Mailing List Archive: openssh-5.3p1 chroot selinux error on CentOS-5.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2/2/10 4:25 PM, James B. Byrne wrote:
> I built and installed openssh-5.3p1 on an x86_64 host running
> CentOs-5.4. These are the build options:
>

I have it working on CentOS 5.4. It was a PITA to get to work. Most
likely you are getting bit by selinux. Here is some stuff that may be of
help:

BUILD SCRIPT
============
[root@FOO openssh-5.3p1]# more run-config
#/bin/bash
PFX='/usr/local'
./configure \
--prefix=${PFX} \
--sysconfdir=${PFX}/etc/ssh \
--with-pam \
--with-lastlog \
--with-tcp-wrappers \
--with-md5-passwords \
--with-selinux \
--with-kerberos5 \

exit

CHANGES TO /etc/init.d/sshd
===========================
...
# pull in sysconfig settings
[ -f /usr/local/etc/sysconfig/sshd ] && . /usr/local/etc/sysconfig/sshd

RETVAL=0
prog="sshd"

# Some functions to make the below more readable
KEYGEN=/usr/local/bin/ssh-keygen
SSHD=/usr/local/sbin/sshd
RSA1_KEY=/usr/local/etc/ssh/ssh_host_key
RSA_KEY=/usr/local/etc/ssh/ssh_host_rsa_key
DSA_KEY=/usr/local/etc/ssh/ssh_host_dsa_key
...

SSHD PAM STACK
==============
[root@FOO pam.d]# cat sshd
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so

ADDITIONS TO /etc/fstab
=======================
/selinux /PATH2CHROOT/chroot/selinux none bind,ro 0 0
/etc/selinux /PATH2CHROOT/chroot/etc/selinux none bind,ro 0 0
proc /PATH2CHROOT/chroot/proc proc defaults 0 0
sysfs /PATH2CHROOT/chroot/sys sysfs defaults 0 0
tmpfs /PATH2CHROOT/chroot/tmp tmpfs
noatime,nodev,nosuid,noexec,nouser,mode=1777,size=512M 0 0

CHROOT DIRECTORY REQUIREMENTS
=============================
[root@FOO chroot]# ll
drwxr-x--x 2 root root 4096 Jan 24 21:40 bin
drwxr-x--x 2 root root 4096 Jan 24 15:10 dev
drwxr-x--x 3 root root 4096 Jan 25 10:55 etc
drwxr-x--x 4 root root 4096 Jan 25 10:47 home
drwxr-x--x 2 root root 4096 Jan 24 21:16 lib
drwxr-x--x 2 root root 4096 Jan 24 21:16 lib64
dr-xr-xr-x 117 root root 0 Jan 24 01:12 proc
drwxr-xr-x 4 root root 0 Jan 24 01:12 selinux
drwxr-xr-x 11 root root 0 Jan 24 01:12 sys
drwxrwxrwt 2 root root 40 Jan 24 14:04 tmp
drwxr-x--x 5 root root 4096 Jan 24 15:35 usr
drwxr-x--x 3 root root 4096 Jan 24 16:14 var

[root@FOO chroot]# ll bin
total 2128
- -r-xr-xr-x 1 root root 801512 Jan 22 2009 bash
(and other stuff that you may want users to use)

[root@FOO chroot]# ll dev
crw-rw-rw- 1 root root 1, 3 Jan 24 15:02 null
crw-rw-rw- 1 root root 1, 8 Jan 24 15:07 random
lrwxrwxrwx 1 root root 15 Jan 24 15:09 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 Jan 24 15:10 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 Jan 24 15:10 stdout -> /proc/self/fd/1
cr--r--r-- 1 root root 1, 9 Jan 24 15:08 urandom
crw-rw-rw- 1 root root 1, 5 Jan 24 15:02 zero

