[CentOS] securing sshd with selinux

Tue May 17 16:13:19 UTC 2011
Devin Reade <gdr at gno.org>

--On Tuesday, May 17, 2011 03:00:43 PM +0200 Hajo Locke <hajo.locke at gmx.de>
wrote:

> don't have experience with selinux, but I want to know if it would be a
> practicable way to secure sshd with selinux.
[snip]

Do your users need full ssh access or just scp/sftp?  You mention
php/perl, but it's not clear if they need to be able to upload scripts
that use those to render their web pages, or if they're needed
interactively.
(See also the last paragraph at the bottom of this email.)

If they just need scp/sftp, then a really nice solution is to use 

     Subsystem sftp internal-sftp
     ChrootDirectory /var/some-web-dir/%u

in your sshd_config file. You don't have the usual headaches associated
with setting up chroot environments, your users can only see their own
files, and you can point apache at that hierarchy to serve their pages.

For a username 'joe' with group 'web' with a nominal home directory
of /home/joe, the setup would then consist of:

    install -d -m755 -o root -g root /var/some-web-dir/joe
    install -d -m755 -o root -g root /var/some-web-dir/joe/home
    install -d -m755 -o joe  -g web  /var/some-web-dir/joe/home/joe

You can use the above directory instead of public_html if you want
all their files to be visible, or create a public_html under that
directory otherwise.  Another option is to create both a public_html
and a logs directory, and then arrange for the apache logs for that
user to be copied there.

You would still need to evaluate whether, in your environment, this
is sufficient for them uploading php/perl scripts and having them
*execute* in an appropriate and secure manner under apache.

Devin
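
An added example, not part of the original email: sshd_config(5) says sshd checks at session startup that every component of the ChrootDirectory pathname is a root-owned directory not writable by any other user or group, which is what the root-owned 755 directories above provide. The script below audits a chroot path against that rule; the function names and the STOP argument are assumptions made for this sketch, and it needs GNU stat.

```shell
#!/bin/sh
# Added example, not from the original email. Function names and the STOP
# argument are assumptions made for this sketch. Needs GNU stat (coreutils).

# Check one path component against sshd's ChrootDirectory rule:
# a directory, owned by WANT_UID, not writable by group or others.
check_chroot_component() {
    dir=$1
    want_uid=$2
    if [ ! -d "$dir" ]; then
        echo "BAD  $dir: not a directory"
        return 1
    fi
    set -- $(stat -c '%u %a' "$dir")    # $1 = owner uid, $2 = octal mode
    owner=$1
    mode=$2
    if [ "$owner" != "$want_uid" ]; then
        echo "BAD  $dir: owned by uid $owner, expected $want_uid"
        return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "BAD  $dir: mode $mode is group- or world-writable"
        return 1
    fi
    echo "OK   $dir (uid $owner, mode $mode)"
}

# check_chroot_path DIR [WANT_UID] [STOP]
# Walk from DIR up to STOP (default /), checking every component.
# WANT_UID defaults to 0 (root); STOP exists so a scratch tree can be tested.
check_chroot_path() {
    path=$1
    uid=${2:-0}
    stop=${3:-/}
    rc=0
    while :; do
        check_chroot_component "$path" "$uid" || rc=1
        if [ "$path" = "$stop" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return $rc
}

# Example: sh check_chroot.sh /var/some-web-dir/joe
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Only the chroot path and its parents are checked; directories below it, such as the user-owned home/joe, are outside the rule and are not examined.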