[CentOS] CentOS-6 SSHD chroot SELinux problem

m.roth at 5-cent.us m.roth at 5-cent.us
Fri Oct 9 13:12:34 UTC 2015


James,

   I don't have an answer, but you'll note that I replied to both the
CentOS list, and the more appropriate selinux list. Folks like Dan
Walsh are responders there.

       mark

James B. Byrne wrote:
> I run an sshd host solely to allow employees to tunnel secure
> connections to our internal hosts, some of which do not support
> encrypted protocols.  These connections are chroot'ed via the
> following in /etc/ssh/sshd_config
>
> Match Group !wheel,!xxxxxx,yyyyy
>     AllowTcpForwarding yes
>     ChrootDirectory /home/yyyyy
>     X11Forwarding yes
>
> Where external users belong to group yyyyy (primary).
>
> We have a problem with SELinux in that chrooted users cannot tunnel
> https requests unless SELinux is set to permissive (or turned off
> altogether).  This problem does not evidence itself unless the account
> is chrooted.
>
> The output from audit2allow is this:
>
> sudo audit2allow -l -a
>
>
> #============= chroot_user_t ==============
> allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
> allow chroot_user_t user_home_t:chr_file open;
>
> #============= syslogd_t ==============
> #!!!! The source type 'syslogd_t' can write to a 'dir' of the
> following types:
> # var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t,
> syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile,
> cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t,
> cluster_conf_t, tmp_t
>
> allow syslogd_t user_home_t:dir write;
>
>
> My questions are:
>
> Do SE booleans settings exist that permit chrooted ssh access to
> forward https and log the activity?  If so then what are they?
>
> If not, then have I made a configuration error in sshd_config?  What
> is it?
>
> If not, then is this a defect in the SELinux policy?
>
> If not, then what are the implications of creating a custom policy to
> handle this using the output given above?
>
>
>
> --
> ***          e-Mail is NOT a SECURE channel          ***
>         Do NOT transmit sensitive data via e-Mail
> James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>
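On the last of the questions above (what loading that audit2allow output as a custom module would imply), the following is an added example, not code from the thread, from the CentOS list or from the audit2allow tool. It parses the `allow` lines audit2allow prints, flags the ones a reviewer should question, and renders the rules in the `.te` layout that `audit2allow -M` produces, so the module can be read before `semodule -i` loads it. The sample input is constructed from the rules quoted in the message; the module name `chrootssh`, the `BROAD_TARGETS` and `DAEMON_DOMAINS` sets and the review heuristics are my own choices, and the suggestion that `user_home_t` labels on device nodes or log sockets under a `/home` chroot point at a labelling problem rather than a policy gap is my reading, not something the thread confirms.

```python
"""Review audit2allow output before turning it into a local SELinux module."""
import re
from dataclasses import dataclass

# Constructed sample input: the rules quoted in the message above.
SAMPLE = """\
#============= chroot_user_t ==============
allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
allow chroot_user_t user_home_t:chr_file open;

#============= syslogd_t ==============
#!!!! The source type 'syslogd_t' can write to a 'dir' of the following types:
# var_log_t, var_run_t, syslogd_tmp_t
allow syslogd_t user_home_t:dir write;
"""

# allow <source> <target>:<class> <perm | { perm perm ... }>;
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")

# Permissions that change state; granting them to a broad type deserves a closer look.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr", "add_name", "remove_name"}
# Types shared by many files (my choice of list); a local module should not widen them.
BROAD_TARGETS = {"user_home_t", "root_t", "device_t", "tmp_t", "var_log_t"}
# Illustrative set of system daemon domains that have no business in home directories.
DAEMON_DOMAINS = {"syslogd_t", "sshd_t"}


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: tuple  # sorted permission names


def parse_rules(text):
    """Return the allow rules in audit2allow output; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            perms = tuple(sorted(m.group(4).strip("{} ").split()))
            rules.append(AllowRule(m.group(1), m.group(2), m.group(3), perms))
    return rules


def assess(rule):
    """List reviewer findings for one rule; an empty list means nothing stood out."""
    findings = []
    if rule.tclass in ("tcp_socket", "udp_socket") and "name_connect" in rule.perms:
        findings.append(f"grants outbound connections to every port labelled {rule.target}")
        if rule.target != "http_port_t":
            findings.append(f"{rule.target} is not http_port_t; check the real destination "
                            "port with 'semanage port -l' before allowing it")
    if set(rule.perms) & WRITE_LIKE and rule.target in BROAD_TARGETS:
        findings.append(f"lets {rule.source} modify {rule.target}, a type shared by many files")
    if rule.tclass == "chr_file" and rule.target in BROAD_TARGETS:
        findings.append(f"a device node labelled {rule.target}: inspect the chroot's dev/ "
                        "with 'ls -Z' first, the label may be wrong")
    if rule.source in DAEMON_DOMAINS and rule.target == "user_home_t":
        findings.append("a system daemon writing into user home directories usually means "
                        "a mislabelled path inside the chroot, not a policy gap")
    return findings


def review(text):
    """Map each rule (as audit2allow prints it) to its findings."""
    report = {}
    for r in parse_rules(text):
        perms = r.perms[0] if len(r.perms) == 1 else "{ " + " ".join(r.perms) + " }"
        report[f"allow {r.source} {r.target}:{r.tclass} {perms};"] = assess(r)
    return report


def to_te(rules, module_name):
    """Render rules as policy module source in the layout audit2allow -M emits."""
    types = sorted({r.source for r in rules} | {r.target for r in rules})
    classes = {}
    for r in rules:
        classes.setdefault(r.tclass, set()).update(r.perms)
    lines = [f"module {module_name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    for c in sorted(classes):
        lines.append(f"\tclass {c} {{ {' '.join(sorted(classes[c]))} }};")
    lines += ["}", ""]
    lines += [rule_text for rule_text in review("\n".join(
        f"allow {r.source} {r.target}:{r.tclass} {' '.join(r.perms)};" for r in rules))]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for rule_text, findings in review(SAMPLE).items():
        print(rule_text)
        for f in findings:
            print("   !", f)
    print(to_te(parse_rules(SAMPLE), "chrootssh"))
```

Run against the quoted output, every one of the three rules draws at least one finding: the `name_connect` rule opens the chroot domain to whatever port carries the `cyphesis_port_t` label, which is not the label https traffic normally gets, and the two `user_home_t` rules are the kind that a relabel usually removes. The rendered `.te` is what you would compare against the file `audit2allow -M chrootssh` writes; `getsebool -a` remains the place to check for a boolean before loading anything.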
