selinux blocks access via sftp for chrooted user

you may want to install setroubleshoot. audit2allow is installed as part of that install.


If selinux blocks access via sftp for chrooted user

try:
grep denied /var/log/audit/audit.log | audit2allow -M postgreylocal

this is how postgrey will looks like and give permission to remove, rename, delete, create file/directory

module postgreylocal 1.0;

require {
        type user_home_t;
        type chroot_user_t;
        class dir { rename write rmdir remove_name create add_name };
        class file { write create unlink link setattr };
}

#============= chroot_user_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     ssh_chroot_rw_homedirs, ssh_chroot_full_access
allow chroot_user_t user_home_t:dir { rename rmdir };

#!!!! This avc is allowed in the current policy
allow chroot_user_t user_home_t:dir { write remove_name create add_name };

#!!!! This avc can be allowed using one of the these booleans:
#     ssh_chroot_rw_homedirs, ssh_chroot_full_access
allow chroot_user_t user_home_t:file { unlink link };

#!!!! This avc is allowed in the current policy
allow chroot_user_t user_home_t:file { write create setattr };

after that run command
semodule -i postgreylocal.pp


Comments

Post a Comment

Popular posts from this blog

Wazuh opensearch dashboard ConnectionError: connect ECONNREFUSED ::1:9200"

 Wazuh opensearch dashboard ConnectionError: connect ECONNREFUSED ::1:9200"    If you see error like this:  Aug 19 13:38:21 wazuh opensearch-dashboards[486]: {"type":"log","@timestamp":"2024-08-19T04:38:21Z","tags":["error","opensearch","data"],"pid":486,"message":"[ConnectionError]: connect ECONNREFUSED ::1:9200"} the problem is with missing host localhost IP at: (default is IPv6 and deamon is not listening on it) /etc/wazuh-dashboard/opensearch_dashboards.yml  opensearch.hosts: https://127.0.0.1:9200 #opensearch.hosts: https://localhost:9200
Read more

Securing the Pi-hole with fail2ban to prevent DNS Amplification attacks

Securing the Pi-hole with fail2ban to prevent DNS Amplification attacks   1. Install fail2ban  sudo apt-get update ; sudo apt-get install fail2ban 2. create jail file vi /etc/fail2ban/jail.d/pihole-dns.conf [pihole-dns] enabled = true port     = 53 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]            %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/pihole.log findtime = 60 maxretry = 5 bantime = 3600   3. create filter file vi /etc/fail2ban/filter.d/pihole-dns.conf # Fail2Ban configuration file # # script from www.marek.tokyo # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = dnsmasq #...
Read more

Reduce (shrink) and resize raw disk at Proxmox

 Reduce (shrink) and resize raw disk at Proxmox 1. Check the status of raw disk:   #e2fsck -fy /hdd-img/images/111/vm-111-disk-1.raw e2fsck 1.46.5 (30-Dec-2021) Pass 1: Checking inodes, blocks, and sizes Pass 2: Checking directory structure Pass 3: Checking directory connectivity Pass 4: Checking reference counts Pass 5: Checking group summary information /hdd-img/images/111/vm-111-disk-1.raw: 135279/327680000 files (1.8% non-contiguous), 857599886/1310720000 blocks  2. At first, check raw disk size:   #qemu-img info /hdd-img/images/111/vm-111-disk-1.raw image: /hdd-img/images/111/vm-111-disk-1.raw file format: raw virtual size: 4.88 TiB (5368709120000 bytes) disk size: 3.59 TiB  3. Resize filesystem: -M - will resize to the minimum size based on saved files -p - will display progress bar #resize2fs -M -p /hdd-img/images/111/vm-111-disk-1.raw resize2fs 1.46.5 (30-Dec-2021) Resizing the filesystem on /hdd-img/images/111/vm-111-disk-1.raw to 852166716 (4k) blocks....
Read more