I have a directory that I need to share via https and sftp. I have tried labeling the directory as httpd_sys_content_t and public_content_t. This allows httpd access to the directory but not sftp via ssh. If I change the label to chroot_user_t then ssh works but httpd can't access the data.
# cat /var/log/secure Jan 27 13:50:25 www sshd[8872]: fatal: safely_chroot: stat("/data"): Permission denied
# ls -lZ drwxr-xr-x. root anonymous system_u:object_r:public_content_t:s0 data
# cat /var/log/audit/audit.log type=AVC msg=audit(1391012447.734:1292): avc: denied { getattr } for pid=7910 comm="sshd" path="/data" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
I have https working as I am currently using public_content_t. I know that the public_content_t allows HTTP Sever, FTP, rsync, and Samba but sftp is not listed. So I have 2 questions: 1) How can I allow sftp access to /data? 2) Why isn't sftp allowed to read public_content_t labels?
Thanks, George
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 01/29/2014 11:04 AM, George Myer wrote:
I have a directory that I need to share via https and sftp. I have tried labeling the directory as httpd_sys_content_t and public_content_t. This allows httpd access to the directory but not sftp via ssh. If I change the label to chroot_user_t then ssh works but httpd can't access the data.
# cat /var/log/secure Jan 27 13:50:25 www sshd[8872]: fatal: safely_chroot: stat("/data"): Permission denied
# ls -lZ drwxr-xr-x. root anonymous system_u:object_r:public_content_t:s0 data
# cat /var/log/audit/audit.log type=AVC msg=audit(1391012447.734:1292): avc: denied { getattr } for pid=7910 comm="sshd" path="/data" dev=dm-4 ino=2 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
I have https working as I am currently using public_content_t. I know that the public_content_t allows HTTP Sever, FTP, rsync, and Samba but sftp is not listed. So I have 2 questions: 1) How can I allow sftp access to /data? 2) Why isn't sftp allowed to read public_content_t labels?
Thanks, George
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Easiest is to just write a custom policy module allowing rsync_t to read public_content_t.
selinux@lists.fedoraproject.org