selinux blocks access via sftp for chrooted user

you may want to install setroubleshoot. audit2allow is installed as part of that install.


If selinux blocks access via sftp for chrooted user

try:
grep denied /var/log/audit/audit.log | audit2allow -M postgreylocal

this is how postgrey will looks like and give permission to remove, rename, delete, create file/directory

module postgreylocal 1.0;

require {
        type user_home_t;
        type chroot_user_t;
        class dir { rename write rmdir remove_name create add_name };
        class file { write create unlink link setattr };
}

#============= chroot_user_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     ssh_chroot_rw_homedirs, ssh_chroot_full_access
allow chroot_user_t user_home_t:dir { rename rmdir };

#!!!! This avc is allowed in the current policy
allow chroot_user_t user_home_t:dir { write remove_name create add_name };

#!!!! This avc can be allowed using one of the these booleans:
#     ssh_chroot_rw_homedirs, ssh_chroot_full_access
allow chroot_user_t user_home_t:file { unlink link };

#!!!! This avc is allowed in the current policy
allow chroot_user_t user_home_t:file { write create setattr };

after that run command
semodule -i postgreylocal.pp


Comments

Post a Comment

Popular posts from this blog

Securing the Pi-hole with fail2ban to prevent DNS Amplification attacks

Securing the Pi-hole with fail2ban to prevent DNS Amplification attacks   1. Install fail2ban  sudo apt-get update ; sudo apt-get install fail2ban 2. create jail file vi /etc/fail2ban/jail.d/pihole-dns.conf [pihole-dns] enabled = true port     = 53 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]            %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/pihole.log findtime = 60 maxretry = 5 bantime = 3600   3. create filter file vi /etc/fail2ban/filter.d/pihole-dns.conf # Fail2Ban configuration file # # script from www.marek.tokyo # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = dnsmasq # log example from /var/log/pihole.
Read more

How to clean DB from old logs in Magento 1.x

How to clean DB from old logs in Magento 1.x Using MySQL truncate log_customer ; truncate log_quote ; truncate log_summary ; truncate log_summary_type ; truncate log_url ; truncate log_url_info ; truncate log_visitor ; truncate log_visitor_info ; truncate log_visitor_online ;     login to shell(SSH)  go with root/shell folder. execute the below command inside the shell folder   php - f log . php clean   enter this command to view the log data's size php -f log.php status This method will help you to clean the log data's very easy way.  
Read more

How can I chroot sftp-only SSH users into their homes?

All this pain is thanks to several security issues as detailed here . Basically the chroot directory has to be owned by root and can't be any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell and within that you can have your editable content.   sudo chown root /home/bob sudo chmod go-w /home/bob sudo mkdir /home/bob/writeable sudo chown bob:sftponly /home/bob/writeable sudo chmod ug+rwX /home/bob/writeable And bam, you can log in and write in /writeable . found at:  http://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes
Read more