The command getsebool -a | grep ssh
on my CentOS 7 shows
fenced_can_ssh --> off
selinuxuser_use_ssh_chroot --> off
ssh_chroot_rw_homedirs --> off
ssh_keysign --> off
ssh_sysadm_login --> off
so based on your question the command
setsebool -P fenced_can_ssh on
should fix it.
But you could also go the "hard" way and install the setroubleshoot-server and policycoreutils-python packages with:
yum -y install setroubleshoot-server policycoreutils-python
and then temporarily set SELinux mode to permissive
with
setenforce Permissive
After that try whatever did not work previously. It should work now.
Now take a look at the following file /var/log/audit/audit.log. It usually shows problems SELinux found.
grep -i "denied" /var/log/audit/audit.log
If you get no denied messages in the log, it is possible that SELinux thinks the event would produce too much logging, so it did not log it. You can enable logging of all events in this case with
semodule -DB
But make sure you turn it back to normal with semodule -B
at the end of troubleshooting.
If you found problems, you can now use the audit2allow tool to create a policy module for your needs. audit2allow has many options, so you should first read ALLOWING ACCESS: AUDIT2ALLOW to get used to audit2allow.
Don't forget to turn on SELinux again and (if changed) enable reduced logging!
setenforce Enforcing
semodule -B
audit2why tells (it can suggest relevant booleans too). – sebasth Feb 26 '19 at 10:01
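The troubleshooting loop above (permissive mode, reproduce, read audit.log, audit2allow, back to enforcing) is shown here as an added shell example; it is not part of the original answer or comment and not a tool from the SELinux packages. It parses AVC denial lines into a one-line-per-denial-type summary (permissions, source type, target type, class, and whether SELinux was permissive at the time), which is the information audit2why and audit2allow work from. All audit.log lines in it are constructed for the example; the module name my_sshd_fix in the comments is an arbitrary placeholder.

```shell
#!/bin/sh
# Added example (not from the original answer, not part of the SELinux
# toolset): a small triage helper for the "grep -i denied" step above.
# Every audit.log line below is constructed for this example.
set -eu

# Constructed sample of what auditd writes. While SELinux is permissive the
# kernel still logs every would-be denial, tagged permissive=1, so you can
# reproduce the failing operation without it actually being blocked.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1551175000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="sshd" dest=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1551175000.123:456): arch=c000003e syscall=42 success=yes exit=0 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551175001.456:457): avc:  denied  { read } for  pid=1235 comm="sshd" name="authorized_keys" dev="dm-0" ino=1048601 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551175002.789:458): avc:  denied  { read } for  pid=1237 comm="sshd" name="authorized_keys" dev="dm-0" ino=1048602 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=USER_AUTH msg=audit(1551175003.012:459): pid=1238 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 res=success'

# avc_summary: read audit.log lines on stdin, keep only AVC denials, and print
# one line per distinct (permissions, source type, target type, class,
# permissive flag) with a count. Reading this is usually enough to tell a
# mislabelled file (restorecon) from an unlabelled port (semanage port) from a
# genuine policy gap (audit2allow module).
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        perms = ""; src = ""; tgt = ""; cls = ""; perm_mode = "?"
        s = index($0, "{"); e = index($0, "}")
        if (s > 0 && e > s) {
            perms = substr($0, s + 1, e - s - 1)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")   { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext")   { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass")     cls = kv[2]
            if (kv[1] == "permissive") perm_mode = kv[2]
        }
        count[perms " " src " " tgt " " cls " " perm_mode]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# enforcing_denials: number of denials logged while SELinux was enforcing
# (permissive=0). After you load your module and run setenforce Enforcing,
# repeat the failing operation and expect this to stay at zero.
enforcing_denials() {
    awk '/^type=AVC / && / denied / && / permissive=0/ { n++ } END { print n + 0 }'
}

# Stand-alone run on the constructed sample. On a real box, replace the printf
# with:  grep -i denied /var/log/audit/audit.log | avc_summary
# and then continue with the tools the answer and comment name:
#   audit2why -a                   # explains each denial, suggests booleans
#   audit2allow -a -M my_sshd_fix  # writes my_sshd_fix.te and my_sshd_fix.pp
#   semodule -i my_sshd_fix.pp
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary
printf 'denials while enforcing: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT_LOG" | enforcing_denials)"
```

On the sample this prints one line for the blocked name_connect to an unreserved port and one for the two reads of a home-directory file, both with permissive=1, and reports zero denials while enforcing. Denials with permissive=0 are the ones that actually blocked something, so a non-zero count after re-enabling enforcing mode means the module or label fix did not cover the case.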