Bug 1435264 - openssh package openssh-6.6.1p1-33.el7_3 does not resolve chroot permission denied status.
Summary: openssh package openssh-6.6.1p1-33.el7_3 does not resolve chroot permission d...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1418062
Blocks: 1420851 1435289
TreeView+ depends on / blocked
 
Reported: 2017-03-23 13:32 UTC by Jakub Jelen
Modified: 2019-04-29 09:18 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.13.1-136.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1418062
: 1435289 (view as bug list)
Environment:
Last Closed: 2017-08-01 15:24:23 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC

Comment 5 Milos Malik 2017-05-25 12:47:27 UTC
Is it expected that confined users like staff_u and user_u can do chroot() even if selinuxuser_use_ssh_chroot boolean is off?

# sesearch -s user_t -t user_t -c capability -p sys_chroot -A -C
Found 2 semantic av rules:
   allow user_t user_t : capability { chown fowner setgid net_bind_service sys_chroot audit_write } ; 
ET allow user_t user_t : capability { setgid setuid sys_chroot } ; [ selinuxuser_use_ssh_chroot ]

# sesearch -s staff_t -t staff_t -c capability -p sys_chroot -A -C
Found 2 semantic av rules:
   allow staff_t staff_t : capability { chown fowner setgid net_bind_service sys_chroot audit_write } ; 
ET allow staff_t staff_t : capability { setgid setuid sys_chroot } ; [ selinuxuser_use_ssh_chroot ]

#

Comment 7 errata-xmlrpc 2017-08-01 15:24:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861


Note You need to log in before you can comment on or make changes to this bug.