[CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

Wed Feb 3 16:01:33 UTC 2010
Dale Dellutri <daledellutri at gmail.com>

On Wed, Feb 3, 2010 at 9:26 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:

>
> On Wed, February 3, 2010 09:48, Ned Slider wrote:
> > James B. Byrne wrote:
> >> Note: I am digest subscriber so if you could copy me directly on
> >> any reply to the list I would appreciate it very much.
> >>
> >
> > <snip>
> >
> >> After a modest amount of research we decided that the
> >> best answer was to use a more recent version of OpenSSH
> >> (5.3p1) that supports chroot as a configurable option.
> >>
> >
> > I've not tested it, but I believe the chroot stuff was backported
> > some while ago:
> >
>
> Thank you very much for the information for I was not aware of this.
>
> Unfortunately, having tested the CentOS stock sshd server I discover
> that this back-port is very similar to that of the sftponly hack of
> several years ago.  It is not the configurable chroot of
> OpenSSH-5.3.  To begin with, it very much appears from the
> documentation as if this is an all or nothing setting; if it is on
> then all ssh users are chrooted. Further, to use this feature with
> interactive sessions one must copy all of the requisite system
> utilities into directories under the chroot directory.
>
> (For an interactive session this requires at least a shell,
> typically sh(1), and basic /dev nodes such as null(4), zero(4),
> stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices.)
>
> This is not a viable alternative since the system is remotely managed.
>

You mention two problems:
  1. "all or nothing setting"
  2. "copy all of the requisite system utilities"

As for #1, you could run two separate SSH daemons (using different
ports), so that only 1 has the chroot option.  Here's a discussion about
how to run two separate SSH daemons:
  http://www.DaleDellutri.com/prog.html

As for #2, I don't understand how the fact that the system is remotely
managed makes copying the files "not a viable alternative".  Do you
not have root access to the server?  (I'm not criticising, I simply don't
understand.)


> So, I am left still seeking answers to my original questions.
>
> 1. Is it possible to mount the selinux filesystem twice on the same
> host having different roots?
>
> 2. If so, then how is this accomplished?
>
> 3. If not, then is there anything else that I can do, besides
> disabling selinux support in the sshd daemon, to get OpenSSH-5.3
> chroot to work with SELinux?
>

I am also interested in the answers to these questions.

-- 
Dale Dellutri
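A worked version of the two-daemon approach, added here as an illustration and not code from this thread or from the CentOS or OpenSSH projects: the stock daemon keeps /etc/ssh/sshd_config on port 22, and a second sshd started with -f reads its own file in which ChrootDirectory applies to every user it accepts, so the all-or-nothing behaviour is confined to that instance. The port 2222, the jail path /srv/sftp-chroot, the group name sftponly and the PID file path are assumptions chosen for the example; the device nodes use Linux major/minor numbers (random and urandom rather than a BSD-style arandom), and the copy of /bin/sh with its shared libraries is what an interactive login needs, an sftp-only jail served by internal-sftp can do without it.

```shell
#!/bin/sh
# Added example (not from the original thread): run a second sshd that
# chroots every user it accepts, next to the stock unchrooted daemon.
# Assumptions, chosen for illustration: the chroot daemon listens on 2222,
# the jail lives at /srv/sftp-chroot, only members of group "sftponly"
# may log in through it, and device nodes use Linux major/minor numbers.
set -eu

# Write the chroot daemon's config into directory $1, listening on port $2
# with every session chrooted under $3. Prints the path of the file written.
gen_chroot_sshd_config() {
    dir=$1; port=$2; jail=$3
    cfg="$dir/sshd_chroot_config"
    cat > "$cfg" <<EOF
# Second sshd instance: everything it accepts is chrooted (all-or-nothing),
# so the unchrooted admin daemon keeps running from /etc/ssh/sshd_config.
Port $port
PidFile /var/run/sshd_chroot.pid
ChrootDirectory $jail
AllowGroups sftponly
Subsystem sftp internal-sftp
EOF
    echo "$cfg"
}

# Print the value of directive $2 in sshd config $1 (first match, case-insensitive).
config_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Copy binary $1 and every shared object it needs into jail $2. ldd prints
# either "libc.so.6 => /lib64/libc.so.6 (0x...)" or "/lib64/ld-linux-x86-64.so.2 (0x...)".
copy_with_libs() {
    bin=$1; jail=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    ldd "$bin" | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Create the device nodes an interactive session needs, with Linux numbers;
# stdin/stdout/stderr are symlinks into /proc on Linux. Needs root.
populate_chroot_dev() {
    jail=$1
    mkdir -p "$jail/dev"
    [ -c "$jail/dev/null" ]    || mknod -m 666 "$jail/dev/null"    c 1 3
    [ -c "$jail/dev/zero" ]    || mknod -m 666 "$jail/dev/zero"    c 1 5
    [ -c "$jail/dev/random" ]  || mknod -m 666 "$jail/dev/random"  c 1 8
    [ -c "$jail/dev/urandom" ] || mknod -m 666 "$jail/dev/urandom" c 1 9
    [ -c "$jail/dev/tty" ]     || mknod -m 666 "$jail/dev/tty"     c 5 0
    ln -sfn /proc/self/fd/0 "$jail/dev/stdin"
    ln -sfn /proc/self/fd/1 "$jail/dev/stdout"
    ln -sfn /proc/self/fd/2 "$jail/dev/stderr"
}

# Build the jail: sshd rejects a ChrootDirectory that is not owned by root
# or is group/world-writable, so fix ownership and mode first. The shell is
# only needed for interactive logins, not for internal-sftp. Needs root.
prepare_chroot() {
    jail=$1
    mkdir -p "$jail"
    chown root:root "$jail"
    chmod 755 "$jail"
    copy_with_libs /bin/sh "$jail"
    populate_chroot_dev "$jail"
}

# Syntax-check the second config, then start the daemon from it.
start_chroot_sshd() {
    /usr/sbin/sshd -t -f "$1" && /usr/sbin/sshd -f "$1"
}

# Stand-alone run: writes the config into a scratch directory and shows it.
# With the argument "prepare" (as root) it also builds the jail and starts
# the second daemon.
scratch=$(mktemp -d)
cfg=$(gen_chroot_sshd_config "$scratch" 2222 /srv/sftp-chroot)
cat "$cfg"
if [ "${1:-}" = prepare ]; then
    prepare_chroot /srv/sftp-chroot
    start_chroot_sshd "$cfg"
fi
```

Without arguments the script only writes and prints the generated config; run it as root with the argument prepare to populate the jail and start the second daemon. sshd -t validates the file before anything is started, and the separate PidFile keeps the init script for the stock daemon from killing the chrooted one.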