openssh-5.3p1 chroot selinux error on CentOS-5.4

I built and installed openssh-5.3p1 on an x86_64 host running
CentOS-5.4. These are the build options:

./configure --prefix=/opt --with-libedit --with-md5-passwords
--with-pam --with-selinux --with-tcp-wrappers

OpenSSH has been configured with the following options:
User binaries: /opt/bin
System binaries: /opt/sbin
Configuration files: /opt/etc
Askpass program: /opt/libexec/ssh-askpass
Manual pages: /opt/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH:
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: yes
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: yes
libedit support: yes
Solaris process contract support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: x86_64-unknown-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wno-pointer-sign -Wformat-security
-fstack-protector-all -std=gnu99
Preprocessor flags:
Linker flags: -fstack-protector-all
Libraries: -lcrypto -lutil -lz -lnsl -lcrypt -lresolv
+for sshd: -lwrap -lpam -ldl -lselinux

I have also set up a chroot environment. When I attempt to log on
via sftp, I see this:

ssh_selinux_getctxbyname: ssh_selinux_getctxbyname:
security_getenforce() failed

My sestatus on this host is:

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted

I searched for this error and found a number of hits specific to
various distributions. I found one thread that said the following:

I am using openssh with libpam_chroot to have a chrooted login but
following error message denies access for chrooted users

sshd[14644]: fatal: ssh_selinux_getctxbyname:
ssh_selinux_getctxbyname: security_getenforce() failed

. . .

This fix is in OpenSSH 4.9p1

I am not sure that this is exactly what I am encountering. I am
using the following sshd_config directives to define the chroot:

# These lines must appear at the *end* of sshd_config
Match Group sshchroot
AllowTcpForwarding no
ChrootDirectory /var/data/%h
ForceCommand internal-sftp

Have I a misconfiguration problem or is this a bug?

I have read that I can avoid this by building openssh without the
selinux option. I am not certain that this is the best way to go.

*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
