I run a sshd host solely to allow employees to tunnel secure connections to our internal hosts. Some of which do not support encrypted protocols. These connections are chroot'ed via the following in /etc/ssh/sshd_config
Match Group !wheel,!xxxxxx,yyyyy AllowTcpForwarding yes ChrootDirectory /home/yyyyy X11Forwarding yes
Where external users belong to group yyyyy (primary).
We have a problem with SELinux in that chrooted users cannot tunnel https requests unless SELinux is set to permissive (or turned off altogether). This problem does not evidence itself unless the account is chrooted.
The output from audit2allow is this:
sudo audit2allow -l -a
#============= chroot_user_t ============== allow chroot_user_t cyphesis_port_t:tcp_socket name_connect; allow chroot_user_t user_home_t:chr_file open;
#============= syslogd_t ============== #!!!! The source type 'syslogd_t' can write to a 'dir' of the following types: # var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t, syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t
allow syslogd_t user_home_t:dir write;
My questions are:
Do SE booleans settings exist that permit chrooted ssh access to forward https and log the activity? If so then what are they?
If not, then have I made a configuration error in sshd_config? What is it?
If not, then is this a defect in the SELinux policy?
If not, then What are the implications of creating a custom policy to handle this using the output given above?