CentOS - Feb 2010 - OpenSSH-5.3p1 selinux problem on CentOS-5.4.

Note: I am digest subscriber so if you could copy me directly on any
reply to the list I would appreciate it very much.

I sent this to the OpenSSH list (secureshell at securityfocus.com)
yesterday and received no response so I am asking here in hopes that
someone else has run across this problem on CentOS.

We have encountered a situation that requires sftp access to one of
our server by an outside agency.  This will be used for a data push
application only and we need to secure our server from trespass via
this access.  After a modest amount of research we decided that the
best answer was to use a more recent version of OpenSSH (5.3p1)that
supports chroot as a configurable option.

I obtained the software from the openssh.org website and built it
using the libedit packages from the CentOS testing repo.  These were
the option used:

./configure --prefix=/opt --with-libedit --with-md5-passwords
--with-pam --with-selinux --with-tcp-wrappers

The new server software works fine for regular ssh/sftp users.
However, when logging on as a member of the chroot group we obtain
this error:

ssh_selinux_getctxbyname: ssh_selinux_getctxbyname:
security_getenforce() failed

I have found reports of this exact error via Google in several
places dating back to 2006, but these all seem to devolve into
either: this has been fixed in version x.y.z on distribution Q,
where x.y.z is less than 5.3 and Q is not CentOS.  Or, the selinux
filesystem has to be mounted inside the chroot directory.

Since I assume the former is never going to happen for CentOS, at
least not in time to do me any good, I am looking for an explanation
of what the latter means and how it is accomplished.  Our current
SELinux status on that host is:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted

Our chroot directory path is:

/var/data/sshchroot

The questions are:

1. Is it possible to mount the selinux filesystem twice on the same
host having different roots?

2. If so, then how is this accomplished?

3. If not, then is there anything else that I can do, besides
disabling selinux support in the sshd daemon, to get this to work?

Sincerely,

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

James B. Byrne wrote:
> Note: I am digest subscriber so if you could copy me directly on any
> reply to the list I would appreciate it very much.
> 
<snip>
>  After a modest amount of research we decided that the
> best answer was to use a more recent version of OpenSSH (5.3p1)that
> supports chroot as a configurable option.
> 
I've not tested it, but I believe the chroot stuff was backported some 
while ago:

# rpm -q --changelog openssh | more
* Tue Dec 01 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-40
- close error file descriptor before running external subsystem (#537348)

* Tue Sep 15 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-36.2
- minimize chroot patch to be compatible with upstream (#522141)

* Tue Jun 23 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-36
- tiny change in chroot sftp capability into openssh-server solve ls 
speed problem (#440240)

* Tue May 26 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-35
- workaround to plaintext recovery attack against CBC ciphers 
CVE-2008-5161 (#502230)

* Fri May 15 2009 Tomas Mraz <tmraz at redhat.com> - 4.3p2-34
- disable protocol 1 in the FIPS mode

* Thu Apr 30 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-33
- fix scp hangup on exit (#454812)
- call integrity checks only on binaries which are part of the OpenSSH FIPS
   modules

* Mon Apr 20 2009 Tomas Mraz <tmraz at redhat.com> - 4.3p2-32
- log if FIPS mode is initialized (#492363)
- check the integrity of the binaries in the FIPS mode (#467268)

* Wed Apr 08 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-31
- fix ssh hangup on exit (#454812)

* Fri Mar 27 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-30
- add chroot sftp capability into openssh-server (#440240)

Instead, might the use of SCP (instead of sftp subsystem) and a limited 
shell be able to achieve your goal?
I found this when googling for "limited shell":
http://lshell.ghantoos.org/
Look at the "Use case".
There's also rbash, but on first glance lshell looks quite promising.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com

James B. Byrne wrote:

<snip>
> 
> The new server software works fine for regular ssh/sftp users.
> However, when logging on as a member of the chroot group we obtain
> this error:
> 
> ssh_selinux_getctxbyname: ssh_selinux_getctxbyname:
> security_getenforce() failed
> 
<snip>
> 
> # sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 21
> Policy from config file:        targeted
> 
What happens if you enable SELinux, i.e, set it to enforcing? Do you 
still see the same error message above?

On Wed, February 3, 2010 12:02, Ned Slider wrote:
>
> What happens if you enable SELinux, i.e, set it to enforcing? Do you
> still see the same error message above?
>
I have rebuilt the thing without SELinux support and all seems to be
working now.  Since, other than the sftp user, there are only
administrative users that log into the target host via ssh this
seems an acceptable approach.  I am contemplating running the 5.3p1
version as a separate instance listening on a separate port instead
of replacing the CentOS version.

Thanks,

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

On Thu, February 4, 2010 10:08, Marc Wiatrowski wrote:
>
>>
>>
> Have you looked at using rssh as the users shell?  You can limit the
> user to a chroot sftp only. Its not stock, but ssh can then be.
>
> http://dag.wieers.com/rpm/packages/rssh/
>
I looked at rssh briefly yesterday when someone suggested it.  Had I
known of it before we started down this road then we might have used
it instead.  However, at the moment we seem to have a working
solution and so we will stick with that for now.

I am not sure what effect disabling SELinux support in SSH actually
has from a security standpoint.  So, if anyone cares to enlighten me
on the the consequences I would like to know.

Regards,


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3