[SOLVED] selinux with httpd and sshd contexts

Support for security such as Firewalls and securing linux
Post Reply
webguy
Posts: 3
Joined: 2014/01/28 00:44:37

[SOLVED] selinux with httpd and sshd contexts

Post by webguy » 2014/01/28 01:07:54

I have a Centos 6.5 webserver and it works well except for one item. I have a directory that I need to share via http and sftp. I can access the directory via http after I set the selinux context on the directory to httpd_sys_content_t. However when my user tries to login to the server via sftp I see the following messages in the audit.log:
type=AVC msg=audit(1390843355.302:813): avc: denied { getattr } for pid=8502 comm="sshd" path="/mapdata" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1390843355.302:814): avc: denied { search } for pid=8502 comm="sshd" name="/" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1390843370.478:841): avc: denied { getattr } for pid=8508 comm="sshd" path="/mapdata" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1390843376.245:862): avc: denied { getattr } for pid=8514 comm="sshd" path="/mapdata" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

The user's home directory is set to /mapdata and the owner is root:user with 755 permissions. Is there a selinux context I can label the directory that will allow sftp and http access?
Last edited by webguy on 2014/01/30 15:34:19, edited 1 time in total.

User avatar
TrevorH
Forum Moderator
Posts: 30656
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: selinux with httpd and sshd contexts

Post by TrevorH » 2014/01/28 01:20:35

Try public_content_t or public_content_rw_t depending on whether you need readonly or read/write access.
CentOS 6 died in November 2020 - migrate to a new version!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

webguy
Posts: 3
Joined: 2014/01/28 00:44:37

Re: selinux with httpd and sshd contexts

Post by webguy » 2014/01/28 01:54:46

Thank you for the quick reply but it didn't work.

# cat /var/log/secure
Jan 27 13:50:25 www sshd[8872]: fatal: safely_chroot: stat("/mapdata"): Permission denied

# ls -lZ
drwxr-xr-x. root anonymous system_u:object_r:public_content_t:s0 mapdata

# cat /var/log/audit/audit.log
type=AVC msg=audit(1390852447.734:1292): avc: denied { getattr } for pid=8910 comm="sshd" path="/mapdata" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir

Any other ideas?

Ideal
Posts: 56
Joined: 2009/07/17 22:32:51

Re: selinux with httpd and sshd contexts

Post by Ideal » 2014/01/29 21:49:23

Any other ideas?
I see that sshd is complaining that it can't chroot so the following selinux booleans may help:

Code: Select all

$ getsebool -a|grep ssh
allow_ssh_keysign --> off
fenced_can_ssh --> off
ssh_chroot_full_access --> off
ssh_chroot_manage_apache_content --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> off

webguy
Posts: 3
Joined: 2014/01/28 00:44:37

Re: selinux with httpd and sshd contexts

Post by webguy » 2014/01/30 15:33:58

# setsebool -P ssh_chroot_full_access 1

fixed the problem. Thank you for the help.

Post Reply

Return to “CentOS 6 - Security Support”