C-6.6 – Sshd_config Chroot SELinux Issues

Home » General » C-6.6 – Sshd_config Chroot SELinux Issues
General No Comments

CentOS-6.6

We have sshd chroot working, mostly, for a particular groupid. However, we have two things that remain u/s, no doubt due to some omission on my part.

Basically, we would like our users to be able to tunnel their https over the SSH connection to this server and be able to do X11
forwarding as well. At the moment both work when the user connects without chroot and neither works if they are chroot, even when the chroot directory is the actual system /.

The Match statements are:

Match Group wheel
AllowTcpForwarding yes
ChrootDirectory /
PermitOpen any
X11Forwarding yes
X11UseLocalhost no

Match Group !wheel,sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

There are SELinux issues:

/var/log/messages

Jul 9 09:22:43 inet02 setroubleshoot: SELinux is preventing
/usr/sbin/sshd from create access on the udp_socket . For complete SELinux messages. run sealert -l 91eae747-73dc-43d8-8af9-0601e726f233

Jul 9 09:22:43 inet02 setroubleshoot: SELinux is preventing
/usr/sbin/sshd from create access on the tcp_socket . For complete SELinux messages. run sealert -l c5d4049e-cffb-4cfb-a243-135c7b297e8b

Jul 9 09:22:44 inet02 setroubleshoot: SELinux is preventing
/usr/sbin/sshd from open access on the chr_file 5. For complete SELinux messages. run sealert -l d77a3254-8aba-4a13-bd78-0bcf14e67035

/var/log/secure

Jul 9 09:22:34 inet02 sshd[17681]: error: socket: Permission denied

Jul 9 09:22:34 inet02 sshd[17684]: error: /dev/pts/5: Permission denied

# grep sshd /var/log/audit/audit.log | audit2allow

#============= chroot_user_t =============
#!!!! This avc is allowed in the current policy allow chroot_user_t admin_home_t:dir search;

#!!!! This avc is allowed in the current policy allow chroot_user_t net_conf_t:file read;
allow chroot_user_t self:netlink_route_socket create;
allow chroot_user_t self:tcp_socket create;
allow chroot_user_t self:udp_socket create;
allow chroot_user_t user_devpts_t:chr_file open;
allow chroot_user_t user_home_t:chr_file { read write };

#!!!! This avc is allowed in the current policy allow chroot_user_t xauth_exec_t:file getattr;

#============= xauth_t =============allow xauth_t chroot_user_t:process sigchld;

# getsebool -a | grep ssh

allow_ssh_keysign –> off fenced_can_ssh –> off ssh_chroot_full_access –> on ssh_chroot_manage_apache_content –> off ssh_chroot_rw_homedirs –> on ssh_sysadm_login –> off

These are definitely involved with the X11 forwarding issue because if I use: setenforce Permissive then gvim works for a chrooted session. However, when setenforce Enforcing is set then gvim fails with: ‘E233:
cannot open display’.

I have not tried the https tunnelling without SELinux but I suspect that the problem is similar if not identical.

Do I generate a custom policy or are there some other SSH/SELinux settings that I am missing?