CentOS-6.6
We have sshd chroot working, mostly, for a particular groupid. However, we have two things that remain u/s, no doubt due to some omission on my part.
Basically, we would like our users to be able to tunnel their https over the ssh connection to this server and be able to do X11 forwarding as well. At the moment both work when the user connects without chroot and neither works if they are chroot, even when the chroot directory is the actual system /.
The Match statements are:
Match Group wheel AllowTcpForwarding yes ChrootDirectory / PermitOpen any X11Forwarding yes X11UseLocalhost no
Match Group !wheel,sftp ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no
There are SELinux issues:
/var/log/messages
Jul 9 09:22:43 inet02 setroubleshoot: SELinux is preventing /usr/sbin/sshd from create access on the udp_socket . For complete SELinux messages. run sealert -l 91eae747-73dc-43d8-8af9-0601e726f233
Jul 9 09:22:43 inet02 setroubleshoot: SELinux is preventing /usr/sbin/sshd from create access on the tcp_socket . For complete SELinux messages. run sealert -l c5d4049e-cffb-4cfb-a243-135c7b297e8b
Jul 9 09:22:44 inet02 setroubleshoot: SELinux is preventing /usr/sbin/sshd from open access on the chr_file 5. For complete SELinux messages. run sealert -l d77a3254-8aba-4a13-bd78-0bcf14e67035
/var/log/secure
Jul 9 09:22:34 inet02 sshd[17681]: error: socket: Permission denied
Jul 9 09:22:34 inet02 sshd[17684]: error: /dev/pts/5: Permission denied
# grep sshd /var/log/audit/audit.log | audit2allow
#============= chroot_user_t ==============
#!!!! This avc is allowed in the current policy allow chroot_user_t admin_home_t:dir search;
#!!!! This avc is allowed in the current policy allow chroot_user_t net_conf_t:file read; allow chroot_user_t self:netlink_route_socket create; allow chroot_user_t self:tcp_socket create; allow chroot_user_t self:udp_socket create; allow chroot_user_t user_devpts_t:chr_file open; allow chroot_user_t user_home_t:chr_file { read write };
#!!!! This avc is allowed in the current policy allow chroot_user_t xauth_exec_t:file getattr;
#============= xauth_t ============== allow xauth_t chroot_user_t:process sigchld;
# getsebool -a | grep ssh
allow_ssh_keysign --> off fenced_can_ssh --> off ssh_chroot_full_access --> on ssh_chroot_manage_apache_content --> off ssh_chroot_rw_homedirs --> on ssh_sysadm_login --> off
These are definitely involved with the X11 forwarding issue because if I use: setenforce Permissive then gvim works for a chrooted session. However, when setenforce Enforcing is set then gvim fails with: 'E233: cannot open display'.
I have not tried the https tunnelling without SELinux but I suspect that the problem is similar if not identical.
Do I generate a custom policy or are there some other SSH/SELinux settings that I am missing?