?
Solved

Linux, Chroot Jail, SSH not playing well with SELinux

Posted on 2013-06-09
10
Medium Priority
?
1,682 Views
Last Modified: 2013-06-09
Here is my AVC Denial:

type=AVC msg=audit(1370709118.483:31357): avc:  denied  { transition } for  pid=12246 comm="sshd" path="/bin/bash" dev=md127p3 ino=786450 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process


and the audit2allow message:


#============= chroot_user_t ==============

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow chroot_user_t unconfined_t:process transition;


I tried to make a custom policy module but it fails.

Any help would be much appreciated.

I made a chroot jail in /jail directory and copied the binaries I need for /bin/bash to it.

When I attempt to login via SSH with SELinux enabled, I get disconnected.

It works if SELinux is not enabled.

Thanks again for any help!!

dr34m3r
0
Comment
Question by:dr34m3rs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
10 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 39232873
Ssh is auto "jailed" in /var/empty

Are you trying to "jail"all users in /jail?
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233076
No just specific users that are involved with the group "chrootjail"

I want to jail commands run once logged in, so that specific users are locked to a specific area.
0
 
LVL 79

Accepted Solution

by:
arnold earned 2000 total points
ID: 39233093
When jailing/chroot you often need to provide the varius functions into that locations replicating the stracture.
http://m.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229

Within Selinux configuration add the /jail in a rule matching /home
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233673
Ohhhh so if I move the /jail to /home/user/jail it could work?

I'll try that later.

If you mean, add an SELinux rule, I'm afraid I can create modules based on audit2allow output, but I am a noob when it comes to writing my own SELinux modules...  how would I write a custom module to allow this?

Or could I change the ls -AlZ (selinux attributes) myself with semanage fcontext -a -t home_dir_t /jail and make it permanent?

I'll test that later too though I expect it could fail...
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233678
>> "When jailing/chroot you often need to provide the varius functions into that locations replicating the stracture."

Yes, I added the necessary functionality, libraries and binaries I wanted to the jail dir.

When I test it with SELinux disabled (echo 0 > /selinux/enforce) it functions correctly.
0
 
LVL 79

Expert Comment

by:arnold
ID: 39233720
/etc/selinux/targeted
or based on your settings.
within there are a set of files one of which is
/etc/selinux/targeted/contexts/files/file_contexts.homedirs

this is where you can add the /jail directory structure
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233797
I tried the /etc/selinux/targeted/contexts/files/file_contexts.homedirs idea, but it failed?

I moved my jail dir to "/home/chroot/jail"

I did a relabel as well.


#============= chroot_user_t ==============

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow chroot_user_t unconfined_t:process { siginh transition noatsecure rlimitinh };

Still exists!?

I would rather not have to disable SELinux completely to get this to work.
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233810
Figured it out posting soon!
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233814
I was missing the line "ForceCommand internal-sftp" in my /etc/ssh/sshd_config file

Thanks for all the help!

dr34m3r
0
 
LVL 1

Author Closing Comment

by:dr34m3rs
ID: 39233815
I moved my jail back to /jail
0

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Suggested Courses
Course of the Month8 days, 8 hours left to enroll

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question