Bug 833352 - SELinux Enforcing Prevents OpenSSH Chroot Shell Logins
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
7.0
i386 Linux
high Severity high
: beta
: ---
Assigned To: Petr Lautrbach
Miroslav Vadkerti
Depends On: 830237 831271 869340
Blocks:
Reported: 2012-06-19 05:39 EDT by Miroslav Vadkerti
Modified: 2014-06-13 08:23 EDT (History)
7 users

See Also:
Fixed In Version: openssh-6.1p1-2.fc18.x86_64
Doc Type: Release Note
Doc Text:
Generally, each Linux user is mapped to an SELinux user using SELinux policy, allowing Linux users to inherit the restrictions placed on SELinux users. There is a default mapping in which Linux users are mapped to the SELinux unconfined_u user. In Red Hat Enterprise Linux 7, the ChrootDirectory option for chrooting users can be used with unconfined users without any change, but for confined users, such as staff_u, user_u, or guest_u, the SELinux selinuxuser_use_ssh_chroot boolean has to be set. Administrators are advised to use the guest_u user for all chrooted users when using the ChrootDirectory option to achieve higher security.
Story Points: ---
Clone Of: 831271
Environment:
Last Closed: 2014-06-13 08:23:17 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host: ---

Attachments: None
Comment 4 Petr Lautrbach 2012-11-12 08:34:04 EST
This is fixed in the Fedora openssh-6.1p1-2.fc18.x86_64 and selinux-policy-3.11.1-46.fc18.noarch. The SELinux variable selinuxuser_use_ssh_chroot needs to be set on, see https://bugzilla.redhat.com/show_bug.cgi?id=869340#c10.

It would need release notes with specification and sysadmin recommendation - use guest_u and so on.
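The Doc Text and Comment 4 above describe the condition that produces the denials: a ChrootDirectory login whose Linux user maps to a confined SELinux user (guest_u, staff_u, user_u) while the selinuxuser_use_ssh_chroot boolean is off. The shell script below is an added example, not part of this bug report or of the openssh or selinux-policy projects; it audits that combination from the three inputs an administrator would normally pull from `sshd_config`, `semanage login -l` and `getsebool`. The sshd_config excerpt, the login mapping and the boolean state are constructed inline so the script runs on a host without SELinux, and the user names bob, alice and carol are invented.

```shell
#!/bin/sh
# Added example, not from the bug report: audit which sshd ChrootDirectory users
# are mapped to a confined SELinux user while selinuxuser_use_ssh_chroot is off.
# On a real RHEL 7 host the three inputs would come from:
#   cat /etc/ssh/sshd_config          (or: sshd -T -C user=<login>)
#   semanage login -l                 (Linux login -> SELinux user mapping)
#   getsebool selinuxuser_use_ssh_chroot
# They are constructed inline here so the script runs without SELinux present.

# Constructed sshd_config excerpt: bob and alice are chrooted, root is not.
SSHD_CONFIG='Subsystem sftp internal-sftp
Match User bob,alice
    ChrootDirectory /chroot/%u
    ForceCommand internal-sftp
Match User root
    X11Forwarding no'

# Constructed `semanage login -l` output: login, SELinux user, MLS/MCS range.
SEMANAGE_LOGIN='__default__ unconfined_u s0-s0:c0.c1023
bob guest_u s0
alice staff_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023'

# Constructed `getsebool` output: the state that produces the AVC denials.
GETSEBOOL_OUT='selinuxuser_use_ssh_chroot --> off'

# Print the logins named in "Match User" blocks that set ChrootDirectory.
# A ChrootDirectory outside any Match block applies to every user and is
# not enumerated here.
chrooted_users() {
    printf '%s\n' "$SSHD_CONFIG" | awk '
        $1 == "Match" { users = ($2 == "User") ? $3 : ""; next }
        $1 == "ChrootDirectory" && users != "" {
            n = split(users, u, ",")
            for (i = 1; i <= n; i++) print u[i]
        }'
}

# Print the SELinux user a login maps to; unmapped logins use __default__.
selinux_user_for() {
    seuser=$(printf '%s\n' "$SEMANAGE_LOGIN" | awk -v l="$1" '$1 == l { print $2 }')
    [ -n "$seuser" ] || seuser=$(printf '%s\n' "$SEMANAGE_LOGIN" | awk '$1 == "__default__" { print $2 }')
    printf '%s\n' "$seuser"
}

# Succeed when the boolean is on.
chroot_bool_on() {
    printf '%s\n' "$GETSEBOOL_OUT" | grep -q 'selinuxuser_use_ssh_chroot --> on'
}

# chroot_check LOGIN: succeed if a chrooted login for LOGIN works under SELinux
# enforcing. unconfined_u needs nothing; confined users need the boolean.
chroot_check() {
    seuser=$(selinux_user_for "$1")
    case "$seuser" in
        unconfined_u) echo "$1: $seuser, ok"; return 0 ;;
    esac
    if chroot_bool_on; then
        echo "$1: $seuser, ok (selinuxuser_use_ssh_chroot is on)"
        return 0
    fi
    echo "$1: $seuser, chroot login will be denied; fix: setsebool -P selinuxuser_use_ssh_chroot on"
    return 1
}

# Print the number of chrooted logins that would currently be denied.
audit_chroot_users() {
    bad=0
    for u in $(chrooted_users); do
        chroot_check "$u" >&2 || bad=$((bad + 1))
    done
    echo "$bad"
}

audit_chroot_users
```

With the constructed inputs the audit reports both chrooted logins as denied, since bob (guest_u) and alice (staff_u) are confined and the boolean is off; root is unaffected because it maps to unconfined_u. The remediation the Doc Text recommends is to map every chrooted login to guest_u (`semanage login -a -s guest_u <login>`) and then enable the boolean persistently with `setsebool -P selinuxuser_use_ssh_chroot on`, after which a rerun of `ausearch -m AVC -ts recent` should come back empty as in the verification log below.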
Comment 6 Douglas Silas 2013-11-11 13:55:56 EST
If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text.

For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see:

https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue

If you have questions, please email rhel-notes@redhat.com.
Comment 7 Miroslav Vadkerti 2013-12-04 05:00:50 EST
VERIFIED as fixed in openssh-6.4p1-2.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Running 'do_ssh bob x' (Expected 0, got 0)
:: [   PASS   ] :: Running 'curl -vu 'bob:x' --connect-timeout 5 sftp://localhost/upload/file.txt > /dev/null' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 4m 5s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: SELinux
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Running 'ausearch -m AVC -ts recent >out 2>&1' (Expected 0-255, got 1)
:: [   PASS   ] :: There should not be any SELinux AVC (Expected 0, got 0)
:: [   LOG    ] :: Duration: 5s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: SELinux
Comment 9 Ludek Smid 2014-06-13 08:23:17 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