# except for motd, all of the following is needed
# motd is needed if you have SSH display motd message
[root@FOO chroot]# ll etc
total 88
- -r--r--r-- 1 root root 80 Jan 24 21:39 bashrc
- -r--r--r-- 1 root root 266 Jan 25 10:50 group
- -r--r--r-- 1 root root 1257 Jan 24 20:52 hosts
- -r--r--r-- 1 root root 758 Sep 23 2004 inputrc
- -r--r--r-- 1 root root 118 May 8 2009 localtime
- -r--r--r-- 1 root root 2026 Jan 24 23:02 motd
- -r--r--r-- 1 root root 1696 Sep 23 2004 nsswitch.conf
- -r--r--r-- 1 root root 558 Jan 25 10:55 passwd
- -r--r--r-- 1 root root 739 Jan 24 22:16 profile
- -r--r--r-- 1 root root 149 Jan 24 20:55 resolv.conf
drwxr-x--x 3 root root 4096 Jan 22 11:00 selinux

# most lib + lib64 + /usr/lib + /usr/lib64
# exists so that name services works
# including making the bash command prompt work
[root@FOO chroot]# ll lib
- -rwxr-xr-x 1 root root 36348 Jan 20 22:11 libnss_compat-2.5.so
lrwxrwxrwx 1 root root 20 Jan 24 21:16 libnss_compat.so.2 ->
libnss_compat-2.5.so
- -rwxr-xr-x 1 root root 824548 May 24 2008 libnss_db-2.2.so
lrwxrwxrwx 1 root root 16 Jan 24 21:16 libnss_db.so.2 ->
libnss_db-2.2.so
- -rwxr-xr-x 1 root root 21876 Jan 20 22:11 libnss_dns-2.5.so
lrwxrwxrwx 1 root root 17 Jan 24 21:16 libnss_dns.so.2 ->
libnss_dns-2.5.so
- -rwxr-xr-x 1 root root 46680 Jan 20 22:11 libnss_files-2.5.so
lrwxrwxrwx 1 root root 19 Jan 24 21:16 libnss_files.so.2 ->
libnss_files-2.5.so
- -rwxr-xr-x 1 root root 22692 Jan 20 22:11 libnss_hesiod-2.5.so
lrwxrwxrwx 1 root root 20 Jan 24 21:16 libnss_hesiod.so.2 ->
libnss_hesiod-2.5.so
- -rwxr-xr-x 1 root root 3200212 Oct 27 14:01 libnss_ldap-2.5.so
lrwxrwxrwx 1 root root 18 Jan 24 21:16 libnss_ldap.so.2 ->
libnss_ldap-2.5.so
- -rwxr-xr-x 1 root root 42372 Jan 20 22:11 libnss_nis-2.5.so
- -rwxr-xr-x 1 root root 51636 Jan 20 22:11 libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root 21 Jan 24 21:16 libnss_nisplus.so.2 ->
libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root 17 Jan 24 21:16 libnss_nis.so.2 ->
libnss_nis-2.5.so

