SELinux – Using in a Chroot Environment

linuxselinuxssh

I need to change selinux policy for /etc/ssh/sshd_config in a chroot environment designed to rescue my system (on a dedibox) : it actually does not have any selinux context defined and then sshd won't start.

But in the default chroot environment (offered by online.net), selinux is disabled : that means that I cannot change any policy, I fall on the 'cannot downgrade file' error. So I need to chroot from scratch.

So how could I chroot with selinux enabled (which is in the original env) in fedora 25 server (rescued OS/selinux enabled) with ubuntu 18 (rescue OS/selinux disabled), so I could change sshd_config selinux policy ?

Best Answer

You can also touch /.autorelabel on the root partition of the system you want to boot. This will trigger a restorecon on the whole system at the next boot, and should fix the issue. The process will reboot the machine once the relabeling is done. Be aware that, depending on the disk and amount of files, this process can take quite long.

Another option would be to use extended attributes xattr to set the selinux contexts. This is actually where selinux file related information is stored and can be modified with getfattr and setfattr using -m security.selinux.

A third way to fixing your issue can be to switch selinux into permissive mode using kernel boot options by adding the option enforcing=0.

Related Solutions

Ubuntu SSH Login – Permission Denied, Please Try Again

Are you certain that the user account you're attempting to access is correctly configured? If you log in as root on the system, can you su to the user account?

# su - username

What do you see in your logs after a failed connection attempt? On many systems, sshd will log to something /var/log/secure or /var/log/auth.log. Also, I note that you have PasswordAuthentication enabled but ChallengeResponseAuthentication disabled. Do you see the same behavior if you enable ChallengeResponseAuthentication?

Here are some general diagnostic steps to use when you have ssh problems:

Enable verbose diagnostics in ssh:
```
ssh -v host.example.com
```
This will cause the client to output a variety of diagnostic messages as it negotiates the connection. This will often provide a clue to the problem.
Run the server in debug mode.

On your server, stop sshd, then run it from the command line like this:
```
/usr/sbin/sshd -d
```
This will produce verbose debug logging on stderr that will very often contain useful information.

If neither of these helps you figure out what's going on, would you add the output to your question?

Permission denied: could not create /var/run/httpd.pid in Apache

I just figure out what issue. This is our environment:

RedHat 5 with latest apache RPM

When you look at the error logs it complains about not been able to create the httpd.pid, under the "run" dir. It didn't make sense because that directory had the correct context for read/write "httpd_sys_rw_content_t" (which I had to find from "/etc/selinux/targeted/contexts/customizable_types".

I realized (after hours of searching) that on the error log it doesn't give you the full path, but when apache stars it chroot dir to "/home/httpdjail".

Under this folder I found another "run" dir. After changing the permissions to:

chcon -Rv -t httpd_sys_content_rw_t /home/httpdjail/

IT WORKED!! ^^

I'm guessing if you give the right permissions to your "/chroot/httpd" it will fix your issue.

Hope this help!

Best Answer

Related Solutions

Ubuntu SSH Login – Permission Denied, Please Try Again

Permission denied: could not create /var/run/httpd.pid in Apache

Related Topic