Solved

Linux, Chroot Jail, SSH not playing well with SELinux

Posted on 2013-06-09
10
1,609 Views
Last Modified: 2013-06-09
Here is my AVC Denial:

type=AVC msg=audit(1370709118.483:31357): avc:  denied  { transition } for  pid=12246 comm="sshd" path="/bin/bash" dev=md127p3 ino=786450 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process


and the audit2allow message:


#============= chroot_user_t ==============

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow chroot_user_t unconfined_t:process transition;


I tried to make a custom policy module but it fails.

Any help would be much appreciated.

I made a chroot jail in /jail directory and copied the binaries I need for /bin/bash to it.

When I attempt to login via SSH with SELinux enabled, I get disconnected.

It works if SELinux is not enabled.

Thanks again for any help!!

dr34m3r
0
Comment
Question by:dr34m3rs
  • 7
  • 3
10 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 39232873
Ssh is auto "jailed" in /var/empty

Are you trying to "jail"all users in /jail?
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233076
No just specific users that are involved with the group "chrootjail"

I want to jail commands run once logged in, so that specific users are locked to a specific area.
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 39233093
When jailing/chroot you often need to provide the varius functions into that locations replicating the stracture.
http://m.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229

Within Selinux configuration add the /jail in a rule matching /home
0
Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233673
Ohhhh so if I move the /jail to /home/user/jail it could work?

I'll try that later.

If you mean, add an SELinux rule, I'm afraid I can create modules based on audit2allow output, but I am a noob when it comes to writing my own SELinux modules...  how would I write a custom module to allow this?

Or could I change the ls -AlZ (selinux attributes) myself with semanage fcontext -a -t home_dir_t /jail and make it permanent?

I'll test that later too though I expect it could fail...
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233678
>> "When jailing/chroot you often need to provide the varius functions into that locations replicating the stracture."

Yes, I added the necessary functionality, libraries and binaries I wanted to the jail dir.

When I test it with SELinux disabled (echo 0 > /selinux/enforce) it functions correctly.
0
 
LVL 77

Expert Comment

by:arnold
ID: 39233720
/etc/selinux/targeted
or based on your settings.
within there are a set of files one of which is
/etc/selinux/targeted/contexts/files/file_contexts.homedirs

this is where you can add the /jail directory structure
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233797
I tried the /etc/selinux/targeted/contexts/files/file_contexts.homedirs idea, but it failed?

I moved my jail dir to "/home/chroot/jail"

I did a relabel as well.


#============= chroot_user_t ==============

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow chroot_user_t unconfined_t:process { siginh transition noatsecure rlimitinh };

Still exists!?

I would rather not have to disable SELinux completely to get this to work.
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233810
Figured it out posting soon!
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233814
I was missing the line "ForceCommand internal-sftp" in my /etc/ssh/sshd_config file

Thanks for all the help!

dr34m3r
0
 
LVL 1

Author Closing Comment

by:dr34m3rs
ID: 39233815
I moved my jail back to /jail
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Ubuntu not booting - How get past GRUB? 3 43
High Available Storage based on linux 6 84
Coding C# in Linux 8 69
Linux VM 6 90
If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question