[root@FOO chroot]# ll lib64
- -rwxr-xr-x 1 root root 139416 Jan 20 18:43 ld-2.5.so
lrwxrwxrwx 1 root root 9 Jan 24 15:59 ld-linux-x86-64.so.2 ->
ld-2.5.so
lrwxrwxrwx 1 root root 15 Jan 24 15:59 libacl.so.1 -> libacl.so.1.1.0
- -rwxr-xr-x 1 root root 28008 May 24 2008 libacl.so.1.1.0
lrwxrwxrwx 1 root root 16 Jan 24 15:59 libattr.so.1 -> libattr.so.1.1.0
- -rwxr-xr-x 1 root root 17888 Jan 6 2007 libattr.so.1.1.0
- -rwxr-xr-x 1 root root 1717800 Jan 20 18:43 libc-2.5.so
lrwxrwxrwx 1 root root 17 Jan 24 15:59 libcom_err.so.2 ->
libcom_err.so.2.1
- -rwxr-xr-x 1 root root 10000 Sep 3 19:53 libcom_err.so.2.1
- -rwxr-xr-x 1 root root 48600 Jan 20 18:43 libcrypt-2.5.so
- -rwxr-xr-x 1 root root 1366208 Jan 20 15:56 libcrypto.so.0.9.8e
lrwxrwxrwx 1 root root 19 Jan 24 15:59 libcrypto.so.6 ->
libcrypto.so.0.9.8e
lrwxrwxrwx 1 root root 15 Jan 24 15:59 libcrypt.so.1 -> libcrypt-2.5.so
lrwxrwxrwx 1 root root 11 Jan 24 15:59 libc.so.6 -> libc-2.5.so
- -rwxr-xr-x 1 root root 23360 Jan 20 18:43 libdl-2.5.so
lrwxrwxrwx 1 root root 12 Jan 24 15:59 libdl.so.2 -> libdl-2.5.so
- -rwxr-xr-x 1 root root 9472 Jan 6 2007 libkeyutils-1.2.so
lrwxrwxrwx 1 root root 18 Jan 24 15:59 libkeyutils.so.1 ->
libkeyutils-1.2.so
- -rwxr-xr-x 1 root root 615136 Jan 20 18:43 libm-2.5.so
lrwxrwxrwx 1 root root 11 Jan 24 15:59 libm.so.6 -> libm-2.5.so
- -rwxr-xr-x 1 root root 43040 Jan 20 18:43 libnss_compat-2.5.so
lrwxrwxrwx 1 root root 20 Jan 24 21:16 libnss_compat.so.2 ->
libnss_compat-2.5.so
- -rwxr-xr-x 1 root root 791456 May 24 2008 libnss_db-2.2.so
lrwxrwxrwx 1 root root 16 Jan 24 21:16 libnss_db.so.2 ->
libnss_db-2.2.so
- -rwxr-xr-x 1 root root 23736 Jan 20 18:43 libnss_dns-2.5.so
lrwxrwxrwx 1 root root 17 Jan 24 21:16 libnss_dns.so.2 ->
libnss_dns-2.5.so
- -rwxr-xr-x 1 root root 53880 Jan 20 18:43 libnss_files-2.5.so
lrwxrwxrwx 1 root root 19 Jan 24 21:16 libnss_files.so.2 ->
libnss_files-2.5.so
- -rwxr-xr-x 1 root root 24736 Jan 20 18:43 libnss_hesiod-2.5.so
lrwxrwxrwx 1 root root 20 Jan 24 21:16 libnss_hesiod.so.2 ->
libnss_hesiod-2.5.so
- -rwxr-xr-x 1 root root 3165384 Oct 27 13:56 libnss_ldap-2.5.so
lrwxrwxrwx 1 root root 18 Jan 24 21:16 libnss_ldap.so.2 ->
libnss_ldap-2.5.so
- -rwxr-xr-x 1 root root 53432 Jan 20 18:43 libnss_nis-2.5.so
- -rwxr-xr-x 1 root root 62944 Jan 20 18:43 libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root 21 Jan 24 21:16 libnss_nisplus.so.2 ->
libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root 17 Jan 24 21:16 libnss_nis.so.2 ->
libnss_nis-2.5.so
- -rwxr-xr-x 1 root root 145824 Jan 20 18:43 libpthread-2.5.so
lrwxrwxrwx 1 root root 17 Jan 24 15:59 libpthread.so.0 ->
libpthread-2.5.so
- -rwxr-xr-x 1 root root 92736 Jan 20 18:43 libresolv-2.5.so
lrwxrwxrwx 1 root root 16 Jan 24 15:59 libresolv.so.2 ->
libresolv-2.5.so
- -rwxr-xr-x 1 root root 53448 Jan 20 18:43 librt-2.5.so
lrwxrwxrwx 1 root root 12 Jan 24 15:59 librt.so.1 -> librt-2.5.so
- -rwxr-xr-x 1 root root 95464 Sep 3 23:00 libselinux.so.1
- -rwxr-xr-x 1 root root 247496 Sep 3 20:35 libsepol.so.1
- -rwxr-xr-x 1 root root 306568 Jan 20 15:56 libssl.so.0.9.8e
lrwxrwxrwx 1 root root 16 Jan 24 15:59 libssl.so.6 -> libssl.so.0.9.8e
lrwxrwxrwx 1 root root 19 Jan 24 15:59 libtermcap.so.2 ->
libtermcap.so.2.0.8
- -rwxr-xr-x 1 root root 15584 Jan 6 2007 libtermcap.so.2.0.8

