How to configure SFTP chroot with SELinux enforcing mode.
Issue
- With SELinux set to enforcing mode, the SFTP connection drops with the following messages:
- From /var/log/secure:
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: send packet: type 1
packet_write_wait: Connection to 127.0.0.1 port 22: Broken pipe
Couldn't read packet: Connection reset by peer
Jul 23 16:39:54 sftp setroubleshoot: SELinux is preventing /usr/bin/sudo from using the setuid capability. For complete SELinux messages run: sealert -l 527bfd94-4a1b-4853-b327-5331f69f349d
Jul 23 16:39:54 sftp python: SELinux is preventing /usr/bin/sudo from using the setuid capability.#012#012***** Plugin catchall_boolean (89.3 confidence) suggests ******************#012#012If you want to allow selinuxuser to use ssh chroot#012Then you must tell SELinux about this by enabling the 'selinuxuser_use_ssh_chroot' boolean.#012#012Do#012setsebool -P selinuxuser_use_ssh_chroot 1#012#012***** Plugin catchall (11.6 confidence) suggests **************************#012#012If you believe that sudo should have the setuid capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sudo' --raw | audit2allow -M my-sudo#012# semodule -i my-sudo.pp#012
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8