Secure Shell
openssh-5.3p1 chroot selinux error on CentOS-5.4 Feb 02 2010 09:25PM
James B. Byrne (byrnejb harte-lyne ca)
I built and installed openssh-5.3p1 on an x86_64 host running
CentOS-5.4. These are the build options:

./configure --prefix=/opt --with-libedit --with-md5-passwords
--with-pam --with-selinux --with-tcp-wrappers

OpenSSH has been configured with the following options:
User binaries: /opt/bin
System binaries: /opt/sbin
Configuration files: /opt/etc
Askpass program: /opt/libexec/ssh-askpass
Manual pages: /opt/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH:
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: yes
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: yes
libedit support: yes
Solaris process contract support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: x86_64-unknown-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wno-pointer-sign -Wformat-security
-fstack-protector-all -std=gnu99
Preprocessor flags:
Linker flags: -fstack-protector-all
Libraries: -lcrypto -lutil -lz -lnsl -lcrypt -lresolv
+for sshd: -lwrap -lpam -ldl -lselinux

I have also set up a chroot environment. When I attempt to log on
via sftp, I see this:

ssh_selinux_getctxbyname: ssh_selinux_getctxbyname:
security_getenforce() failed

My sestatus on this host is:

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted

I searched for this error and found a number of hits specific to
various distributions. I found one thread that said the following:

I am using openssh with libpam_chroot to have a chrooted login but the
following error message denies access for chrooted users

sshd[14644]: fatal: ssh_selinux_getctxbyname:
ssh_selinux_getctxbyname: security_getenforce() failed

. . .

This fix is in OpenSSH 4.9p1

I am not sure that this is exactly what I am encountering. I am
using the following sshd_config directives to define the chroot:

# These lines must appear at the *end* of sshd_config
Match Group sshchroot
AllowTcpForwarding no
ChrootDirectory /var/data/%h
ForceCommand internal-sftp

Have I a misconfiguration problem or is this a bug?

I have read that I can avoid this by building openssh without the
selinux option. I am not certain that this is the best way to go.
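Added here as an example that is not part of the original post: a small Python resolver for the global-section/Match-block structure of sshd_config, which shows which directives sshd would apply to a member of the sshchroot group and what ChrootDirectory /var/data/%h expands to for a given home directory. It is not OpenSSH's own parser and assumes a single global Subsystem line and Match Group criteria with exact names (no wildcards or other criteria); on the real host, sshd -T -C user=...,host=...,addr=... is the authoritative check.

```python
# Constructed sample: the Match block quoted in the post, preceded by an
# assumed global Subsystem line so there is a global section to override.
SAMPLE_CONFIG = """\
Subsystem sftp /opt/libexec/sftp-server
# These lines must appear at the *end* of sshd_config
Match Group sshchroot
AllowTcpForwarding no
ChrootDirectory /var/data/%h
ForceCommand internal-sftp
"""


def parse(text):
    """Split config text into global directives plus a list of Match blocks."""
    glob, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "match":
            # Criteria are keyword/pattern pairs, e.g. "Group sshchroot".
            parts = value.split()
            criteria = dict(zip((p.lower() for p in parts[0::2]), parts[1::2]))
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            glob[key] = value
        else:
            current[1][key] = value  # every line after a Match belongs to it
    return glob, blocks


def effective(text, user, groups, home):
    """Overlay the first satisfied Match block per keyword, then expand %h/%u."""
    glob, blocks = parse(text)
    overrides = {}
    for criteria, directives in blocks:
        wanted = set(criteria.get("group", "").split(","))  # exact names only
        if "group" in criteria and not wanted & set(groups):
            continue
        for key, value in directives.items():
            overrides.setdefault(key, value)  # earlier matching block wins
    result = {**glob, **overrides}
    if "chrootdirectory" in result:
        path = result["chrootdirectory"]
        for token, repl in (("%%", "\0"), ("%h", home), ("%u", user), ("\0", "%")):
            path = path.replace(token, repl)
        result["chrootdirectory"] = path
    return result
```

Because %h is the user's full home directory, ChrootDirectory /var/data/%h resolves to /var/data//home/jbb for a home of /home/jbb, so the passwd home entry decides where the chroot lands.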

