Re: [CentOS] CentOS-6 SSHD chroot SELinux problem

2015-10-09 Thread m . roth
James,

   I don't have an answer, but you'll note that I replied to both the
CentOS list, and the more appropriate selinux list. Folks like Dan
Walsh are responders there.

   mark

James B. Byrne wrote:
> I run a sshd host solely to allow employees to tunnel secure
> connections to our internal hosts, some of which do not support
> encrypted protocols.  These connections are chroot'ed via the
> following in /etc/ssh/sshd_config
>
> Match Group !wheel,!xx,y
> AllowTcpForwarding yes
> ChrootDirectory /home/y
> X11Forwarding yes
>
> Where external users belong to group y (primary).
>
> We have a problem with SELinux in that chrooted users cannot tunnel
> https requests unless SELinux is set to permissive (or turned off
> altogether).  This problem does not evidence itself unless the account
> is chrooted.
>
> The output from audit2allow is this:
>
> sudo audit2allow -l -a
>
>
> #= chroot_user_t ==
> allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
> allow chroot_user_t user_home_t:chr_file open;
>
> #= syslogd_t ==
> # The source type 'syslogd_t' can write to a 'dir' of the
> following types:
> # var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t,
> syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile,
> cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t,
> cluster_conf_t, tmp_t
>
> allow syslogd_t user_home_t:dir write;
>
>
> My questions are:
>
> Do SE booleans settings exist that permit chrooted ssh access to
> forward https and log the activity?  If so then what are they?
>
> If not, then have I made a configuration error in sshd_config?  What
> is it?
>
> If not, then is this a defect in the SELinux policy?
>
> If not, then what are the implications of creating a custom policy to
> handle this using the output given above?
>
>
>
> --
> ***  e-Mail is NOT a SECURE channel  ***
> Do NOT transmit sensitive data via e-Mail
> James B. Byrne  mailto:byrn...@harte-lyne.ca
> Harte & Lyne Limited  http://www.harte-lyne.ca
> 9 Brockley Drive  vox: +1 905 561 1241
> Hamilton, Ontario fax: +1 905 561 0757
> Canada  L8E 3C3
>
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
>



Re: [CentOS] CentOS-6 SSHD chroot SELinux problem

2015-10-09 Thread Mark Tinberg

> On Oct 9, 2015, at 7:58 AM, James B. Byrne  wrote:
> 
> allow syslogd_t user_home_t:dir write;
> 

The easiest way to fix this would be to use chcon to change the file context of 
the syslog socket in the chroot directory to be like the main /dev/log, and any 
log files and directories to the same type as the main system, instead of the 
user_home_t types that get created by default.

— 
Mark Tinberg, System Administrator
Division of Information Technology - Network Services
University of Wisconsin - Madison
mark.tinb...@wisc.edu
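The relabeling Mark Tinberg describes, as an added example that is not part of the thread: it parses `ls -Z` output for the chroot's syslog socket and log paths, keeps only those still labelled user_home_t, and emits `chcon --reference` commands that copy the context of the matching path on the main system (so /dev/log gets the host's socket type and /var/log the host's log type). It assumes the chroot is /home/y as in the original sshd_config, that the socket sits at dev/log and logs under var/log inside it, and the `ls -Zd` line format of CentOS 6; the sample listing is constructed.

```shell
#!/bin/sh
# Relabel the syslog socket and log files inside an sshd chroot so the
# syslogd_t domain may reach them; under /home they are created as
# user_home_t, which the policy denies to syslogd_t.
# Assumption: chroot at $CHROOT, socket at $CHROOT/dev/log, logs in $CHROOT/var/log.
CHROOT="${CHROOT:-/home/y}"

# Read `ls -Zd` lines on stdin; print the path of each entry whose type is
# user_home_t. Finds the context field by its object_r role, so it works
# whether or not the permission/owner columns are present.
mislabeled_paths() {
    awk '{ for (i = 1; i <= NF; i++)
             if (split($i, c, ":") >= 3 && c[2] == "object_r" && c[3] == "user_home_t") {
                 print $NF; break } }'
}

# Emit the chcon command for one chroot path, taking the context from the
# same path on the main system (strip the chroot prefix to find it).
relabel_cmd() {
    _p="$1"
    _ref="${_p#"$CHROOT"}"
    printf 'chcon --reference=%s %s\n' "$_ref" "$_p"
}

# Turn a listing on stdin into the list of commands that would fix it.
plan_relabel() {
    mislabeled_paths | while read -r p; do relabel_cmd "$p"; done
}

# Constructed sample of `ls -Zd` over the chroot's syslog socket and logs
# (the last entry is already correctly labelled and must be skipped).
SAMPLE='srw-rw-rw-. root root system_u:object_r:user_home_t:s0 /home/y/dev/log
drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /home/y/var/log
-rw-------. root root system_u:object_r:user_home_t:s0 /home/y/var/log/messages
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /home/y/home'

# Live mode (`sh relabel.sh apply`): list the real chroot and run the plan.
apply_relabel() {
    ls -Zd "$CHROOT/dev/log" "$CHROOT/var/log" "$CHROOT"/var/log/* 2>/dev/null \
        | plan_relabel | sh
}
if [ "${1:-}" = apply ]; then apply_relabel; fi
```

Labels set with chcon are lost on the next filesystem relabel (restorecon or a full relabel); to keep them, also record the equivalent rules with `semanage fcontext -a` for the chroot paths.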