[CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.
James B. Byrne
byrnejb at harte-lyne.ca
Thu Feb 4 17:58:49 UTC 2010
On Thu, February 4, 2010 05:28, Radu Radutiu wrote:
> Just for the reference if you want to keep SELINUX enabled and
> create a new instance of sshd (with the stock CentOS 5.4 sshd)
> with sftp only you can do the following:
>
> -create a copy of /etc/ssh/sshd_config e.g.
> cp /etc/ssh/sshd_config /etc/ssh/sftpd_config
>
> -change/add the following lines in sftpd_config
> Port 1234
> ChrootDirectory %h
> Subsystem sftp internal-sftp
> AllowUsers externaluser
>
>
> -let SELINUX know that port 1234 (or whatever you put in your
> sftpd_config) is of type ssh_port_t
>
> semanage port -a -t ssh_port_t -p tcp 1234
>
> -make sure that the sftp user's home directory respects the
> requirements of the ChrootDirectory sshd_config directive: This path,
> and all its components, must be root-owned directories that are not
> writable by any other user or group. For file transfer sessions
> using "sftp", no additional configuration of the environment is
> necessary if the in-process sftp server is used
> chown root /home/externaluser
> chmod g-w /home/externaluser
>
> -create a directory in which externaluser will be able to write
> mkdir /home/externaluser/upload
> chown externaluser /home/externaluser/upload
>
> - create a copy of /etc/init.d/sshd init script
> cp /etc/init.d/sshd /etc/init.d/sftpd
> - modify it to reflect the sftpd_config config file and a new pid
> file
> - make it start automatically
> chkconfig --add sftpd
>
> Radu
>
>
Thank you for that. I did much the same as you suggest but, in the
end, decided to just run the 5.3 sshd instead. I have set SELinux
to enforcing on that host and sshd seems to work as expected. I
cannot tell what the --with-selinux compiler switch is meant to do.
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3