Solved

Linux, Chroot Jail, SSH not playing well with SELinux

Posted on 2013-06-09
Last Modified: 2013-06-09
Here is my AVC Denial:

type=AVC msg=audit(1370709118.483:31357): avc:  denied  { transition } for  pid=12246 comm="sshd" path="/bin/bash" dev=md127p3 ino=786450 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

and the audit2allow message:

#============= chroot_user_t ==============

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow chroot_user_t unconfined_t:process transition;


I tried to make a custom policy module but it fails.

Any help would be much appreciated.

I made a chroot jail in /jail directory and copied the binaries I need for /bin/bash to it.

When I attempt to login via SSH with SELinux enabled, I get disconnected.

It works if SELinux is not enabled.

Thanks again for any help!!

dr34m3r
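The AVC record above says that sshd, running in the chroot_user_t domain, was refused a domain transition to unconfined_t while exec'ing /bin/bash. As an added example (not from the thread), here is a small Python parser for auditd AVC records that pulls out the permissions, the source and target types and the other fields, and flags this particular kind of denial; the sample record is the one posted in the question.

```python
import re

# The AVC record posted in the question, used here as the sample input.
SAMPLE_AVC = (
    'type=AVC msg=audit(1370709118.483:31357): avc:  denied  { transition } for  '
    'pid=12246 comm="sshd" path="/bin/bash" dev=md127p3 ino=786450 '
    'scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process'
)

# Shape of a record: avc: denied { perm perm } for key=value key="quoted value" ...
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one auditd AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    # A context is user:role:type:range; the type (third field) is what policy rules name.
    for ctx in ('scontext', 'tcontext'):
        parts = rec.get(ctx, '').split(':')
        rec[ctx + '_type'] = parts[2] if len(parts) > 2 else None
    return rec


def is_chroot_shell_transition(rec):
    """True for the denial in the thread: a chroot_user_t process (sshd under
    ChrootDirectory) was refused a process domain transition, i.e. a shell exec."""
    return (rec is not None
            and rec['result'] == 'denied'
            and 'transition' in rec['perms']
            and rec.get('tclass') == 'process'
            and rec.get('scontext_type') == 'chroot_user_t')


def explain(rec):
    """One-line triage summary; the remedy named is the one the thread arrived at."""
    if not is_chroot_shell_transition(rec):
        return 'not a chroot domain-transition denial'
    return ('%s in %s was denied transition to %s via %s; the chroot domain may not exec '
            'a login shell, so use ForceCommand internal-sftp for the jailed users'
            % (rec.get('comm'), rec['scontext_type'], rec['tcontext_type'], rec.get('path')))


if __name__ == '__main__':
    print(explain(parse_avc(SAMPLE_AVC)))
```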
10 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 39232873
SSH is auto "jailed" in /var/empty.

Are you trying to "jail" all users in /jail?
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233076
No, just specific users that are involved with the group "chrootjail".

I want to jail commands run once logged in, so that specific users are locked to a specific area.
0
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 39233093
When jailing/chrooting you often need to provide the various functions in that location, replicating the structure.
http://m.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229

Within the SELinux configuration, add /jail in a rule matching /home.
0

 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233673
Ohhhh, so if I move /jail to /home/user/jail it could work?

I'll try that later.

If you mean, add an SELinux rule, I'm afraid I can create modules based on audit2allow output, but I am a noob when it comes to writing my own SELinux modules...  how would I write a custom module to allow this?

Or could I change the ls -AlZ (selinux attributes) myself with semanage fcontext -a -t home_dir_t /jail and make it permanent?

I'll test that later too though I expect it could fail...
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233678
>> "When jailing/chrooting you often need to provide the various functions in that location, replicating the structure."

Yes, I added the necessary functionality, libraries and binaries I wanted to the jail dir.

When I test it with SELinux disabled (echo 0 > /selinux/enforce) it functions correctly.
0
 
LVL 78

Expert Comment

by:arnold
ID: 39233720
/etc/selinux/targeted
or based on your settings.
Within there are a set of files, one of which is
/etc/selinux/targeted/contexts/files/file_contexts.homedirs

This is where you can add the /jail directory structure.
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233797
I tried the /etc/selinux/targeted/contexts/files/file_contexts.homedirs idea, but it failed?

I moved my jail dir to "/home/chroot/jail"

I did a relabel as well.
#============= chroot_user_t ==============

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow chroot_user_t unconfined_t:process { siginh transition noatsecure rlimitinh };

Still exists!?

I would rather not have to disable SELinux completely to get this to work.
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233810
Figured it out posting soon!
0
 
LVL 1

Author Comment

by:dr34m3rs
ID: 39233814
I was missing the line "ForceCommand internal-sftp" in my /etc/ssh/sshd_config file.

Thanks for all the help!

dr34m3r
0
 
LVL 1

Author Closing Comment

by:dr34m3rs
ID: 39233815
I moved my jail back to /jail
0
