[SOLVED] selinux and sftp

mfuhrmann
Posts: 9
Joined: 2012/10/25 07:13:15

[SOLVED] selinux and sftp

Post by mfuhrmann » 2012/11/05 09:51:42

Hello,

I'm trying to get an SFTP server working. The users are chrooted, but SELinux does not allow the connection in enforcing mode. When it's disabled all works fine :-) But that's surely not the solution.
I found some howtos for SELinux, but it seems to be a complex topic and I'm not able to apply this howto knowledge to my problem. How can I configure SELinux to allow this? Can somebody please help me?

Thanks a lot.

--
Marcel

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

[SOLVED] selinux and sftp

Post by TrevorH » 2012/11/05 10:03:47

The first step in diagnosing an SELinux problem is to never disable it! If you have problems, put it into permissive mode instead. This can be done on the fly by running `setenforce 0`. In permissive mode, everything is logged but nothing is blocked, so you can do what you need and then look at the logs to find out what was happening. The commands `aureport -a` and `ausearch -a nnn` can help to see what the denials were (nnn is the number from the right-hand side of each message from aureport).

If you have disabled SELinux, then to re-enable it, first change the config file to permissive mode and reboot. That reboot will take a long time because it has to relabel the entire file system. Once it's finished you can set it back to enforcing mode if you want.

Oh, and you also want to make sure that the audit daemon is installed and running so that SELinux denials are logged to the audit log.

mfuhrmann
Posts: 9
Joined: 2012/10/25 07:13:15

Re: selinux and sftp

Post by mfuhrmann » 2012/11/05 10:35:38

Hi TrevorH,

Thanks for your fast response. This happened:

[quote]
[root@localhost ~]# aureport -a

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 11/04/2012 17:32:15 sshd unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 4 dir getattr system_u:object_r:etc_runtime_t:s0 denied 50
2. 11/04/2012 17:32:21 sshd unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 4 dir getattr system_u:object_r:etc_runtime_t:s0 denied 71


[root@localhost ~]# ausearch -a 50
----
time->Sun Nov 4 17:32:15 2012
type=SYSCALL msg=audit(1352046735.674:50): arch=c000003e syscall=4 success=no exit=-13 a0=7fff28cf7a20 a1=7fff28cf7990 a2=7fff28cf7990 a3=6e65727275632f72 items=0 ppid=6186 pid=6190 auid=501 uid=0 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=(none) ses=3 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1352046735.674:50): avc: denied { getattr } for pid=6190 comm="sshd" path="/data" dev=dm-2 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=dir
----
time->Sun Nov 4 17:37:28 2012
type=USER_START msg=audit(1352047048.034:50): user pid=2080 uid=0 auid=501 ses=3 msg='op=login id=501 exe="/usr/sbin/sshd" hostname=192.168.27.1 addr=192.168.27.1 terminal=ssh res=success'
----
time->Mon Nov 5 09:05:10 2012
type=USER_LOGIN msg=audit(1352102710.879:50): user pid=2089 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.27.1 terminal=ssh res=failed'
----
time->Mon Nov 5 10:47:13 2012
type=CRED_DISP msg=audit(1352108833.787:50): user pid=1965 uid=0 auid=0 ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'


[root@localhost ~]# ausearch -a 71
----
time->Sun Nov 4 17:32:21 2012
type=SYSCALL msg=audit(1352046741.296:71): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2ea2f690 a1=7fff2ea2f600 a2=7fff2ea2f600 a3=6e65727275632f72 items=0 ppid=6191 pid=6195 auid=501 uid=0 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=(none) ses=4 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1352046741.296:71): avc: denied { getattr } for pid=6195 comm="sshd" path="/data" dev=dm-2 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=dir
----
time->Sun Nov 4 17:40:32 2012
type=CRYPTO_KEY_USER msg=audit(1352047232.230:71): user pid=2099 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=2100 suid=74 rport=49501 laddr=192.168.27.134 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.27.1 terminal=? res=success'
----
time->Mon Nov 5 09:06:37 2012
type=CRYPTO_KEY_USER msg=audit(1352102797.196:71): user pid=2109 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=2110 suid=74 rport=51298 laddr=192.168.27.134 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.27.1 terminal=? res=success'
[/quote]

And now?
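As an added example, not part of the thread, here is a small Python parser over the records mfuhrmann pasted above (embedded as constructed sample input, with the SYSCALL records trimmed to the fields used and one of the unrelated USER_START records kept). It groups records by the full audit event id, the `timestamp:serial` pair inside `msg=audit(...)`, joins each AVC with the SYSCALL of the same event, and pulls out the source type, target type, class and permissions that a policy fix has to address. It also reports serial numbers that occur under more than one timestamp: that is why `ausearch -a 50` above returned a login, a failed login and a PAM record alongside the denial, since the serial counter restarts at boot and only the pair is unique. The field names (`scontext`, `tcontext`, `tclass`, `path`, `exe`, `exit`) are the standard audit record fields; `exit=-13` is -EACCES.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC/SYSCALL records pasted in the thread
# (SYSCALL records trimmed to the fields used here) plus the unrelated
# USER_START record that shares serial number 50 after a reboot.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1352046735.674:50): arch=c000003e syscall=4 success=no exit=-13 pid=6190 auid=501 uid=0 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1352046735.674:50): avc: denied { getattr } for pid=6190 comm="sshd" path="/data" dev=dm-2 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=dir
type=USER_START msg=audit(1352047048.034:50): user pid=2080 uid=0 auid=501 ses=3 msg='op=login id=501 exe="/usr/sbin/sshd" hostname=192.168.27.1 addr=192.168.27.1 terminal=ssh res=success'
type=SYSCALL msg=audit(1352046741.296:71): arch=c000003e syscall=4 success=no exit=-13 pid=6195 auid=501 uid=0 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1352046741.296:71): avc: denied { getattr } for pid=6195 comm="sshd" path="/data" dev=dm-2 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=dir
"""

# type=<TYPE> msg=audit(<seconds.millis>:<serial>): <body>
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# avc:  denied  { perm perm } for key=value ...  (real logs use double spaces)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """key=value pairs with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def group_events(text):
    """Group records by the full event id (timestamp, serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            events[(m['ts'], m['serial'])].append((m['type'], m['body']))
    return events


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(':')[2]


def summarize_denials(text):
    """One dict per AVC denial, joined with the SYSCALL record of the same event."""
    out = []
    for (ts, serial), records in group_events(text).items():
        syscall = {}
        for rtype, body in records:
            if rtype == 'SYSCALL':
                syscall = parse_fields(body)
        for rtype, body in records:
            m = AVC_RE.search(body) if rtype == 'AVC' else None
            if not m:
                continue
            f = parse_fields(m['fields'])
            out.append({
                'event': f'{ts}:{serial}',
                'perms': sorted(m['perms'].split()),
                'source_type': type_of(f['scontext']),
                'target_type': type_of(f['tcontext']),
                'tclass': f['tclass'],
                'path': f.get('path') or f.get('name'),
                'exe': syscall.get('exe'),
                'exit': syscall.get('exit'),  # -13 is -EACCES
            })
    return out


def reused_serials(text):
    """Serials seen with more than one timestamp: 'ausearch -a N' alone is ambiguous for these."""
    seen = defaultdict(set)
    for ts, serial in group_events(text):
        seen[serial].add(ts)
    return {s: sorted(t) for s, t in seen.items() if len(t) > 1}


if __name__ == '__main__':
    for d in summarize_denials(SAMPLE_AUDIT_LOG):
        print(f"{d['event']} {d['exe']} ({d['source_type']}) denied {d['perms']} "
              f"on {d['tclass']} {d['path']} ({d['target_type']})")
    print('serials reused across boots:', reused_serials(SAMPLE_AUDIT_LOG))
```

On a live system feed it `/var/log/audit/audit.log`; the two denials above collapse to a single tuple (chroot_user_t, etc_runtime_t, dir, getattr) on `/data`, which is the question the rest of the thread answers: the mount point carries a label the chrooted sshd domain may not even stat.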

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: selinux and sftp

Post by TrevorH » 2012/11/05 11:56:36

[quote]
time->Sun Nov 4 17:32:15 2012
type=SYSCALL msg=audit(1352046735.674:50): arch=c000003e syscall=4 success=no exit=-13 a0=7fff28cf7a20 a1=7fff28cf7990 a2=7fff28cf7990 a3=6e65727275632f72 items=0 ppid=6186 pid=6190 auid=501 uid=0 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=(none) ses=3 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1352046735.674:50): avc: denied { getattr } for pid=6190 comm="sshd" path="/data" dev=dm-2 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=dir
[/quote]

This one says that /usr/sbin/sshd running as unconfined_u:system_r:chroot_user_t tried to access a resource in /data with context system_u:object_r:etc_runtime_t and this was not allowed. I'm not sure quite how to fix this since I don't know what the file with inum=2 is that it's trying to access. I suspect it's probably the entire directory.

mfuhrmann
Posts: 9
Joined: 2012/10/25 07:13:15

Re: selinux and sftp

Post by mfuhrmann » 2012/11/05 12:56:44

The directory /data is a mount point. This partition is provided by LVM.

[code]/dev/mapper/vg_srvftp0101-data on /data type ext4 (rw)[/code]

Does this fact affect selinux?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: selinux and sftp

Post by TrevorH » 2012/11/05 13:35:52

What affects selinux is the path involved - it has a long list of file locations and the contexts to associate with those - so running

[code]
semanage fcontext -l
[/code]

will display a long list of them (though I recently learnt that it's not a complete list and there are others hidden away in the policy). If you grep that lot for chroot for example, on my system it shows a bunch of rules to allow named to run in a chroot but nothing for sftp/ssh.

I'm out of my comfort area with this now and unless you get replies from someone else, I'd recommend that you ask on the selinux mailing list about this as the experts tend to hang out there.

mfuhrmann
Posts: 9
Joined: 2012/10/25 07:13:15

Re: [SOLVED] selinux and sftp

Post by mfuhrmann » 2012/11/28 14:50:14

Here is the solution:

[code]man ftpd_selinux[/code]
[code]
SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t and
public_content_rw_t. These contexts allow any of the above domains to read
the content. If you want a particular domain to write to the
public_content_rw_t domain, you must set the appropriate boolean.

Allow ftpd servers to read the /var/ftpd directory by adding the
public_content_t file type to the directory and by restoring the file
type.

semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?"
restorecon -F -R -v /var/ftpd

Allow ftpd servers to read and write /var/tmp/incoming by adding the
public_content_rw_t type to the directory and by restoring the file
type. This also requires the allow_ftpd_anon_write boolean to be set.

semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
restorecon -F -R -v /var/ftpd/incoming

If you want to allow tftp to modify public files used for public file
transfer services, you must turn on the tftp_anon_write boolean.

setsebool -P tftp_anon_write 1

If you want to allow ftp servers to upload files, used for public file
transfer services (directories must be labeled public_content_rw_t),
you must turn on the allow_ftpd_anon_write boolean.

setsebool -P allow_ftpd_anon_write 1

If you want to allow anon internal-sftp to upload files, used for public
file transfer services (directories must be labeled public_content_rw_t),
you must turn on the sftpd_anon_write boolean.

setsebool -P sftpd_anon_write 1[/code]

sbonds
Posts: 5
Joined: 2014/09/19 08:17:48

Re: [SOLVED] selinux and sftp

Post by sbonds » 2018/02/28 14:14:59

For the benefit of future Google searchers with the same problem, namely that sshd running with a source context of unconfined_u:system_r:chroot_user_t can hardly access anything, even the normally quite open public_content_rw_t, I found both a way to search for the correct boolean to set and the boolean needed for this specific context. If more details are needed, there is lots of good info in https://wiki.centos.org/HowTos/SELinux.

Here's how to search for booleans that might apply to this situation:

[code]
sesearch --allow --show_cond --regex --source chroot_user_t --class file -p write --target public
[/code]

That returns things like:

[code]
DT allow chroot_user_t public_content_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ ssh_chroot_full_access ]
DT allow chroot_user_t public_content_rw_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ ssh_chroot_full_access ]
DT allow chroot_user_t public_content_rw_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ ssh_chroot_full_access ]
DT allow chroot_user_t public_content_rw_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ ssh_chroot_full_access ]
[/code]

To enable that access, enable the ssh_chroot_full_access boolean mentioned at the end of each line in the above search:

[code]
setsebool -P ssh_chroot_full_access=1
[/code]
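As an added example, not part of sbonds's post, the same lookup done programmatically in Python over the sesearch lines pasted above, embedded as constructed sample input together with two made-up lines (hypothetical_ro_t, hypothetical_rw_t, hypothetical_bool_a and hypothetical_bool_b are invented names used only to exercise the unconditional and compound-condition cases). It reads the conditional-rule prefix the way setools 3 `sesearch --show_cond` prints it (E/D for a condition that is currently enabled/disabled, T/F for the true/false branch the rule sits in) and derives the `setsebool -P` toggle from that, so a rule in the false branch yields a `0` rather than a `1`. Compound conditions are flagged for manual review instead of guessed. Given a denied (source type, target type, class, permission) tuple from the audit log, it answers the question the thread took three weeks to settle: is there a boolean for this, is it already on, or is it a labelling problem?

```python
import re

# Constructed sample input: the four rules sbonds pasted above, plus two
# made-up lines (hypothetical_* names are invented for this example) to
# exercise an unconditional rule and a compound condition.
SAMPLE_SESEARCH = """\
DT allow chroot_user_t public_content_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ ssh_chroot_full_access ]
DT allow chroot_user_t public_content_rw_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ ssh_chroot_full_access ]
DT allow chroot_user_t public_content_rw_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ ssh_chroot_full_access ]
DT allow chroot_user_t public_content_rw_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ ssh_chroot_full_access ]
   allow chroot_user_t hypothetical_ro_t : file { read getattr open } ;
DF allow chroot_user_t hypothetical_rw_t : file write ; [ hypothetical_bool_a && hypothetical_bool_b ]
"""

# setools 3 'sesearch --show_cond' line: [ED][TF] allow SRC TGT : CLASS { perms } ; [ cond ]
# E/D = condition currently enabled/disabled, T/F = rule is in the true/false branch.
RULE_RE = re.compile(
    r'^\s*(?P<state>[ED][TF])?\s*allow\s+(?P<src>[^\s:]+)\s+(?P<tgt>[^\s:]+)\s*:\s*'
    r'(?P<cls>[^\s{]+)\s+(?:\{(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;'
    r'\s*(?:\[\s*(?P<cond>[^\]]+?)\s*\])?')


def parse_sesearch(text):
    """Parse sesearch allow rules into dicts; lines that are not allow rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        perms = m['perms'] if m['perms'] is not None else m['perm']
        rules.append({
            'src': m['src'], 'tgt': m['tgt'], 'cls': m['cls'],
            'perms': set(perms.split()),
            'state': m['state'], 'cond': m['cond'],
        })
    return rules


def fixes_for(rules, src, tgt, cls, perm):
    """What in RULES would let SRC do PERM on a CLS object labelled TGT.

    'already allowed'            an active rule covers it, so the denial is elsewhere (e.g. label)
    'setsebool -P <bool> <0|1>'  toggle derived from the rule's condition branch
    'review condition: ...'      compound or unknown condition, decide by hand
    []                           no rule at all: relabel the target or write a policy module
    """
    out = set()
    for r in rules:
        if (r['src'], r['tgt'], r['cls']) != (src, tgt, cls) or perm not in r['perms']:
            continue
        if r['cond'] is None or (r['state'] and r['state'][0] == 'E'):
            out.add('already allowed')
        elif r['state'] is None or re.search(r'&&|\|\||!', r['cond']):
            out.add(f'review condition: [ {r["cond"]} ]')
        else:
            value = '1' if r['state'][1] == 'T' else '0'
            out.add(f'setsebool -P {r["cond"]} {value}')
    return sorted(out)


if __name__ == '__main__':
    rules = parse_sesearch(SAMPLE_SESEARCH)
    for cls in ('file', 'lnk_file', 'dir'):
        print(cls, fixes_for(rules, 'chroot_user_t', 'public_content_rw_t', cls, 'write'))
```

Note what the `dir` query returns: nothing, because the pasted search was restricted to `--class file` (with `--regex` it also matched lnk_file, sock_file and fifo_file). Before acting on a denial against a directory, rerun sesearch with that class. And before flipping any boolean, read its description with `semanage boolean -l`; a name like ssh_chroot_full_access signals a broad grant, so check it is what you actually want rather than a narrower one.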
