Bug 1435264

Summary: openssh package openssh-6.6.1p1-33.el7_3 does not resolve chroot permission denied status.
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Jelen <jjelen>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.3CC: lvrabec, mgrepl, mmalik, mmezynsk, plautrba, pvrabec, qe-baseos-security, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-136.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1418062
: 1435289 (view as bug list) Environment:
Last Closed: 2017-08-01 15:24:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1418062    
Bug Blocks: 1420851, 1435289    

Comment 5 Milos Malik 2017-05-25 12:47:27 UTC
Is it expected that confined users like staff_u and user_u can do chroot() even if selinuxuser_use_ssh_chroot boolean is off?

# sesearch -s user_t -t user_t -c capability -p sys_chroot -A -C
Found 2 semantic av rules:
   allow user_t user_t : capability { chown fowner setgid net_bind_service sys_chroot audit_write } ; 
ET allow user_t user_t : capability { setgid setuid sys_chroot } ; [ selinuxuser_use_ssh_chroot ]

# sesearch -s staff_t -t staff_t -c capability -p sys_chroot -A -C
Found 2 semantic av rules:
   allow staff_t staff_t : capability { chown fowner setgid net_bind_service sys_chroot audit_write } ; 
ET allow staff_t staff_t : capability { setgid setuid sys_chroot } ; [ selinuxuser_use_ssh_chroot ]

#

Comment 7 errata-xmlrpc 2017-08-01 15:24:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861