sshd listens on port 22 (and only port 22) by default, but can be configured to listen on any number of arbitrary ports in sshd_config(5).
On several of my systems, I have configured sshd to listen on a reserved port (that is, one less than 1024) other than port 22. This is because I want to hide sshd from ankle-biting script kiddies that swarm the Internet looking for ssh daemons to brute-force or otherwise attack, but I don't want to run sshd on a high port that any random user can bind to.
However, the SELinux targeted policy blocks sshd from listening on any port less than 1024 other than 22, even when run by root.
Try as I might, I cannot fathom the motivation for this restriction. What is it?
For now, I am setting the "allow_ypbind" SELinux boolean to true, which disables the restriction on sshd binding on a reserved port other than 22. But from inspecting the selinux-policy source RPM, setting allow_ypbind to true also permits a vast swath of other bindings that I don't need and don't want.
Therefore, please either remove the restriction on sshd binding on reserved ports other than 22, or else provide a new SELinux boolean (e.g., allow_sshd_bind_reserved) that will permit sshd to bind on any reserved port when set to true.
(Alternate suggestions are welcome, but these are the two most reasonable courses of action that I can think of.)
# semanage port -a -t ssh_port_t -p tcp 1023
I googled for sshd listening on different port selinux
And I came up with
Sadly I did not write it.
Ah, but sealert only suggests twiddling the allow_ypbind boolean. That's why I didn't explore other possible ways to permit sshd to bind to alternate ports.
If it is reasonable to do so, it would be a good thing to have sealert suggest:
/usr/sbin/semanage port -a -t ssh_port_t -p tcp DENIED_PORT
Even a suggestion like "the semanage command can also be used to permit this access; please read the man page for examples" would be helpful...
Could you attach the actual avc message that you got and I will look to see why that suggestion came up.
Created attachment 442919 [details]
full message from sealert
Here's the complete message from sealert.
Note that this line:
[sshd has a permissive type (sshd_t). This access was not denied.]
...is absolutely wrong; SELinux was in enforcing mode and (correctly) denied the access:
$ grep sshd /var/log/messages
2010-09-03T10:57:40.584263-04:00 example sshd: error: Bind to port 822 on 0.0.0.0 failed: Permission denied.
2010-09-03T10:57:40.584631-04:00 example sshd: error: Bind to port 822 on :: failed: Permission denied.
2010-09-03T10:57:40.584923-04:00 example sshd: fatal: Cannot bind any address.
The permissive line is keyed off of success=yes in the AVC. Which means the system service returned success
Fixed the bind_connect.py plugin to match on hi_reserved_port_t in
setroubleshoot-plugins-2.1.61-1.fc13 has been submitted as an update for Fedora 13.
setroubleshoot-plugins-2.1.61-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update setroubleshoot-plugins'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/setroubleshoot-plugins-2.1.61-1.fc13
Yes, that's much better; positive karma added to bodhi. Thanks!
setroubleshoot-plugins-2.1.61-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.