[CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

Wed Feb 3 14:37:08 UTC 2010
James B. Byrne <byrnejb at harte-lyne.ca>

Note: I am digest subscriber so if you could copy me directly on any
reply to the list I would appreciate it very much.

I sent this to the OpenSSH list (secureshell at securityfocus.com)
yesterday and received no response so I am asking here in hopes that
someone else has run across this problem on CentOS.

We have encountered a situation that requires sftp access to one of
our servers by an outside agency.  This will be used for a data push
application only and we need to secure our server from trespass via
this access.  After a modest amount of research we decided that the
best answer was to use a more recent version of OpenSSH (5.3p1) that
supports chroot as a configurable option.

I obtained the software from the openssh.org website and built it
using the libedit packages from the CentOS testing repo.  These were
the options used:

./configure --prefix=/opt --with-libedit --with-md5-passwords
--with-pam --with-selinux --with-tcp-wrappers

The new server software works fine for regular ssh/sftp users.
However, when logging on as a member of the chroot group we obtain
this error:

ssh_selinux_getctxbyname: ssh_selinux_getctxbyname:
security_getenforce() failed

I have found reports of this exact error via Google in several
places dating back to 2006, but these all seem to devolve into
either: this has been fixed in version x.y.z on distribution Q,
where x.y.z is less than 5.3 and Q is not CentOS; or: the selinux
filesystem has to be mounted inside the chroot directory.

Since I assume the former is never going to happen for CentOS, at
least not in time to do me any good, I am looking for an explanation
of what the latter means and how it is accomplished.  Our current
SELinux status on that host is:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted

Our chroot directory path is:

/var/data/sshchroot

The questions are:

1. Is it possible to mount the selinux filesystem twice on the same
host having different roots?

2. If so, then how is this accomplished?

3. If not, then is there anything else that I can do, besides
disabling selinux support in the sshd daemon, to get this to work?

Sincerely,

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
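A small diagnostic for the "mount the selinux filesystem inside the chroot" suggestion discussed in the post, added here as an example and not part of the original message or of OpenSSH: it parses a /proc/mounts-style file to report whether a selinuxfs instance is already visible below the chroot root, and prints the bind mount that would provide one. It assumes the host's selinuxfs sits at /selinux and the chroot at /var/data/sshchroot, as in the post; the function names and the sample mount table are constructed for this example.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Assumes the host mounts
# selinuxfs at /selinux (matches the sestatus output in the post).

# Usage: selinuxfs_under_chroot CHROOT_DIR [MOUNTS_FILE]
# Exit 0 if a selinuxfs mount point lies strictly below CHROOT_DIR
# in MOUNTS_FILE (default /proc/mounts), 1 otherwise.
selinuxfs_under_chroot() {
    chroot_dir=${1%/}                 # drop one trailing slash, if any
    mounts_file=${2:-/proc/mounts}
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk -v root="$chroot_dir" '
        $3 == "selinuxfs" && index($2, root "/") == 1 { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$mounts_file"
}

# Print (do not run) the bind mount a root user would issue to expose the
# host selinuxfs inside the chroot. Whether this alone satisfies the
# sshd 5.3p1 SELinux lookup is an assumption, not established by the post.
suggest_bind_mount() {
    chroot_dir=${1%/}
    printf 'mkdir -p %s/selinux && mount --bind /selinux %s/selinux\n' \
        "$chroot_dir" "$chroot_dir"
}

# Constructed sample mount table in /proc/mounts format, for offline use.
# Note the decoy chroot path /var/data/sshchroot2: a plain prefix match
# would wrongly report it as belonging to /var/data/sshchroot.
sample_mounts_file() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
none /proc proc rw 0 0
none /selinux selinuxfs rw 0 0
/dev/sda2 /var ext3 rw 0 0
none /var/data/sshchroot2/selinux selinuxfs rw 0 0
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone run against the constructed table.
if [ "${1:-}" = "--demo" ]; then
    f=$(sample_mounts_file)
    if selinuxfs_under_chroot /var/data/sshchroot "$f"; then
        echo "selinuxfs already present under /var/data/sshchroot"
    else
        echo "no selinuxfs under /var/data/sshchroot; candidate fix:"
        suggest_bind_mount /var/data/sshchroot
    fi
    rm -f "$f"
fi
```

Run with `sh script.sh --demo` to see the check against the constructed table, or drop the second argument to inspect the live /proc/mounts of the host.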