Bug 833352

Summary: SELinux Enforcing Prevents OpenSSH Chroot Shell Logins
Product: Red Hat Enterprise Linux 7
Reporter: Miroslav Vadkerti <mvadkert>
Component: openssh
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED CURRENTRELEASE
QA Contact: Miroslav Vadkerti <mvadkert>
Severity: high
Priority: high
Version: 7.0
CC: dwalsh, jjaburek, mgrepl, mmarhefk, mvadkert, plautrba, tmraz
Target Milestone: beta
Target Release: ---
Hardware: i386
OS: Linux
Fixed In Version: openssh-6.1p1-2.fc18.x86_64
Doc Type: Release Note
Doc Text:
Generally, each Linux user is mapped to an SELinux user by SELinux policy, so Linux users inherit the restrictions placed on SELinux users. By default, Linux users are mapped to the SELinux unconfined_u user. In Red Hat Enterprise Linux 7, the ChrootDirectory option for chrooting users can be used with unconfined users without any change, but for confined users, such as staff_u, user_u, or guest_u, the SELinux boolean selinuxuser_use_ssh_chroot has to be set on. Administrators are advised to map all chrooted users to guest_u when using the ChrootDirectory option, to achieve higher security.
Story Points: ---
Clone Of: 831271
Last Closed: 2014-06-13 12:23:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 830237, 831271, 869340
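The procedure the Doc Text describes, as an added shell example that is not part of this bug report or of openssh: an sshd_config Match block for an SFTP-only chroot, the semanage mapping of the chrooted login to guest_u, setting the selinuxuser_use_ssh_chroot boolean, plus small helpers that parse `semanage login -l` and `getsebool` output so the checks can be exercised offline. The user name bob, the group sftponly and the directory /srv/chroot/bob are assumptions; the listing and getsebool lines used for checking are constructed sample output, not captured from a real host.

```shell
#!/bin/bash
# Added example (not from the bug report or openssh): SFTP chroot for a
# confined SELinux user on RHEL 7. Assumed names: user bob, group sftponly,
# chroot root /srv/chroot/bob with an "upload" subdirectory.
set -eu

CHROOT_USER=${CHROOT_USER:-bob}
CHROOT_DIR=${CHROOT_DIR:-/srv/chroot/$CHROOT_USER}

# sshd_config fragment: chroot members of sftponly into a root-owned
# directory and restrict them to the in-process SFTP server.
sshd_chroot_block() {
  cat <<EOF
Match Group sftponly
    ChrootDirectory $CHROOT_DIR
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Takes one line of "getsebool selinuxuser_use_ssh_chroot" output
# (format: "<boolean> --> on|off") and succeeds only when it is on.
ssh_chroot_bool_is_on() {
  case "$1" in
    "selinuxuser_use_ssh_chroot --> on") return 0 ;;
    *) return 1 ;;
  esac
}

# Takes a login name and the text of "semanage login -l" and prints the
# SELinux user it maps to, falling back to the __default__ mapping.
selinux_user_for_login() {
  local login=$1 listing=$2 found
  found=$(printf '%s\n' "$listing" | awk -v u="$login" '$1 == u { print $2 }')
  if [ -z "$found" ]; then
    found=$(printf '%s\n' "$listing" | awk '$1 == "__default__" { print $2 }')
  fi
  printf '%s\n' "$found"
}

# unconfined_u chroots without any change; every confined SELinux user
# (guest_u, user_u, staff_u, ...) needs selinuxuser_use_ssh_chroot on.
needs_ssh_chroot_bool() {
  [ "$1" != "unconfined_u" ]
}

# Live check against the running system (root, policycoreutils needed).
check_live() {
  local seuser
  seuser=$(selinux_user_for_login "$CHROOT_USER" "$(semanage login -l)")
  if needs_ssh_chroot_bool "$seuser"; then
    ssh_chroot_bool_is_on "$(getsebool selinuxuser_use_ssh_chroot)" \
      || { echo "$CHROOT_USER is $seuser but selinuxuser_use_ssh_chroot is off" >&2; return 1; }
  fi
  echo "$CHROOT_USER maps to $seuser; chroot login should be permitted"
}

# Apply the configuration. Not run unless invoked as "$0 apply".
apply_chroot() {
  groupadd -f sftponly
  id "$CHROOT_USER" >/dev/null 2>&1 || useradd -G sftponly -s /sbin/nologin "$CHROOT_USER"
  usermod -aG sftponly "$CHROOT_USER"
  # sshd requires the chroot root to be root-owned and not group/world writable
  install -d -o root -g root -m 0755 "$CHROOT_DIR"
  install -d -o "$CHROOT_USER" -g sftponly -m 0750 "$CHROOT_DIR/upload"
  # Map the chrooted login to guest_u, the most restricted SELinux user
  semanage login -a -s guest_u "$CHROOT_USER" 2>/dev/null \
    || semanage login -m -s guest_u "$CHROOT_USER"
  # Persistently allow sshd to chroot confined users under enforcing mode
  setsebool -P selinuxuser_use_ssh_chroot on
  sshd_chroot_block >> /etc/ssh/sshd_config
  sshd -t && systemctl reload sshd
  check_live
}

if [ "${1:-}" = apply ]; then
  apply_chroot
fi
```

Run with `sudo ./sftp-chroot.sh apply` on the target host; after that, a failed login that still shows up in `ausearch -m AVC -ts recent` means the login was mapped to a confined user before the boolean was set, and `check_live` reports which of the two is missing.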

Comment 4 Petr Lautrbach 2012-11-12 13:34:04 UTC
This is fixed in the Fedora openssh-6.1p1-2.fc18.x86_64 and selinux-policy-3.11.1-46.fc18.noarch. The SELinux variable selinuxuser_use_ssh_chroot needs to be set on, see https://bugzilla.redhat.com/show_bug.cgi?id=869340#c10.

It would need release notes with a specification and a sysadmin recommendation - use guest_u and so on.

Comment 6 Douglas Silas 2013-11-11 18:55:56 UTC
If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text.

For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see:

https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue

If you have questions, please email rhel-notes.

Comment 7 Miroslav Vadkerti 2013-12-04 10:00:50 UTC
VERIFIED as fixed in openssh-6.4p1-2.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Running 'do_ssh bob x' (Expected 0, got 0)
:: [   PASS   ] :: Running 'curl -vu 'bob:x' --connect-timeout 5 sftp://localhost/upload/file.txt > /dev/null' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 4m 5s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: SELinux
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Running 'ausearch -m AVC -ts recent >out 2>&1' (Expected 0-255, got 1)
:: [   PASS   ] :: There should not be any SELinux AVC (Expected 0, got 0)
:: [   LOG    ] :: Duration: 5s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: SELinux

Comment 9 Ludek Smid 2014-06-13 12:23:17 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.