On 10/09/2015 03:12 PM, m.roth@xxxxxxxxx wrote:
> James,
>
> I don't have an answer, but you'll note that I replied to both the
> CentOS list, and the more appropriate selinux list. Folks like Dan
> Walsh are responders there.
>
> mark
>
> James B. Byrne wrote:
>> I run an sshd host solely to allow employees to tunnel secure
>> connections to our internal hosts, some of which do not support
>> encrypted protocols. These connections are chroot'ed via the
>> following in /etc/ssh/sshd_config:
>>
>> Match Group !wheel,!xxxxxx,yyyyy
>>     AllowTcpForwarding yes
>>     ChrootDirectory /home/yyyyy
>>     X11Forwarding yes
>>
>> where external users belong to group yyyyy (primary).
>>
>> We have a problem with SELinux in that chrooted users cannot tunnel
>> https requests unless SELinux is set to permissive (or turned off
>> altogether). This problem does not evidence itself unless the account
>> is chrooted.
>>
>> The output from audit2allow is this:
>>
>> sudo audit2allow -l -a
>>
>>
>> #============= chroot_user_t ==============
>> allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
>> allow chroot_user_t user_home_t:chr_file open;

These should be a part of the policy. So you can add them to your local
policy and file a new bug.

>>
>> #============= syslogd_t ==============
>> #!!!! The source type 'syslogd_t' can write to a 'dir' of the following types:
>> # var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t,
>> syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile,
>> cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t,
>> cluster_conf_t, tmp_t
>>
>> allow syslogd_t user_home_t:dir write;

Do you have an AVC msg for this one?

>>
>>
>> My questions are:
>>
>> Do SE booleans settings exist that permit chrooted ssh access to
>> forward https and log the activity? If so, then what are they?
>>
>> If not, then have I made a configuration error in sshd_config? What
>> is it?
>>
>> If not, then is this a defect in the SELinux policy?
>>
>> If not, then what are the implications of creating a custom policy to
>> handle this using the output given above?
>>
>>
>>
>> --
>> *** e-Mail is NOT a SECURE channel ***
>> Do NOT transmit sensitive data via e-Mail
>> James B. Byrne mailto:ByrneJB@xxxxxxxxxxxxx
>> Harte & Lyne Limited http://www.harte-lyne.ca
>> 9 Brockley Drive vox: +1 905 561 1241
>> Hamilton, Ontario fax: +1 905 561 0757
>> Canada L8E 3C3
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS@xxxxxxxxxx
>> https://lists.centos.org/mailman/listinfo/centos
>>
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
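One way to act on the advice above, as an added example and not code from anyone in the thread: a script that wraps only the two chroot_user_t rules from the audit2allow output in a local policy module, leaving the syslogd_t rule out until a matching AVC denial confirms it. The module name, file names and the INSTALL_SELINUX_MODULE switch are assumptions.

```shell
#!/bin/sh
# Build a local SELinux policy module from the two chroot_user_t allow
# rules shown by audit2allow. Module name is an assumption.
set -eu

MODULE=local_chroot_tunnel   # assumed module name

# Write the Type Enforcement source for the module into the file named by $1.
# The syslogd_t -> user_home_t dir write rule is deliberately omitted:
# load it only once an AVC message actually shows that denial.
write_te() {
    cat > "$1" <<EOF
module $MODULE 1.0;

require {
    type chroot_user_t;
    type cyphesis_port_t;
    type user_home_t;
    class tcp_socket name_connect;
    class chr_file open;
}

# rules copied from the audit2allow output for chroot_user_t
allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
allow chroot_user_t user_home_t:chr_file open;
EOF
}

# Count the allow rules in a .te file; a sanity check before compiling.
count_allow() {
    grep -c '^allow ' "$1"
}

# Compile, package and load the module (needs policycoreutils and root).
install_module() {
    write_te "$MODULE.te"
    checkmodule -M -m -o "$MODULE.mod" "$MODULE.te"
    semodule_package -o "$MODULE.pp" -m "$MODULE.mod"
    semodule -i "$MODULE.pp"
    semodule -l | grep "^$MODULE"    # confirm the module is now loaded
}

# Only touch the running policy when explicitly asked to.
if [ "${INSTALL_SELINUX_MODULE:-0}" = "1" ]; then
    install_module
fi
```

After loading, re-run the tunnel test in enforcing mode and check `ausearch -m avc -ts recent` for any remaining denials before filing the bug against the base policy.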