[root@FOO chroot]# ll usr
drwxr-x--x 2 root root 4096 Jan 24 16:40 bin
drwxr-x--x 2 root root 4096 Jan 24 21:16 lib
drwxr-x--x 2 root root 4096 Jan 24 21:16 lib64

[root@FOO chroot]# ll usr/lib
- -rwxr-xr-x 1 root root 1187124 Jul 27 2009 libnss3.so
- -rwxr-xr-x 1 root root 373992 Jul 27 2009 libnssckbi.so
lrwxrwxrwx 1 root root 28 Jan 24 21:16 libnss_compat.so ->
../../lib/libnss_compat.so.2
lrwxrwxrwx 1 root root 24 Jan 24 21:16 libnss_db.so ->
../../lib/libnss_db.so.2
lrwxrwxrwx 1 root root 25 Jan 24 21:16 libnss_dns.so ->
../../lib/libnss_dns.so.2
lrwxrwxrwx 1 root root 27 Jan 24 21:16 libnss_files.so ->
../../lib/libnss_files.so.2
lrwxrwxrwx 1 root root 28 Jan 24 21:16 libnss_hesiod.so ->
../../lib/libnss_hesiod.so.2
lrwxrwxrwx 1 root root 26 Jan 24 21:16 libnss_ldap.so ->
../../lib/libnss_ldap.so.2
lrwxrwxrwx 1 root root 29 Jan 24 21:16 libnss_nisplus.so ->
../../lib/libnss_nisplus.so.2
lrwxrwxrwx 1 root root 25 Jan 24 21:16 libnss_nis.so ->
../../lib/libnss_nis.so.2
- -rwxr-xr-x 1 root root 96924 Jul 27 2009 libnssutil3.so

