Bug 833352
Summary: | SELinux Enforcing Prevents OpenSSH Chroot Shell Logins | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Miroslav Vadkerti <mvadkert> |
Component: | openssh | Assignee: | Petr Lautrbach <plautrba> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Miroslav Vadkerti <mvadkert> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.0 | CC: | dwalsh, jjaburek, mgrepl, mmarhefk, mvadkert, plautrba, tmraz |
Target Milestone: | beta | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | | | |
Fixed In Version: | openssh-6.1p1-2.fc18.x86_64 | Doc Type: | Release Note |
Doc Text: | Generally, each Linux user is mapped to an SELinux user by the SELinux policy, so Linux users inherit the restrictions placed on SELinux users. By default, Linux users are mapped to the SELinux unconfined_u user. In Red Hat Enterprise Linux 7, the ChrootDirectory option for chrooting users works for unconfined users without any change, but for confined users, such as staff_u, user_u, or guest_u, the SELinux boolean selinuxuser_use_ssh_chroot has to be set. Administrators are advised to map all chrooted users to the guest_u user when using the ChrootDirectory option, for higher security. | | |
Story Points: | --- |
Clone Of: | 831271 | Environment: | |
Last Closed: | 2014-06-13 12:23:17 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 830237, 831271, 869340 | ||
Bug Blocks: | | | |
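As an added illustration of the rule stated in the Doc Text above (this is not code from the bug report or from openssh), the following shell snippet decides from a user's SELinux login mapping and the state of selinuxuser_use_ssh_chroot whether a ChrootDirectory login will be blocked by SELinux; the `semanage login -l` style output and the users bob, alice and carol are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the bug report: apply the release-note rule
# (unconfined_u needs nothing; staff_u/user_u/guest_u need the boolean
# selinuxuser_use_ssh_chroot=on) to a set of SSH logins.
# Real data comes from `semanage login -l` and
# `getsebool selinuxuser_use_ssh_chroot`; the table below is constructed.

SAMPLE_LOGINS='__default__   unconfined_u   s0-s0:c0.c1023   *
bob           guest_u        s0               *
alice         staff_u        s0-s0:c0.c1023   *'

# seuser_for LOGIN: SELinux user mapped to LOGIN, else the __default__ mapping
seuser_for() {
    printf '%s\n' "$SAMPLE_LOGINS" | awk -v l="$1" '
        $1 == l             { found = $2 }
        $1 == "__default__" { def = $2 }
        END { print (found != "" ? found : def) }'
}

# chroot_allowed SEUSER BOOL_STATE: exit 0 if sshd's chroot will work,
# 1 if SELinux will block it (the failure this bug is about).
chroot_allowed() {
    case $1 in
        unconfined_u) return 0 ;;
        *)            [ "$2" = on ] ;;
    esac
}

# check_login LOGIN BOOL_STATE: one-line verdict, with the fix when blocked
check_login() {
    seuser=$(seuser_for "$1")
    if chroot_allowed "$seuser" "$2"; then
        echo "ok: $1 ($seuser)"
    else
        echo "blocked: $1 ($seuser) needs: setsebool -P selinuxuser_use_ssh_chroot on"
    fi
}

# Typical run; falls back to "off" where getsebool is unavailable.
state=$(getsebool selinuxuser_use_ssh_chroot 2>/dev/null | awk '{print $NF}')
for u in bob alice carol; do
    check_login "$u" "${state:-off}"
done
```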
Comment 4
Petr Lautrbach
2012-11-12 13:34:04 UTC
If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text. For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see: https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue If you have questions, please email rhel-notes.

VERIFIED as fixed in openssh-6.4p1-2.el7

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'do_ssh bob x' (Expected 0, got 0)
:: [ PASS ] :: Running 'curl -vu 'bob:x' --connect-timeout 5 sftp://localhost/upload/file.txt > /dev/null' (Expected 0, got 0)
:: [ LOG ] :: Duration: 4m 5s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: SELinux
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'ausearch -m AVC -ts recent >out 2>&1' (Expected 0-255, got 1)
:: [ PASS ] :: There should not be any SELinux AVC (Expected 0, got 0)
:: [ LOG ] :: Duration: 5s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: SELinux
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.