[CentOS] C-6.6 - sshd_config chroot SELinux issues

Thu Jul 9 13:41:50 UTC 2015
James B. Byrne <byrnejb at harte-lyne.ca>

CentOS-6.6

We have sshd chroot working, mostly, for a particular groupid. 
However, we have two things that remain u/s, no doubt due to some
omission on my part.

Basically, we would like our users to be able to tunnel their https
over the ssh connection to this server and be able to do X11
forwarding as well.  At the moment both work when the user connects
without chroot and neither works if they are chroot, even when the
chroot directory is the actual system /.

The Match statements are:

Match Group wheel
    AllowTcpForwarding yes
    ChrootDirectory /
    PermitOpen any
    X11Forwarding yes
    X11UseLocalhost no

Match Group !wheel,sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no


There are SELinux issues:

/var/log/messages

Jul  9 09:22:43 inet02 setroubleshoot: SELinux is preventing
/usr/sbin/sshd from create access on the udp_socket . For complete
SELinux messages. run sealert -l 91eae747-73dc-43d8-8af9-0601e726f233

Jul  9 09:22:43 inet02 setroubleshoot: SELinux is preventing
/usr/sbin/sshd from create access on the tcp_socket . For complete
SELinux messages. run sealert -l c5d4049e-cffb-4cfb-a243-135c7b297e8b

Jul  9 09:22:44 inet02 setroubleshoot: SELinux is preventing
/usr/sbin/sshd from open access on the chr_file 5. For complete
SELinux messages. run sealert -l d77a3254-8aba-4a13-bd78-0bcf14e67035


/var/log/secure

Jul  9 09:22:34 inet02 sshd[17681]: error: socket: Permission denied

Jul  9 09:22:34 inet02 sshd[17684]: error: /dev/pts/5: Permission denied



# grep sshd /var/log/audit/audit.log | audit2allow


#============= chroot_user_t ==============

#!!!! This avc is allowed in the current policy
allow chroot_user_t admin_home_t:dir search;

#!!!! This avc is allowed in the current policy
allow chroot_user_t net_conf_t:file read;
allow chroot_user_t self:netlink_route_socket create;
allow chroot_user_t self:tcp_socket create;
allow chroot_user_t self:udp_socket create;
allow chroot_user_t user_devpts_t:chr_file open;
allow chroot_user_t user_home_t:chr_file { read write };

#!!!! This avc is allowed in the current policy
allow chroot_user_t xauth_exec_t:file getattr;

#============= xauth_t ==============
allow xauth_t chroot_user_t:process sigchld;


# getsebool -a | grep ssh

allow_ssh_keysign --> off
fenced_can_ssh --> off
ssh_chroot_full_access --> on
ssh_chroot_manage_apache_content --> off
ssh_chroot_rw_homedirs --> on
ssh_sysadm_login --> off

These are definitely involved with the X11 forwarding issue because if
I use: setenforce Permissive then gvim works for a chrooted session.
However, when setenforce Enforcing is set then gvim fails with: 'E233:
cannot open display'.

I have not tried the https tunnelling without SELinux but I suspect
that the problem is similar if not identical.

Do I generate a custom policy or are there some other SSH/SELinux
settings that I am missing?

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3