Description of problem: The range for ephemeral_port_t defined in the SELinux policy does not match the default value of the net.ipv4.ip_local_port_range tunable which is used to bypass kernel security checks. Version-Release number of selected component (if applicable): selinux-policy-3.13.1-283.17.fc27.noarch How reproducible: always the ranges are mismatched for older Fedoras and for RHEL 7 as well Steps to Reproduce: 1. Let sshd bind to ports 60999 and 61000 Port 22 Port 60999 Port 61000 and restart the service. Actual results: Nov 29 10:00:10 hostname sshd[10623]: error: Bind to port 61000 on 0.0.0.0 failed: Permission denied. Nov 29 10:00:10 hostname sshd[10623]: error: Bind to port 61000 on :: failed: Permission denied. Nov 29 10:00:10 hostname sshd[10623]: Server listening on 0.0.0.0 port 60999. Nov 29 10:00:10 hostname sshd[10623]: Server listening on :: port 60999. Expected results: The ranges match and kernel skips the checks just for processes trying to bind to ephemeral ports. Additional info: # semanage port -l | grep ephemeral_port_t ephemeral_port_t tcp 32768-61000 ephemeral_port_t udp 32768-61000 $ sysctl net.ipv4.ip_local_port_range net.ipv4.ip_local_port_range = 32768 60999
This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
It is still in place in Fedora 29: # semanage port -l | grep ephemeral_port_t ephemeral_port_t tcp 32768-61000 ephemeral_port_t udp 32768-61000 # sysctl net.ipv4.ip_local_port_range net.ipv4.ip_local_port_range = 32768 60999
commit 17994ab421f6d9516523f6d75d5d79e50b6c1140 (HEAD -> rawhide) Author: Lukas Vrabec <lvrabec> Date: Wed Dec 12 15:55:16 2018 +0100 Fixing range for ephemeral ports BZ(1518807) Range of ephemeral ports is 32768-60999 based on: # sysctl net.ipv4.ip_local_port_range net.ipv4.ip_local_port_range = 32768 60999
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.