RH6: chroot SSH environment ( NOT sftp )

Seaching Google for a solution for chrooting an SSH environment on RedHat Enterprtise linux 6 gave me many many non-solutions

It took me a long time figuring out how to create an chrooted ssh environment with SELinux in enforcing state.

This is what I did to get it to work :


Add group and user


groupadd -g 1010 ${GROUP}
useradd -u 1010 -g ${GROUP} -M -d /home/${USER} ${USER}


Add to [ /etc/ssh/sshd_config ] and restart sshd after modification

 Match group sshusers
ChrootDirectory /chroot
X11Forwarding no
AllowTcpForwarding no


Create directories and special files

mkdir -p ${BASE}/{dev,etc,lib,lib64,usr/bin,bin,home}
mknod ${BASE}/dev/null c 1 3
mknod ${BASE}/dev/zero c 1 5
mknod -m 666 ${BASE}/dev/tty c 5 0
mknod -m 666 ${BASE}/dev/ptmx c 5 2

mkdir -p ${BASE}/home/${USER}
chown ${USER}: ${BASE}/home/${USER}
chmod 700 ${BASE}/home/${USER}


Download and use the script below to copy binaries plus shared libraries to the chrooted environment :

cd /usr/sbin
wget https://www.unixinfo.nl/chroot/l2root
chmod u+x /usr/sbin/l2root
## change the variable BASE in this script ##

#  l2root /bin/bash
Copying [/bin/bash] to /chroot
Copying shared files/libs to /chroot

#  l2root /bin/ls
Copying [/bin/ls] to /chroot
Copying shared files/libs to /chroot


When using a chroot always make sure that the environment labels are identical to the default configuration.

 setfiles -r ${BASE} /etc/selinux/targeted/contexts/files/file_contexts ${BASE}


This will label a chroot environment under /chroot with the same labels as the main environment.

Additionally, we need to add a policy to make the chroot_user_t an unconfined_domain since we don’t allow ssh_chroot_t to transition to unconfined (this fix will be available in the next RHEL6 selinux-policy update)

1) Create a file mychrootuser.te with the following content:

# mkdir /root/sepolicy ; cd /root/sepolicy

# vi mychrootuser.te


require {
type unconfined_t;
type chroot_user_t;

#============= chroot_user_t ==============
allow chroot_user_t unconfined_t:process transition;


2) Then make and install the policy file

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mychrootuser.pp


Reason  why the above policy needs to be applied is that RedHat does not allow ssh_chroot_t to transition to unconfined_t , the option in RHEL6 is to to make chroot_user_t an unconfined_domain. This fix will be included in the next selinux-policy package.

In the RHEL7 openssh version RedHat dropped the sftp-chroot patch which removed usage of sftp_t and chroot_user_t and reverted back to the system configured SELinux users instead (guest_u for chrooted users).


Now test the chrooted environment :

# ssh sshuser1@localhost
sshuser1@localhost’s password:
Last login: Wed Aug  6 13:04:05 2014 from localhost

-bash-4.1$ pwd

-bash-4.1$ cd /dev
-bash-4.1$ ls -la
total 12
drwxr-xr-x.  3 0 0 4096 Aug  6 10:59 .
drwxr-xr-x. 10 0 0 4096 Aug  6 11:01 ..
drwxr-xr-x.  2 0 0 4096 Aug  6 10:59 pts
crw-rw-rw-.  1 0 0 5, 0 Aug  6 10:59 tty


Now you can start extending the chrooted environment with the needed binaries, config files etc …

Leave a comment

Your email address will not be published.


Fix this before you comment on this post * Time limit is exhausted. Please reload the CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.