SFTP Selinux Setup Guide

This guide outlines the steps to set up an SFTP user with a chroot jail and configure SELinux policies. It includes creating a user without a home directory, setting up the necessary directory structure, configuring SSH for SFTP access, and adjusting SELinux contexts. Additionally, it explains how to use the `audit2allow` and `semodule` commands to manage SELinux denials and install the generated policy module.

Uploaded by gvdznnj68w

# SFTP User Setup and SELinux Policies Guide

## SFTP User Setup with Chroot Jail and SELinux

### 1. Create the User Without a Home Directory

```bash
sudo useradd -M -s /sbin/nologin user1
sudo passwd user1
```

### 2. Set Up the Directory Structure

Create the chroot directory and the upload folder. The chroot directory itself (and every directory above it) must be owned by root and must not be group- or world-writable, otherwise sshd refuses to chroot into it; only the `uploads` subdirectory belongs to the user:

```bash
sudo mkdir -p /data1/med/vlr/uploads
sudo chown root:root /data1/med/vlr
sudo chmod 755 /data1/med/vlr
sudo chown user1:user1 /data1/med/vlr/uploads
sudo chmod 755 /data1/med/vlr/uploads
```

### 3. Configure SSH for SFTP Access

Edit `/etc/ssh/sshd_config` and add the following block at the end of the file (every directive after a `Match` line belongs to that match until the next `Match` or the end of the file):

```plaintext
Match User user1
    ForceCommand internal-sftp
    ChrootDirectory /data1/med/vlr
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Validate the configuration with `sudo sshd -t` before restarting, so a syntax error does not take SSH down, then restart the service:

```bash
sudo systemctl restart sshd
```

### 4. Adjust SELinux Contexts

Set the correct SELinux context on the chroot tree and apply it:

```bash
sudo semanage fcontext -a -t ssh_home_t "/data1/med/vlr(/.*)?"
sudo restorecon -Rv /data1/med/vlr
```

If SELinux still blocks SFTP after relabelling, look at the recent AVC denials first, and only then let `audit2allow` build a local policy module from them (it allows everything it finds, so read the generated `.te` before installing it):

```bash
sudo ausearch -m AVC,USER_AVC -ts recent
sudo audit2allow -a -M sftp_chroot_policy
sudo semodule -i sftp_chroot_policy.pp
```
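The permission rules from steps 2 and 3 are the usual reason a chroot SFTP login fails before SELinux is even involved. The following is an added example, not part of the original guide, of a small POSIX shell check that walks from the `ChrootDirectory` up to `/` and reports any path component that is not root-owned or is group/world-writable; it assumes GNU `stat` (Linux) and takes optional `TOP` and `OWNER_UID` arguments (hypothetical parameters introduced here) so the same function can be exercised on a scratch tree without root.

```bash
#!/bin/sh
# Added example: sanity-check an sftp ChrootDirectory before restarting sshd.
# sshd refuses to chroot unless the directory and every ancestor are owned by
# root and are not group- or world-writable ("bad ownership or modes for
# chroot directory" in the log). Assumes GNU stat (Linux).
#
# check_chroot_path DIR [TOP] [OWNER_UID]
#   DIR        the ChrootDirectory, e.g. /data1/med/vlr
#   TOP        stop after checking this ancestor (default "/")
#   OWNER_UID  required owner (default 0 = root; overridable so the check
#              can be exercised on a scratch tree without root)
#   Prints one line per problem; returns 0 if clean, 1 if not, 2 on stat error.
check_chroot_path() {
    dir=$1
    top=${2:-/}
    want_uid=${3:-0}
    rc=0
    p=$dir
    while :; do
        uid=$(stat -c '%u' "$p") || return 2
        perms=$(stat -c '%A' "$p") || return 2     # e.g. drwxr-xr-x
        if [ "$uid" != "$want_uid" ]; then
            echo "bad owner: $p is uid $uid, expected $want_uid"
            rc=1
        fi
        # group write bit is character 6 of the mode string, other write is 9
        case $perms in
            ?????w*|????????w*)
                echo "group/world writable: $p ($perms)"
                rc=1 ;;
        esac
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Usage on the layout from the guide (only the path components are checked;
# the user-owned uploads/ directory below the chroot may be writable):
#   check_chroot_path /data1/med/vlr && echo "chroot layout OK"
```

Run it as root against the real path with the defaults; a non-zero exit with a list of offending components tells you exactly which `chown`/`chmod` from step 2 (or on a parent such as `/data1`) still needs to be applied.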

---

## SELinux Commands: audit2allow and semodule

### 1. `sudo audit2allow -a -M sftp_chroot_policy`

This command reads the SELinux denials in the audit log and generates a policy module that allows every one of them. Because it does not distinguish a legitimate need from a misconfiguration (for example a directory that was never relabelled), review the generated `.te` file before installing it.

- **audit2allow**: Converts SELinux AVC denials from the audit log into policy allow rules.

- **-a**: Reads the denials recorded in `/var/log/audit/audit.log`.

- **-M sftp_chroot_policy**: Writes the source `sftp_chroot_policy.te` and compiles it into the loadable module package `sftp_chroot_policy.pp`.


**Example Output:**

```
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i sftp_chroot_policy.pp

*****************************************************
```

### 2. `sudo semodule -i sftp_chroot_policy.pp`

Installs the compiled policy package `sftp_chroot_policy.pp` into the module store and loads it into the running policy; the module persists across reboots until it is removed with `semodule -r sftp_chroot_policy`.

---

### Full Workflow Example

1. **Check for Recent Denials:**

```bash
sudo ausearch -m AVC,USER_AVC -ts recent
```

2. **Generate a Policy:**

```bash
sudo audit2allow -a -M sftp_chroot_policy
```

3. **Install the Policy:**

```bash
sudo semodule -i sftp_chroot_policy.pp
```

4. **Verify** (retry the SFTP login, then confirm no new denials appear):

```bash
sudo ausearch -m AVC,USER_AVC -ts recent
```

---

### Understanding the Generated Policy

Example `sftp_chroot_policy.te` (the `require` block must be closed with `}` before the allow rules):

```
module sftp_chroot_policy 1.0;

require {
	type sshd_t;
	type default_t;
	class dir write;
}

#============= sshd_t ==============
allow sshd_t default_t:dir write;
```

The single rule lets the `sshd_t` domain write to any directory labelled `default_t`. `default_t` is the fallback label for paths that have no file-context rule (a freshly created `/data1` tree, for instance), so a denial on it usually means the relabelling from step 4 was not applied, and the rule is much broader than one chroot directory. Prefer fixing the label with `semanage fcontext` and `restorecon`, and keep `audit2allow` for denials that remain after the tree is correctly labelled.
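Reviewing a generated module before `semodule -i` is the step both the workflow above and this section rely on. As an added example, not part of the original guide, the shell function below parses the `allow` rules of a `.te` file and flags any whose target type is a generic catch-all label (`default_t`, `unlabeled_t`, `file_t`, `tmp_t`; a constructed list you can extend), exiting non-zero when such a rule is present. The sample `.te` it writes is constructed for the example and extends the one above with two rules on `ssh_home_t`, the label the guide assigns in step 4.

```bash
#!/bin/sh
# Added example: gate audit2allow output before installing it.
# Assumes a POSIX shell plus awk and grep (any Linux with policycoreutils).

# Catch-all types that a narrowly scoped sftp policy should not need rules for.
# Constructed list for this example; extend it to fit your baseline.
BROAD_TYPES="default_t unlabeled_t file_t tmp_t"

# review_te FILE: print one line per allow rule, tagged BROAD or ok.
# Returns 1 if any rule targets a type in BROAD_TYPES, 0 otherwise.
review_te() {
    awk -v broad="$BROAD_TYPES" '
        BEGIN {
            n = split(broad, b, " ")
            for (i = 1; i <= n; i++) isbroad[b[i]] = 1
            bad = 0
        }
        /^[ \t]*allow[ \t]/ {
            src = $2                      # source domain, e.g. sshd_t
            split($3, tc, ":")            # "default_t:dir" -> type, class
            tgt = tc[1]; cls = tc[2]
            perms = $0                    # everything after the class
            sub(/^[^:]*:[^ \t]*[ \t]+/, "", perms)
            sub(/;[ \t]*$/, "", perms)
            tag = (tgt in isbroad) ? "BROAD" : "ok"
            printf "%-5s %s -> %s (%s) %s\n", tag, src, tgt, cls, perms
            if (tag == "BROAD") bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# write_sample_te FILE: constructed .te resembling audit2allow -M output,
# with the broad default_t rule from the guide plus two rules on ssh_home_t.
write_sample_te() {
    cat > "$1" <<'EOF'
module sftp_chroot_policy 1.0;

require {
	type sshd_t;
	type default_t;
	type ssh_home_t;
	class dir { write add_name };
	class file { create write };
}

#============= sshd_t ==============
allow sshd_t default_t:dir write;
allow sshd_t ssh_home_t:dir { write add_name };
allow sshd_t ssh_home_t:file { create write };
EOF
}

# Usage in the workflow (real path is the .te written next to the .pp):
#   review_te sftp_chroot_policy.te && sudo semodule -i sftp_chroot_policy.pp
```

A `BROAD` line is the cue to go back to step 4 and fix the file context rather than install the module; the `ok` lines on the chroot's own label are the kind of rule a local module should be limited to.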
