Bug 833352 - SELinux Enforcing Prevents OpenSSH Chroot Shell Logins
Summary: SELinux Enforcing Prevents OpenSSH Chroot Shell Logins
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.0
Hardware: i386
OS: Linux
Priority: high
Severity: high
Target Milestone: beta
Target Release: ---
Assignee: Petr Lautrbach
QA Contact: Miroslav Vadkerti
URL:
Whiteboard:
Depends On: 830237 831271 869340
Blocks:
Reported: 2012-06-19 09:39 UTC by Miroslav Vadkerti
Modified: 2014-06-13 12:23 UTC (History)

Fixed In Version: openssh-6.1p1-2.fc18.x86_64
Doc Type: Release Note
Doc Text:
Generally, each Linux user is mapped to an SELinux user by the SELinux policy, so Linux users inherit the restrictions placed on their SELinux user. The default mapping maps Linux users to the SELinux unconfined_u user. In Red Hat Enterprise Linux 7, the sshd ChrootDirectory option works for unconfined users without any change, but for confined users such as staff_u, user_u, or guest_u, the SELinux boolean selinuxuser_use_ssh_chroot has to be enabled. Administrators are advised to map all chrooted users to guest_u when using the ChrootDirectory option, to achieve higher security.
Clone Of: 831271
Environment:
Last Closed: 2014-06-13 12:23:17 UTC
Target Upstream Version:
Embargoed:
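The setup the Doc Text describes, as an added example (this is not code from the bug report or from the openssh or selinux-policy packages): a small script that renders the sshd_config Match block for a chrooted SFTP-only user, checks the chroot path for the root ownership and non-writable modes sshd insists on before it will chroot, and wraps the SELinux steps (guest_u login mapping plus the selinuxuser_use_ssh_chroot boolean) and the AVC check used in the verification below. The user name "bob" and the path /srv/chroot/bob are illustrative assumptions; the apply and avc actions need root and are not run by default.

```bash
#!/bin/bash
# Added example, not code from the bug report or from the openssh/selinux-policy
# packages. Assumed names: user "bob", chroot root /srv/chroot/bob.

# Render the sshd_config Match block for one chrooted, SFTP-only user.
sshd_chroot_match_block() {
    user="$1"; dir="$2"
    cat <<EOF
Match User ${user}
    ChrootDirectory ${dir}
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd refuses to chroot unless every directory from the chroot root up to /
# is owned by root and not writable by group or others (it logs
# "bad ownership or modes for chroot directory"). Walk the chain and report
# the first offender; returns 0 only when the whole chain is acceptable.
check_chroot_dir() {
    cur="$1"
    case "$cur" in
        /*) ;;
        *) echo "chroot path must be absolute: $cur"; return 1 ;;
    esac
    while :; do
        if [ ! -d "$cur" ]; then
            echo "missing directory: $cur"; return 1
        fi
        owner=$(stat -c %u "$cur")
        mode=$(stat -c %a "$cur")
        if [ "$owner" != "0" ]; then
            echo "not owned by root (uid $owner): $cur"; return 1
        fi
        # The last two octal digits are group and other; 2, 3, 6 and 7
        # carry the write bit.
        case "$mode" in
            *[2367]?|*[2367])
                echo "group- or world-writable (mode $mode): $cur"; return 1 ;;
        esac
        if [ "$cur" = "/" ]; then
            return 0
        fi
        cur=$(dirname "$cur")
    done
}

# SELinux side of the fix: map the login to the confined guest_u user and
# enable the boolean that lets sshd chroot confined users. Needs root and
# semanage (policycoreutils-python on RHEL 7).
apply_selinux_chroot_policy() {
    user="$1"
    semanage login -a -s guest_u "$user" 2>/dev/null \
        || semanage login -m -s guest_u "$user"
    setsebool -P selinuxuser_use_ssh_chroot on
    getsebool selinuxuser_use_ssh_chroot
}

# After a test login, list recent AVC denials. ausearch exits 1 when no
# records match, so an empty listing, not the exit code, is the pass condition.
recent_avc_denials() {
    ausearch -m AVC -ts recent 2>/dev/null || true
}

case "${1:-}" in
    render) sshd_chroot_match_block "$2" "$3" ;;
    check)  check_chroot_dir "$2" ;;
    apply)  apply_selinux_chroot_policy "$2" ;;
    avc)    recent_avc_denials ;;
esac
```

Because the chroot root itself has to stay root-owned and non-writable, the user's writable area must be a subdirectory below it (the verification below uploads to /upload inside the chroot); create that directory owned by the user rather than loosening the modes of the chroot root. Run "check" before restarting sshd, then "apply" for the SELinux mapping, and after a test login "avc" should print nothing.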



Comment 4 Petr Lautrbach 2012-11-12 13:34:04 UTC
This is fixed in the Fedora openssh-6.1p1-2.fc18.x86_64 and selinux-policy-3.11.1-46.fc18.noarch. The SELinux variable selinuxuser_use_ssh_chroot needs to be set on, see https://bugzilla.redhat.com/show_bug.cgi?id=869340#c10.

It would need release notes with specification and sysadmin recommendation - use guest_u and so.

Comment 6 Douglas Silas 2013-11-11 18:55:56 UTC
If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text.

For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see:

https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue

If you have questions, please email rhel-notes.

Comment 7 Miroslav Vadkerti 2013-12-04 10:00:50 UTC
VERIFIED as fixed in openssh-6.4p1-2.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Running 'do_ssh bob x' (Expected 0, got 0)
:: [   PASS   ] :: Running 'curl -vu 'bob:x' --connect-timeout 5 sftp://localhost/upload/file.txt > /dev/null' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 4m 5s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: SELinux
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Running 'ausearch -m AVC -ts recent >out 2>&1' (Expected 0-255, got 1)
:: [   PASS   ] :: There should not be any SELinux AVC (Expected 0, got 0)
:: [   LOG    ] :: Duration: 5s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: SELinux

Comment 9 Ludek Smid 2014-06-13 12:23:17 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

