux is set to permissive (or turned off
> altogether). This problem does not evidence itself unless the account
> is chrooted.
>
> The output from audit2allow is this:
>
>     sudo audit2allow -l -a
>
>     #============= chroot_user_t ==============
>     allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
>     allow chroot_user_t user_home_t:chr_file open;
>
>     #============= syslogd_t ==============
>     #!!!! The source type 'syslogd_t' can write to a 'dir' of the following types:
>     # var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t,
>     # syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile,
>     # cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t,
>     # cluster_conf_t, tmp_t
>
>     allow syslogd_t user_home_t:dir write;
>
> My questions are:
>
> Do SELinux boolean settings exist that permit chrooted ssh access to
> forward https and log the activity? If so, then what are they?
>
> If not, then have I made a configuration error in sshd_config? What
> is it?
>
> If not, then is this a defect in the SELinux policy?
>
> If not, then what are the implications of creating a custom policy to
> handle this using the output given above?
>
> --
> *** e-Mail is NOT a SECURE channel ***
> Do NOT transmit sensitive data via e-Mail
> James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
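James's last question asks what a custom policy built from that audit2allow output would imply. The script below is an added example, not from either poster or from the thread: it turns `audit2allow -l -a` output of the shape shown above into a readable Type Enforcement (.te) module source, which is what `audit2allow -M` produces in one step, so the rules can be inspected and narrowed before anything is loaded. The sample input is constructed from the post's three allow lines, the module name `sshchroot_https` is an assumption, and the build/load step only runs when `checkmodule`, `semodule_package` and `semodule` are present and `--load` is passed.

```shell
#!/bin/sh
# Added example (not the list post's own procedure): render audit2allow
# "allow" lines as a .te module so the grants can be reviewed and narrowed.
# Module name "sshchroot_https" is an assumption.

# Constructed sample input, copied from the shape of the post's audit2allow output.
SAMPLE_AUDIT2ALLOW="#============= chroot_user_t ==============
allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
allow chroot_user_t user_home_t:chr_file open;

#============= syslogd_t ==============
#!!!! The source type 'syslogd_t' can write to a 'dir' of the following types:
# var_log_t, var_run_t, tmp_t
allow syslogd_t user_home_t:dir write;"

# te_from_audit2allow NAME  < audit2allow-output
# Emits: module header, a require block naming every type and object class
# the rules touch (with the exact permissions requested), then the allow
# rules themselves. audit2allow's '#' commentary is dropped.
te_from_audit2allow() {
    name=$1
    rules=$(grep -E '^allow ' | sed 's/[[:space:]]*$//')

    printf 'module %s 1.0;\n\nrequire {\n' "$name"

    # Source and target types ("self" is not a type and needs no require).
    printf '%s\n' "$rules" |
        awk '{ t = $3; sub(/:.*/, "", t); print $2; if (t != "self") print t }' |
        sort -u |
        while read -r t; do printf '\ttype %s;\n' "$t"; done

    # Object classes and the permissions asked for on each, handling both
    # "class perm;" and "class { perm1 perm2 };" forms.
    printf '%s\n' "$rules" | awk '{
        cls = $3; sub(/^[^:]*:/, "", cls)
        perms = $0; sub(/^[^:]*:[^ ]* /, "", perms); gsub(/[{};]/, "", perms)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print cls, p[i]
    }' | sort -u |
        awk '{ c[$1] = c[$1] " " $2 } END { for (k in c) printf "\tclass %s {%s };\n", k, c[k] }' |
        sort

    printf '}\n\n%s\n' "$rules"
}

# build_and_load NAME  -- compile NAME.te and install it; this is the
# standard checkmodule / semodule_package / semodule sequence and is only
# attempted when the tools exist on this host.
build_and_load() {
    name=$1
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "$tool not found; not loading $name" >&2
            return 0
        }
    done
    checkmodule -M -m -o "$name.mod" "$name.te" &&
        semodule_package -o "$name.pp" -m "$name.mod" &&
        semodule -i "$name.pp"
}

# Stand-alone run: print the module source; load it only on explicit request.
printf '%s\n' "$SAMPLE_AUDIT2ALLOW" | te_from_audit2allow sshchroot_https
if [ "${1:-}" = "--load" ]; then
    printf '%s\n' "$SAMPLE_AUDIT2ALLOW" | te_from_audit2allow sshchroot_https > sshchroot_https.te
    build_and_load sshchroot_https
fi
```

Reading the generated module is the point of the exercise. Each of the three rules is wider than the symptom suggests: `name_connect` to `cyphesis_port_t` lets every chrooted user connect to every port labelled with that type (`semanage port -l | grep cyphesis` shows which ports those are on the host), so if the internal service simply sits on a port that happens to carry that label, relabelling the port with `semanage port` is narrower than the allow rule. The `chr_file open` and `dir write` grants on `user_home_t` are, on the assumption that `/home/yyyyy/dev` was populated with device nodes and a `/dev/log` socket for the chroot, caused by that directory inheriting the home-directory label; giving it the label the policy already expects (`semanage fcontext` plus `restorecon`) avoids widening `syslogd_t` and `chroot_user_t` at all. Whether a boolean already covers the case depends on the policy version; `getsebool -a | grep ssh_chroot` lists what the installed policy offers before any custom module is considered.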