I run an sshd host solely to allow employees to tunnel secure
connections to our internal hosts, some of which do not support
encrypted protocols. These connections are chroot'ed via the
following in /etc/ssh/sshd_config:
Match Group !wheel,!xxxxxx,yyyyy
AllowTcpForwarding yes
ChrootDirectory /home/yyyyy
X11Forwarding yes
Where external users belong to group yyyyy (primary).
We have a problem with SELinux in that chrooted users cannot tunnel
https requests unless SELinux is set to permissive (or turned off
altogether). This problem does not evidence itself unless the account
is chrooted.
The output from audit2allow is this:
sudo audit2allow -l -a
#============= chroot_user_t ==============
allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
allow chroot_user_t user_home_t:chr_file open;
#============= syslogd_t ==============
#!!!! The source type 'syslogd_t' can write to a 'dir' of the following types:
# var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t, syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t
allow syslogd_t user_home_t:dir write;
My questions are:
Do SELinux boolean settings exist that permit chrooted ssh access to
forward https and log the activity? If so, then what are they?
If not, then have I made a configuration error in sshd_config? What
is it?
If not, then is this a defect in the SELinux policy?
If not, then what are the implications of creating a custom policy to
handle this using the output given above?
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
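An added example, not part of the original post: a small POSIX shell helper that takes the audit2allow output quoted above (embedded here as constructed input) and builds a custom policy module scoped to the chroot_user_t rules only, so the unrelated syslogd_t write into user_home_t is not granted along with them. The module name chroot_ssh_tunnel is an assumption, and the semanage/getsebool checks only run on a host that actually has those tools.

```shell
#!/bin/sh
# Added example: derive a narrowly scoped SELinux module from audit2allow output.
# Only rules whose source type is the one we care about (chroot_user_t) are kept;
# the syslogd_t -> user_home_t:dir write is a separate problem and is left out.

# Constructed input: the audit2allow output quoted in the post.
AUDIT2ALLOW_OUT='#============= chroot_user_t ==============
allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
allow chroot_user_t user_home_t:chr_file open;
#============= syslogd_t ==============
allow syslogd_t user_home_t:dir write;'

# Print only the "allow" rules whose source type is $1.
select_rules() {
    printf '%s\n' "$AUDIT2ALLOW_OUT" | awk -v src="$1" '$1 == "allow" && $2 == src'
}

# Number of rules selected for source type $1 (used for a quick sanity check).
count_rules() { select_rules "$1" | wc -l | tr -d ' '; }

# Emit a .te module for source type $1 named $2 (hypothetical name):
# a require block listing every type, class and permission the rules touch,
# followed by the rules themselves. This mirrors what audit2allow -M builds,
# but from the filtered rule set instead of every denial in the log.
make_te() {
    rules=$(select_rules "$1")
    printf 'policy_module(%s, 1.0)\n\nrequire {\n' "$2"
    printf '%s\n' "$rules" | awk '{
        split($3, a, ":"); sub(/;$/, "", $4)
        print "    type " $2 ";"
        print "    type " a[1] ";"
        print "    class " a[2] " " $4 ";"
    }' | sort -u
    printf '}\n\n%s\n' "$rules"
}

# On a live SELinux host only: confirm which port really carries the
# cyphesis_port_t label (the post expects https), and list any ssh chroot
# booleans that might already cover the access before installing a module.
if command -v semanage >/dev/null 2>&1; then
    semanage port -l | grep cyphesis_port_t || true
    getsebool -a | grep -i chroot || true
fi

# Typical use on RHEL/Fedora with the policy devel package installed:
#   make_te chroot_user_t chroot_ssh_tunnel > chroot_ssh_tunnel.te
#   make -f /usr/share/selinux/devel/Makefile chroot_ssh_tunnel.pp
#   semodule -i chroot_ssh_tunnel.pp
```

Review the generated require block before building: every type and permission it lists is exactly what the module grants, which is the scope to justify when weighing the custom-policy question above.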