SELinux is preventing /usr/sbin/sshd from using the transition access on a process

Solution In Progress - Updated -

Issue

  • SElinux is preventing chrooted users from logging in using the ChrootDirectory option for sshd

  • Users that are chrooted for sshd cannot login over ssh when SElinux is enabled.

  • We get a denial in the /var/log/audit.log when the chroot user tries to transition to unconfined_t

Raw Audit Messages
type=SYSCALL msg=audit(1396013694.814:2781): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f1eba32ce80 a1=7fff4999ad00 a2=7f1eba337df0 a3=0 items=0 ppid=6007 pid=6008 auid=508 uid=508 gid=509 euid=508 suid=508 fsuid=508 egid=509 sgid=509 fsgid=509 tty=pts2 ses=254 comm=sshd exe=/usr/sbin/sshd subj=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1396013694.814:2781): avc: denied { transition } for pid=6008 comm="sshd" path="/bin/bash" dev=dm-6 ino=129092 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process


Hash: sshd,chroot_user_t,unconfined_t,process,transition

Environment

  • Red Hat Enterprise Linux 6
  • selinux-policy-3.7.19-231.el6_5.1
  • openssh-5.3p1-94.el6

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.