SOLVED: SFTP Fatal in Selinux Log

Problem

When trying to configure SFTP, you encounter "fatal: safely_chroot ... Permission denied" in your SELinux audit.log.

Problem Scenario:

When you disable SELinux with setenforce 0, sftp works.

When you enable SELinux with setenforce 1, sftp fails and gives an error like:
Aug 7 18:01:19 server1 sshd[36015]: fatal: safely_chroot: stat("/var/www"): Permission denied

Important facts:

You must have:
setsebool -P ssh_chroot_rw_homedirs=1
This will often fail if you have an SFTP user that also has a login shell (a big no-no); set that user's shell to /sbin/nologin with:
usermod -s /sbin/nologin mySFTPUser

But sftp still won't work, because the default SELinux policy does not allow the sftp chroot. Create a custom SELinux policy module that allows the chroot, using audit2allow:
yum install setroubleshoot (to get audit2allow)

or

yum install policycoreutils-python (alternate package with audit2allow)
cd /root
grep chroot_user_t /var/log/audit/audit.log | audit2allow -M sftp_chroot_custom_policy > sftp_chroot_custom_policy.text
semodule -i sftp_chroot_custom_policy.pp

NOTE: The normal output of this would be the .pp file generated by the -M flag. The .text file contains the human readable equivalent. You must use the .pp binary file with the semodule -i command.
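Before loading a module built this way, it is worth knowing exactly which rules audit2allow will derive from the denials the grep catches, since the module grants everything it sees. The script below is an added example, not code from the original article: it reads audit.log records on stdin and prints the merged allow rules for one source domain, the same rule body audit2allow writes into the .te file next to the .pp. The audit lines are constructed samples (a getattr and a search denial for chroot_user_t on /var/www, plus an unrelated sshd_t denial that a grep for chroot_user_t would not include).

```shell
#!/bin/sh
# Added example, not code from the original article: reconstruct the "allow" rules that
# audit2allow derives from AVC denials, so you can check what a module will grant before
# loading it. The audit lines below are CONSTRUCTED samples, not real log data.
SAMPLE_AUDIT='type=AVC msg=audit(1375902079.123:4567): avc:  denied  { getattr } for  pid=36015 comm="sshd" path="/var/www" dev=dm-0 ino=12345 scontext=unconfined_u:unconfined_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1375902079.123:4567): arch=c000003e syscall=4 success=no exit=-13 comm="sshd"
type=AVC msg=audit(1375902080.456:4568): avc:  denied  { search } for  pid=36015 comm="sshd" name="www" dev=dm-0 ino=12345 scontext=unconfined_u:unconfined_r:chroot_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1375902090.001:4570): avc:  denied  { read } for  pid=36020 comm="sshd" name="issue.net" dev=dm-0 ino=99 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_to_allow SRC_TYPE
#   Reads audit.log lines on stdin and prints one merged "allow" rule per
#   (source type, target type, class) for denials whose source type is SRC_TYPE.
#   Non-AVC records and denials from other domains are ignored.
avc_to_allow() {
  awk -v src="$1" '
    /avc: +denied/ {
      # permissions sit between the braces: "{ getattr }"
      if (match($0, /[{][^}]*[}]/) == 0) next
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        # the type is the third colon-separated element of a context
        if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
        else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      if (s != src) next
      key = s " " t ":" c
      if (!(key in seen)) { seen[key] = 1; order[++n] = key }
      np = split(perms, p, " ")
      for (j = 1; j <= np; j++)
        if (!((key, p[j]) in have)) { have[key, p[j]] = 1; plist[key] = plist[key] " " p[j] }
    }
    END { for (k = 1; k <= n; k++) printf "allow %s {%s };\n", order[k], plist[order[k]] }
  '
}

# Review step: show what the module would grant for the chroot domain only.
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow chroot_user_t
```

On a real box, run the same function over /var/log/audit/audit.log (or simply read the .te file that audit2allow -M writes beside the .pp) and confirm the rules are limited to chroot_user_t reaching the chroot directory's type; if the grep picked up unrelated denials, trim them before running semodule -i.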

This applies to CentOS 6. It may apply to other Linux distributions.
