Solved

Linux, Chroot Jail, SSH not playing well with SELinux

Posted on 2013-06-09
10
1,592 Views
Last Modified: 2013-06-09
Here is my AVC Denial:

type=AVC msg=audit(1370709118.483:31357): avc:  denied  { transition } for  pid=12246 comm="sshd" path="/bin/bash" dev=md127p3 ino=786450 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process


and the audit2allow message:


#============= chroot_user_t ==============

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow chroot_user_t unconfined_t:process transition;


I tried to make a custom policy module but it fails.

Any help would be much appreciated.

I made a chroot jail in /jail directory and copied the binaries I need for /bin/bash to it.

When I attempt to login via SSH with SELinux enabled, I get disconnected.

It works if SELinux is not enabled.

Thanks again for any help!!

dr34m3r
0
Comment
Question by:dr34m3rs
  • 7
  • 3
10 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 39232873
Ssh is auto "jailed" in /var/empty

Are you trying to "jail"all users in /jail?
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233076
No just specific users that are involved with the group "chrootjail"

I want to jail commands run once logged in, so that specific users are locked to a specific area.
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 39233093
When jailing/chroot you often need to provide the varius functions into that locations replicating the stracture.
http://m.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229

Within Selinux configuration add the /jail in a rule matching /home
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233673
Ohhhh so if I move the /jail to /home/user/jail it could work?

I'll try that later.

If you mean, add an SELinux rule, I'm afraid I can create modules based on audit2allow output, but I am a noob when it comes to writing my own SELinux modules...  how would I write a custom module to allow this?

Or could I change the ls -AlZ (selinux attributes) myself with semanage fcontext -a -t home_dir_t /jail and make it permanent?

I'll test that later too though I expect it could fail...
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233678
>> "When jailing/chroot you often need to provide the varius functions into that locations replicating the stracture."

Yes, I added the necessary functionality, libraries and binaries I wanted to the jail dir.

When I test it with SELinux disabled (echo 0 > /selinux/enforce) it functions correctly.
0
Save on storage to protect fatherhood memories

You're the dad who has everything. This Father's Day, make sure your family memories are protected. My Passport Ultra has automatic backup and password protection to keep your cherished photos and videos safe. With up to 3TB, you have plenty of room to hold the adventures ahead.

 
LVL 77

Expert Comment

by:arnold
ID: 39233720
/etc/selinux/targeted
or based on your settings.
within there are a set of files one of which is
/etc/selinux/targeted/contexts/files/file_contexts.homedirs

this is where you can add the /jail directory structure
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233797
I tried the /etc/selinux/targeted/contexts/files/file_contexts.homedirs idea, but it failed?

I moved my jail dir to "/home/chroot/jail"

I did a relabel as well.


#============= chroot_user_t ==============

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow chroot_user_t unconfined_t:process { siginh transition noatsecure rlimitinh };

Still exists!?

I would rather not have to disable SELinux completely to get this to work.
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233810
Figured it out posting soon!
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233814
I was missing the line "ForceCommand internal-sftp" in my /etc/ssh/sshd_config file

Thanks for all the help!

dr34m3r
0
 
LVL 1

Author Closing Comment

by:dr34m3rs
ID: 39233815
I moved my jail back to /jail
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
change time in cron 4 67
Remove a folder in Linux 9 91
Why isnt it sending mail from my php but is from my server 10 37
linux redhat 7.2 10 47
Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
Fine Tune your automatic Updates for Ubuntu / Debian
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now