openssh-5.3p1 chroot selinux error on CentOS-5.4

I built and installed openssh-5.3p1 on an x86_64 host running
CentOS-5.4.  These are the build options:

./configure --prefix=/opt --with-libedit --with-md5-passwords --with-pam --with-selinux --with-tcp-wrappers

OpenSSH has been configured with the following options:
                     User binaries: /opt/bin
                   System binaries: /opt/sbin
               Configuration files: /opt/etc
                   Askpass program: /opt/libexec/ssh-askpass
                      Manual pages: /opt/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
                    Manpage format: doc
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: yes
                 Smartcard support: no
                     S/KEY support: no
              TCP Wrappers support: yes
              MD5 password support: yes
                   libedit support: yes
  Solaris process contract support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: x86_64-unknown-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -std=gnu99
Preprocessor flags:
      Linker flags:  -fstack-protector-all
         Libraries: -lcrypto -lutil -lz -lnsl  -lcrypt -lresolv
         +for sshd:  -lwrap -lpam -ldl -lselinux


I have also set up a chroot environment.  When I attempt to log on
via sftp, I see this:

ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed

My sestatus on this host is:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted

I searched for this error and found a number of hits specific to
various distributions.  I found one thread that said the following:

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/237557

I am using openssh with libpam_chroot to have a chrooted login but
following error message denies access for chrooted users

sshd[14644]: fatal: ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed

.  .  .

This fix is in OpenSSH 4.9p1



I am not sure that this is exactly what I am encountering.  I am
using the following sshd_config directives to define the chroot
environment:

# These lines must appear at the *end* of sshd_config
Match Group sshchroot
  AllowTcpForwarding no
  ChrootDirectory /var/data/%h
  ForceCommand internal-sftp

Have I a misconfiguration problem or is this a bug?

I have read that I can avoid this by building openssh without the
selinux option.  I am not certain that this is the best way to go
however.


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3





