• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1739
  • Last Modified:

Linux, Chroot Jail, SSH not playing well with SELinux

Here is my AVC Denial:

type=AVC msg=audit(1370709118.483:31357): avc:  denied  { transition } for  pid=12246 comm="sshd" path="/bin/bash" dev=md127p3 ino=786450 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process


and the audit2allow message:


#============= chroot_user_t ==============

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow chroot_user_t unconfined_t:process transition;


I tried to make a custom policy module but it fails.

Any help would be much appreciated.

I made a chroot jail in /jail directory and copied the binaries I need for /bin/bash to it.

When I attempt to login via SSH with SELinux enabled, I get disconnected.

It works if SELinux is not enabled.

Thanks again for any help!!

dr34m3r
0
dr34m3rs
Asked:
dr34m3rs
  • 7
  • 3
1 Solution
 
arnoldCommented:
Ssh is auto "jailed" in /var/empty

Are you trying to "jail"all users in /jail?
0
 
dr34m3rsAuthor Commented:
No just specific users that are involved with the group "chrootjail"

I want to jail commands run once logged in, so that specific users are locked to a specific area.
0
 
arnoldCommented:
When jailing/chroot you often need to provide the varius functions into that locations replicating the stracture.
http://m.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229

Within Selinux configuration add the /jail in a rule matching /home
0
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

 
dr34m3rsAuthor Commented:
Ohhhh so if I move the /jail to /home/user/jail it could work?

I'll try that later.

If you mean, add an SELinux rule, I'm afraid I can create modules based on audit2allow output, but I am a noob when it comes to writing my own SELinux modules...  how would I write a custom module to allow this?

Or could I change the ls -AlZ (selinux attributes) myself with semanage fcontext -a -t home_dir_t /jail and make it permanent?

I'll test that later too though I expect it could fail...
0
 
dr34m3rsAuthor Commented:
>> "When jailing/chroot you often need to provide the varius functions into that locations replicating the stracture."

Yes, I added the necessary functionality, libraries and binaries I wanted to the jail dir.

When I test it with SELinux disabled (echo 0 > /selinux/enforce) it functions correctly.
0
 
arnoldCommented:
/etc/selinux/targeted
or based on your settings.
within there are a set of files one of which is
/etc/selinux/targeted/contexts/files/file_contexts.homedirs

this is where you can add the /jail directory structure
0
 
dr34m3rsAuthor Commented:
I tried the /etc/selinux/targeted/contexts/files/file_contexts.homedirs idea, but it failed?

I moved my jail dir to "/home/chroot/jail"

I did a relabel as well.


#============= chroot_user_t ==============

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow chroot_user_t unconfined_t:process { siginh transition noatsecure rlimitinh };

Still exists!?

I would rather not have to disable SELinux completely to get this to work.
0
 
dr34m3rsAuthor Commented:
Figured it out posting soon!
0
 
dr34m3rsAuthor Commented:
I was missing the line "ForceCommand internal-sftp" in my /etc/ssh/sshd_config file

Thanks for all the help!

dr34m3r
0
 
dr34m3rsAuthor Commented:
I moved my jail back to /jail
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 7
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now