Hi,
I just configured the internal-sftp of sshd (with chroot option) but when I tried to log on as the sftp user I can't. I get the following AVC:
setroubleshoot: SELinux is preventing /usr/sbin/sshd from getattr access on the directory /var/ftp. For complete SELinux messages...
/var/ftp is a filesystem of its own labeled "public_content_t".
I really have no clue why this doesn't work. Apparently it's something related to the "internal-sftp" which one needs to use in order to allow the chroot environment. I could only make it work by enabling the ssh_chroot_full_access boolean which seems overkill...
Is this boolean the only way to go with internal-sftp ?
Thanks, Jorge
Dne 14.11.2013 22:49, Jorge Fábregas napsal(a):
> Hi,
> I just configured the internal-sftp of sshd (with chroot option) but when I tried to log on as the sftp user I can't. I get the following AVC:
> setroubleshoot: SELinux is preventing /usr/sbin/sshd from getattr access on the directory /var/ftp. For complete SELinux messages...
> /var/ftp is a filesystem of its own labeled "public_content_t".
> I really have no clue why this doesn't work. Apparently it's something related to the "internal-sftp" which one needs to use in order to allow the chroot environment. I could only make it work by enabling the ssh_chroot_full_access boolean which seems overkill...
> Is this boolean the only way to go with internal-sftp ?
> Thanks, Jorge
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
What raw AVC msgs are you getting?
What OS?
On 11/14/2013 05:52 PM, Miroslav Grepl wrote:
> What raw AVC msgs are you getting?
> What OS?
Hi,
As soon as I enter the password I get this in /var/log/secure:
Nov 15 06:57:34 sftphd sshd[11179]: fatal: safely_chroot: stat("/var/ftp/"): Permission denied
The home directory for the user is /var/ftp/pub (that's where it gets jailed in) and it is public_content_t as well.
Here's the AVC:
type=AVC msg=audit(1384513054.850:2835): avc: denied { getattr } for pid=11179 comm="sshd" path="/var/ftp" dev=sdb1 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
This is CentOS 6.4 fully patched.
Thanks, Jorge
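As an added example (not something posted in the thread), here is a small POSIX shell helper that pulls the fields that matter out of a raw AVC record like the one above: the source type, the target type, the object class and the denied permission. That tuple is what any fix (a boolean, a relabel, or a custom module) has to address, so it is worth reading off precisely before reaching for ssh_chroot_full_access. The sample record is a constructed copy of Jorge's line; the sshd_config fragment in the comments is an assumption about what an internal-sftp chroot setup typically looks like, not his actual config.

```shell
#!/bin/sh
# Added example, not from the thread. Extracts the interesting fields from a
# raw AVC record so you can see exactly which source type was denied which
# permission on which target type.
#
# The setup under discussion is usually something like this in sshd_config
# (assumed, not Jorge's actual file):
#   Match Group sftponly
#       ChrootDirectory /var/ftp
#       ForceCommand internal-sftp
# sshd stats the ChrootDirectory before chrooting, which is the getattr
# on /var/ftp that the AVC below reports.

# Constructed copy of the AVC posted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1384513054.850:2835): avc: denied { getattr } for pid=11179 comm="sshd" path="/var/ftp" dev=sdb1 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir'

# avc_field LINE KEY -> value of KEY=... in LINE, with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^"[:space:]]*\).*/\1/p'
}

# avc_perms LINE -> the permission list inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT -> the type component (user:role:type:range)
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "SRC_TYPE TGT_TYPE CLASS PERMS", the tuple a policy
# rule (or the boolean that enables one) has to permit
avc_summary() {
    line=$1
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "$(avc_perms "$line")"
}

# On a live box you would feed real records instead of the sample, e.g.
#   ausearch -m avc -ts recent | grep '^type=AVC' | while read -r l; do avc_summary "$l"; done
# and then check what policy already allows for that tuple and which
# booleans are involved (setools' sesearch, getsebool):
#   sesearch --allow -s chroot_user_t -t public_content_t -c dir -p getattr
#   getsebool -a | grep ssh_chroot
avc_summary "$SAMPLE_AVC"
```

The output for the sample is `chroot_user_t public_content_t dir getattr`: sshd, already transitioned to the chroot_user_t domain for this session, needs getattr on a directory labeled public_content_t. Knowing that is the whole denial lets you check whether a narrower boolean or a label change on /var/ftp covers it before granting full access.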
On Fri, 2013-11-15 at 07:10 -0400, Jorge Fábregas wrote:
> On 11/14/2013 05:52 PM, Miroslav Grepl wrote:
>> What raw AVC msgs are you getting?
>> What OS?
> Hi,
> As soon as I enter the password I get this in /var/log/secure:
> Nov 15 06:57:34 sftphd sshd[11179]: fatal: safely_chroot: stat("/var/ftp/"): Permission denied
> The home directory for the user is /var/ftp/pub (that's where it gets jailed in) and it is public_content_t as well.
It says that it's not allowed to stat /var/ftp:
ls -dZ /var/ftp
But as an aside, if you want to chroot users to a non user home dir then you might want to add that dir to the exclude dirs in semanage.conf, because otherwise you might run into issues when policy is rebuilt and you run restorecon on that location,
because genhomedircon would treat that dir as a user home dir and add fc specs for it.
I think the ssh chroot functionality is BS
I created a screencast and put it on YouTube in which I demonstrate how to use SELinux to confine users with a need for chroots: