Re: [CentOS] CentOS-6 SSHD chroot SELinux problem

2015-10-09 Thread Mark Tinberg

> On Oct 9, 2015, at 7:58 AM, James B. Byrne wrote:
> 
> allow syslogd_t user_home_t:dir write;
> 

The easiest way to fix this would be to use chcon to change the file context of 
the syslog socket in the chroot directory to be like the main /dev/log, and any 
log files and directories to the same type as the main system, instead of the 
user_home_t types that get created by default.

— 
Mark Tinberg, System Administrator
Division of Information Technology - Network Services
University of Wisconsin - Madison
mark.tinb...@wisc.edu

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
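A script form of the relabelling Mark describes, added here as an example and not code from the thread: it copies the contexts of the live /dev/log and /var/log onto their twins inside the chroot, so syslogd_t never needs write access to user_home_t. The chroot path /home/y is the one from the thread; that dev/log and var/log already exist inside it is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: relabel a chrooted sshd tree so the
# syslog socket and log files carry the main system's types (devlog_t,
# var_log_t) instead of the user_home_t they inherit under /home, which is
# what the "allow syslogd_t user_home_t:dir write" denial is really about.
# Assumptions: the chroot is /home/y (from the thread) and dev/log and
# var/log already exist inside it. DRY_RUN=1 (default) only prints commands.

CHROOT="${CHROOT:-/home/y}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Copy contexts from the live system objects onto their chroot twins.
# --reference avoids hard-coding a type string that may differ per policy.
relabel_chroot() {
    _root="$1"
    run chcon --reference=/dev/log "$_root/dev/log"
    run chcon -R --reference=/var/log "$_root/var/log"
}

# Return 0 when two paths carry the same SELinux context (stat -c %C).
# Use it after an apply run, or before deciding a custom module is needed.
same_context() {
    [ "$(stat -c %C "$1")" = "$(stat -c %C "$2")" ]
}

# Dry run by default; pass --apply (as root) to actually relabel.
if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
fi
relabel_chroot "$CHROOT"
```

chcon labels do not survive a full relabel or restorecon; where semanage supports it, a substitution rule such as `semanage fcontext -a -e /var/log /home/y/var/log` followed by `restorecon -R /home/y` is the durable form of the same fix.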


Re: [CentOS] CentOS-6 SSHD chroot SELinux problem

2015-10-09 Thread m . roth
James,

   I don't have an answer, but you'll note that I replied to both the
CentOS list, and the more appropriate selinux list. Folks like Dan
Walsh are responders there.

   mark

James B. Byrne wrote:
> I run a sshd host solely to allow employees to tunnel secure
> connections to our internal hosts. Some of which do not support
> encrypted protocols.  These connections are chroot'ed via the
> following in /etc/ssh/sshd_config
>
> Match Group !wheel,!xx,y
> AllowTcpForwarding yes
> ChrootDirectory /home/y
> X11Forwarding yes
>
> Where external users belong to group y (primary).
>
> We have a problem with SELinux in that chrooted users cannot tunnel
> https requests unless SELinux is set to permissive (or turned off
> altogether).  This problem does not evidence itself unless the account
> is chrooted.
>
> The output from audit2allow is this:
>
> sudo audit2allow -l -a
>
>
> #= chroot_user_t ==
> allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
> allow chroot_user_t user_home_t:chr_file open;
>
> #= syslogd_t ==
> # The source type 'syslogd_t' can write to a 'dir' of the
> # following types:
> # var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t,
> # syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile,
> # cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t,
> # cluster_conf_t, tmp_t
>
> allow syslogd_t user_home_t:dir write;
>
>
> My questions are:
>
> Do SE booleans settings exist that permit chrooted ssh access to
> forward https and log the activity?  If so then what are they?
>
> If not, then have I made a configuration error in sshd_config?  What
> is it?
>
> If not, then is this a defect in the SELinux policy?
>
> If not, then what are the implications of creating a custom policy to
> handle this using the output given above?
>
>
>




[CentOS] CentOS-6 SSHD chroot SELinux problem

2015-10-09 Thread James B. Byrne
I run a sshd host solely to allow employees to tunnel secure
connections to our internal hosts. Some of which do not support
encrypted protocols.  These connections are chroot'ed via the
following in /etc/ssh/sshd_config

Match Group !wheel,!xx,y
AllowTcpForwarding yes
ChrootDirectory /home/y
X11Forwarding yes

Where external users belong to group y (primary).

We have a problem with SELinux in that chrooted users cannot tunnel
https requests unless SELinux is set to permissive (or turned off
altogether).  This problem does not evidence itself unless the account
is chrooted.

The output from audit2allow is this:

sudo audit2allow -l -a


#= chroot_user_t ==
allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
allow chroot_user_t user_home_t:chr_file open;

#= syslogd_t ==
# The source type 'syslogd_t' can write to a 'dir' of the
# following types:
# var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t,
# syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile,
# cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t,
# cluster_conf_t, tmp_t

allow syslogd_t user_home_t:dir write;


My questions are:

Do SE booleans settings exist that permit chrooted ssh access to
forward https and log the activity?  If so then what are they?

If not, then have I made a configuration error in sshd_config?  What
is it?

If not, then is this a defect in the SELinux policy?

If not, then what are the implications of creating a custom policy to
handle this using the output given above?



-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
James B. Byrnemailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3
