I have a CentOS 6.5 webserver and it works well except for one item. I have a directory that I need to share via http and sftp. I can access the directory via http after I set the selinux context on the directory to httpd_sys_content_t. However, when my user tries to log in to the server via sftp I see the following messages in the audit.log:
type=AVC msg=audit(1390843355.302:813): avc: denied { getattr } for pid=8502 comm="sshd" path="/mapdata" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1390843355.302:814): avc: denied { search } for pid=8502 comm="sshd" name="/" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1390843370.478:841): avc: denied { getattr } for pid=8508 comm="sshd" path="/mapdata" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1390843376.245:862): avc: denied { getattr } for pid=8514 comm="sshd" path="/mapdata" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
The user's home directory is set to /mapdata and the owner is root:user with 755 permissions. Is there a selinux context I can label the directory with that will allow sftp and http access?
[SOLVED] selinux with httpd and sshd contexts
Last edited by webguy on 2014/01/30 15:34:19, edited 1 time in total.
Re: selinux with httpd and sshd contexts
Try public_content_t or public_content_rw_t depending on whether you need readonly or read/write access.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: selinux with httpd and sshd contexts
Thank you for the quick reply but it didn't work.
# cat /var/log/secure
Jan 27 13:50:25 www sshd[8872]: fatal: safely_chroot: stat("/mapdata"): Permission denied
# ls -lZ
drwxr-xr-x. root anonymous system_u:object_r:public_content_t:s0 mapdata
# cat /var/log/audit/audit.log
type=AVC msg=audit(1390852447.734:1292): avc: denied { getattr } for pid=8910 comm="sshd" path="/mapdata" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
Any other ideas?
Re: selinux with httpd and sshd contexts
I see that sshd is complaining that it can't chroot, so the following selinux booleans may help:
$ getsebool -a|grep ssh
allow_ssh_keysign --> off
fenced_can_ssh --> off
ssh_chroot_full_access --> off
ssh_chroot_manage_apache_content --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> off
Re: selinux with httpd and sshd contexts
# setsebool -P ssh_chroot_full_access 1
fixed the problem. Thank you for the help.
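An added triage helper, not part of the thread: it parses the AVC denial lines posted above and groups them by source domain, target type and object class. That summary is what shows the sshd chroot domain (chroot_user_t) lacks getattr/search on the directory's type whichever content label it carries, which is why a file relabel did not help and an ssh_chroot_* boolean did. The log text is copied from the thread as constructed sample input.

```python
import re
from collections import defaultdict

# Sample AVC records copied from the thread above (constructed input for this script).
AVC_LOG = """\
type=AVC msg=audit(1390843355.302:813): avc: denied { getattr } for pid=8502 comm="sshd" path="/mapdata" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1390843355.302:814): avc: denied { search } for pid=8502 comm="sshd" name="/" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1390852447.734:1292): avc: denied { getattr } for pid=8910 comm="sshd" path="/mapdata" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    # An SELinux context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict describing one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        "source": _type_of(fields["scontext"]),
        "target": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "path": fields.get("path") or fields.get("name"),
    }


def summarize(log_text):
    """Group denials by (source type, target type, class) -> sorted list of denied perms."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(AVC_LOG).items():
        print(f"{src} -> {tgt} ({cls}): {' '.join(perms)}")
```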