[root@FOO chroot]# ll usr/lib64
lrwxrwxrwx 1 root root 21 Jan 24 15:59 libgssapi_krb5.so.2 ->
libgssapi_krb5.so.2.2
- -rwxr-xr-x 1 root root 190976 Jan 13 00:17 libgssapi_krb5.so.2.2
lrwxrwxrwx 1 root root 18 Jan 24 15:59 libk5crypto.so.3 ->
libk5crypto.so.3.1
- -rwxr-xr-x 1 root root 153624 Jan 13 00:17 libk5crypto.so.3.1
lrwxrwxrwx 1 root root 14 Jan 24 15:59 libkrb5.so.3 -> libkrb5.so.3.3
- -rwxr-xr-x 1 root root 613896 Jan 13 00:17 libkrb5.so.3.3
lrwxrwxrwx 1 root root 21 Jan 24 15:59 libkrb5support.so.0 ->
libkrb5support.so.0.1
- -rwxr-xr-x 1 root root 35728 Jan 13 00:17 libkrb5support.so.0.1
lrwxrwxrwx 1 root root 21 Jan 24 15:59 liblber-2.3.so.0 ->
liblber-2.3.so.0.2.31
- -rwxr-xr-x 1 root root 59040 Jan 21 2009 liblber-2.3.so.0.2.31
lrwxrwxrwx 1 root root 21 Jan 24 15:59 libldap-2.3.so.0 ->
libldap-2.3.so.0.2.31
- -rwxr-xr-x 1 root root 241360 Jan 21 2009 libldap-2.3.so.0.2.31
lrwxrwxrwx 1 root root 17 Jan 24 15:59 libncurses.so.5 ->
libncurses.so.5.5
- -rwxr-xr-x 1 root root 380336 Jan 6 2007 libncurses.so.5.5
lrwxrwxrwx 1 root root 18 Jan 24 15:59 libncursesw.so.5 ->
libncursesw.so.5.5
- -rwxr-xr-x 1 root root 413488 Jan 6 2007 libncursesw.so.5.5
- -rwxr-xr-x 1 root root 1221496 Jul 27 2009 libnss3.so
- -rwxr-xr-x 1 root root 492960 Jul 27 2009 libnssckbi.so
lrwxrwxrwx 1 root root 30 Jan 24 21:16 libnss_compat.so ->
../../lib64/libnss_compat.so.2
lrwxrwxrwx 1 root root 26 Jan 24 21:16 libnss_db.so ->
../../lib64/libnss_db.so.2
lrwxrwxrwx 1 root root 27 Jan 24 21:16 libnss_dns.so ->
../../lib64/libnss_dns.so.2
lrwxrwxrwx 1 root root 29 Jan 24 21:16 libnss_files.so ->
../../lib64/libnss_files.so.2
lrwxrwxrwx 1 root root 30 Jan 24 21:16 libnss_hesiod.so ->
../../lib64/libnss_hesiod.so.2
lrwxrwxrwx 1 root root 28 Jan 24 21:16 libnss_ldap.so ->
../../lib64/libnss_ldap.so.2
lrwxrwxrwx 1 root root 31 Jan 24 21:16 libnss_nisplus.so ->
../../lib64/libnss_nisplus.so.2
lrwxrwxrwx 1 root root 27 Jan 24 21:16 libnss_nis.so ->
../../lib64/libnss_nis.so.2
- -rwxr-xr-x 1 root root 119696 Jul 27 2009 libnssutil3.so
lrwxrwxrwx 1 root root 18 Jan 24 15:59 libsasl2.so.2 ->
libsasl2.so.2.0.22
- -rwxr-xr-x 1 root root 105464 Sep 4 00:05 libsasl2.so.2.0.22
- -rwxr-xr-x 1 root root 805656 Sep 20 02:26 libtcl8.4.so
lrwxrwxrwx 1 root root 13 Jan 24 15:59 libz.so.1 -> libz.so.1.2.3
- -rwxr-xr-x 1 root root 85608 Jan 9 2007 libz.so.1.2.3

PASSWD MUNGE
============
entry in /etc/passwd
footest:x:505:505:Chroot Test
Account:/PATH2CHROOT/chroot/home/footest:/bin/bash

entry in /PATH2CHROOT/chroot/etc/passwd
footest:x:505:505:Chroot Test Account:/home/footest:/bin/bash

Also, in chroot-ed passwd and group file, strip out all non-chroot-ed
users and groups, except for root.

PROFILE MUNGE
=============
copy /etc/profile to /PATH2CHROOT/chroot/etc/profile and add the
following code to the top of the file:

# CHROOT environment for login setup
# Special setup for chroot
HOME=$(echo ${HOME} | sed 's^/PATH2CHROOT/chroot^^')
export HOME
PWD=${HOME}
export PWD
cd ${HOME}
umask 002
# end chroot setup

FINAL NOTES
===========
1) I have not tried to make syslog work. It should be rather straight
forward, but I just have not had time to set it up.

2) I am attaching a template that can be used to build the chroot
environment. It has been tested exactly once. YMMV. (Assuming it makes
it past the mailing list filter!)

I hope this fixes your problem.

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o/c/s: 843-849-8214 / 843-813-2924 / 843-564-4224
e: Jon.Kibler@aset.com or Jon.R.Kibler@gmail.com
s: JonRKibler
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkt3r9MACgkQUVxQRc85QlPmZACgmYQ9z3Ji9TrUY9Qq372SpwTq
9OEAnikPvbaPr9f1EPPt3u7q9Qe57872
=YOSg
-----END PGP SIGNATURE-----

Mailing List Archive

Mailing List Archive

Attached Files: