On Wed, February 3, 2010 09:48, Ned Slider wrote:
> James B. Byrne wrote:
>> Note: I am digest subscriber so if you could copy me directly on
>> any reply to the list I would appreciate it very much.
>>
>
> <snip>
>
>> After a modest amount of research we decided that the
>> best answer was to use a more recent version of OpenSSH
>> (5.3p1) that supports chroot as a configurable option.
>>
>
> I've not tested it, but I believe the chroot stuff was backported
> some while ago:
>

Thank you very much for the information, for I was not aware of this.

Unfortunately, having tested the CentOS stock sshd server, I discover that this back-port is very similar to that of the sftponly hack of several years ago. It is not the configurable chroot of OpenSSH-5.3.

To begin with, it very much appears from the documentation as if this is an all-or-nothing setting; if it is on, then all ssh users are chrooted. Further, to use this feature with interactive sessions one must copy all of the requisite system utilities into directories under the chroot directory. (For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices.) This is not a viable alternative since the system is remotely managed.

So, I am left still seeking answers to my original questions.

1. Is it possible to mount the selinux filesystem twice on the same host having different roots?

2. If so, then how is this accomplished?

3. If not, then is there anything else that I can do, besides disabling selinux support in the sshd daemon, to get OpenSSH-5.3 chroot to work with SELinux?

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
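An added example, not part of the message above or of OpenSSH itself: a POSIX shell helper that writes the per-group Match block OpenSSH 5.x accepts for ChrootDirectory (so the chroot applies only to one group rather than to every user), checks the ownership and mode rules sshd enforces on the chroot path and each of its parents, and creates the device nodes the message lists for an interactive chroot. The group name sftponly, the base path /home/chroot and the user alice are assumptions chosen for illustration; the major/minor numbers are Linux's, so /dev/random and /dev/urandom stand in for the BSD arandom(4) named in the message. It does not address the SELinux question.

```shell
#!/bin/sh
# Added example, not code from the thread. Group "sftponly" and base
# directory /home/chroot are assumptions used for illustration.

# Print an sshd_config Match block that chroots members of one group only.
# ChrootDirectory inside a Match block requires OpenSSH 4.9 or later;
# %u expands to the user name at login time.
gen_sshd_match() {
    group="$1"; base="$2"
    printf 'Match Group %s\n' "$group"
    printf '    ChrootDirectory %s/%%u\n' "$base"
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# Return 0 if an octal mode string (e.g. 755, 1777) grants no write bit to
# group or other. sshd requires this of the chroot target and every parent.
mode_is_private() {
    mode="$1"
    go=${mode#"${mode%??}"}          # last two octal digits: group, other
    case "$go" in
        *[2367]*) return 1 ;;        # 2, 3, 6 and 7 all carry the write bit
        *) return 0 ;;
    esac
}

# Walk from the chroot target up to / and apply sshd's ownership and mode
# rules ahead of time; otherwise they surface only as
# "bad ownership or modes for chroot directory" in the log after login fails.
check_chroot_path() {
    path="$1"
    while :; do
        owner=$(stat -c '%u' "$path") || return 2
        mode=$(stat -c '%a' "$path") || return 2
        if [ "$owner" -ne 0 ]; then
            echo "$path: not owned by root (uid $owner)" >&2; return 1
        fi
        if ! mode_is_private "$mode"; then
            echo "$path: mode $mode is group- or world-writable" >&2; return 1
        fi
        [ "$path" = "/" ] && return 0
        path=$(dirname "$path")
    done
}

# Create the device nodes an interactive shell needs inside the chroot.
# Linux major:minor numbers; must run as root. The shell itself and the
# libraries it links against (see ldd) still have to be copied separately.
populate_chroot_dev() {
    root="$1"
    mkdir -p "$root/dev"
    mknod -m 666 "$root/dev/null"    c 1 3
    mknod -m 666 "$root/dev/zero"    c 1 5
    mknod -m 666 "$root/dev/tty"     c 5 0
    mknod -m 666 "$root/dev/random"  c 1 8
    mknod -m 666 "$root/dev/urandom" c 1 9
    # On Linux stdin/stdout/stderr are symlinks into /proc and only
    # resolve if /proc is mounted inside the chroot as well.
    ln -s /proc/self/fd/0 "$root/dev/stdin"
    ln -s /proc/self/fd/1 "$root/dev/stdout"
    ln -s /proc/self/fd/2 "$root/dev/stderr"
}

# Usage (as root, names assumed):
#   gen_sshd_match sftponly /home/chroot >> /etc/ssh/sshd_config
#   check_chroot_path /home/chroot/alice && sshd -t
#   populate_chroot_dev /home/chroot/alice
```

After appending the Match block, `sshd -t` validates the file and `sshd -T -C user=alice` (OpenSSH 5.1 and later) prints the effective settings for that user, which is the quickest way to confirm the chroot applies to the intended accounts only.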