Bug 629348
| Field | Value |
|---|---|
| Summary | selinux prevents sshd from listening on alternate reserved port |
| Product | Fedora |
| Component | setroubleshoot-plugins |
| Version | 13 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Reporter | James Ralston <ralston> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, jdennis, mgrepl |
| Keywords | Reopened |
| Target Milestone | --- |
| Target Release | --- |
| Regression | --- |
| Fixed In Version | setroubleshoot-plugins-2.1.61-1.fc13 |
| Doc Type | Bug Fix |
| Last Closed | 2010-09-11 08:57:37 UTC |
Description
James Ralston
2010-09-01 18:14:12 UTC

    # semanage port -a -t ssh_port_t -p tcp 1023

I googled for sshd listening on different port selinux and I came up with http://equivocation.org/node/124. Sadly I did not write it.

Ah, but sealert only suggests twiddling the allow_ypbind boolean. That's why I didn't explore other possible ways to permit sshd to bind to alternate ports.

If it is reasonable to do so, it would be a good thing to have sealert suggest:

    /usr/sbin/semanage port -a -t ssh_port_t -p tcp DENIED_PORT

Even a suggestion like "the semanage command can also be used to permit this access; please read the man page for examples" would be helpful...

Could you attach the actual avc message that you got and I will look to see why that suggestion came up.

Created attachment 442919 [details]
full message from sealert

Here's the complete message from sealert.

Note that this line:

    [sshd has a permissive type (sshd_t). This access was not denied.]

...is absolutely wrong; SELinux was in enforcing mode and (correctly) denied the access:

    $ getenforce
    Enforcing
    $ grep sshd /var/log/messages
    2010-09-03T10:57:40.584263-04:00 example sshd[21944]: error: Bind to port 822 on 0.0.0.0 failed: Permission denied.
    2010-09-03T10:57:40.584631-04:00 example sshd[21944]: error: Bind to port 822 on :: failed: Permission denied.
    2010-09-03T10:57:40.584923-04:00 example sshd[21944]: fatal: Cannot bind any address.

The permissive line is keyed off of success=yes in the AVC. Which means the system service returned success.

Fixed the bind_connect.py plugin to match on hi_reserved_port_t in setroubleshoot-plugins-2.1.61-1.fc13.

setroubleshoot-plugins-2.1.61-1.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/setroubleshoot-plugins-2.1.61-1.fc13

setroubleshoot-plugins-2.1.61-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update setroubleshoot-plugins'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/setroubleshoot-plugins-2.1.61-1.fc13

Yes, that's much better; positive karma added to bodhi. Thanks!

setroubleshoot-plugins-2.1.61-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
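An added example, not code from this report or from setroubleshoot's bind_connect.py: a small Python parser that turns an AVC name_bind denial into the semanage suggestion the reporter asks sealert to offer, adding the port (-a) only while it still carries a generic type such as hi_reserved_port_t, and falling back to -m when another service already owns it. The record format, the sample lines and the sshd_t to ssh_port_t table are constructed assumptions of this example.

```python
import re
# Port types the default policy gives ports that no specific service owns;
# hi_reserved_port_t (512-1023, where 822 sits) is what the plugin missed.
GENERIC_PORT_TYPES = {"reserved_port_t", "hi_reserved_port_t", "unreserved_port_t"}

# Source domain -> port type it may name_bind. Only the sshd pair comes from
# this report; the table itself is an assumed extension point.
DOMAIN_PORT_TYPES = {"sshd_t": "ssh_port_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perm>[\w ]+?)\s*\}.*?"
    r'\bcomm="(?P<comm>[^"]*)".*?\bsrc=(?P<port>\d+).*?'
    r"\bscontext=\S+?:(?P<stype>\w+_t):.*?"
    r"\btcontext=\S+?:(?P<ttype>\w+_t):.*?\btclass=(?P<tclass>\w+)"
)

def parse_avc(line):
    # Fields of one AVC denial record, or None when the line is not one.
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    return fields

def suggest(line):
    # The semanage command that would permit a denied name_bind, or None.
    avc = parse_avc(line)
    if avc is None or avc["perm"] != "name_bind":
        return None
    port_type = DOMAIN_PORT_TYPES.get(avc["stype"])
    if port_type is None:
        return None  # unknown domain: nothing safe to suggest
    proto = "tcp" if avc["tclass"] == "tcp_socket" else "udp"
    # An unowned port is added (-a); a port already labelled for another
    # service must be modified (-m), which takes it away from that service.
    action = "-a" if avc["ttype"] in GENERIC_PORT_TYPES else "-m"
    return f"semanage port {action} -t {port_type} -p {proto} {avc['port']}"

# Constructed records modelled on the sshd denial on port 822 in this report.
SAMPLE_DENIED = (
    "type=AVC msg=audit(1283525860.584:101): avc:  denied  { name_bind }  for  "
    'pid=21944 comm="sshd" src=822 scontext=system_u:system_r:sshd_t:s0 '
    "tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket"
)
SAMPLE_OWNED = SAMPLE_DENIED.replace("hi_reserved_port_t", "http_port_t").replace("src=822", "src=80")

if __name__ == "__main__":
    print(suggest(SAMPLE_DENIED))  # semanage port -a -t ssh_port_t -p tcp 822
    print(suggest(SAMPLE_OWNED))   # semanage port -m -t ssh_port_t -p tcp 80
```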