Description of problem:
Brand new install of Fedora 17. Actioning basic post-install security steps.

Step 1: move ssh to another port.
* edit /etc/ssh/sshd_config and specify port=NNNNN
* systemctl restart sshd

This was hindered by SELinux. Most end-users will eventually find and execute poor advice, setting SELinux to permissive or otherwise disabling it. It would be better if the ssh program expressed its reasonable need to be able to be moved to other ports.

Additional info:
libreport version: 2.0.18
kernel: 3.6.10-2.fc17.x86_64

description:
SELinux is preventing /usr/sbin/sshd from 'name_bind' accesses on the tcp_socket .

Sshd should be allowed name_bind access on the tcp_socket by default. Changing the ssh port is far too common of a step, taken by security conscious end-users as a safety measure, for it to be made more difficult by SELinux restrictions.

***** Plugin bind_ports (99.5 confidence) suggests *************************

If you want to allow /usr/sbin/sshd to bind to network port NNNNN
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp NNNNN
    where PORT_TYPE is one of the following: ssh_port_t, xserver_port_t.

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that sshd should be allowed name_bind access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                [ tcp_socket ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          NNNNN
Host                          (removed)
Source RPM Packages           openssh-server-5.9p1-28.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.10-2.fc17.x86_64 #1 SMP Tue
                              Dec 11 18:07:34 UTC 2012 x86_64 x86_64
Alert Count                   7
First Seen                    2012-12-28 21:25:52 CST
Last Seen                     2012-12-28 21:32:20 CST
Local ID                      d6468a4d-7086-4f51-a448-8badd3057c68

Raw Audit Messages
type=AVC msg=audit(1356751940.299:250): avc: denied { name_bind } for pid=2892 comm="sshd" src=NNNNN scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1356751940.299:250): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7fda401a4740 a2=1c a3=7fff3ae04654 items=0 ppid=1 pid=2892 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,unreserved_port_t,tcp_socket,name_bind

audit2allow

#============= sshd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

allow sshd_t unreserved_port_t:tcp_socket name_bind;

audit2allow -R

#============= sshd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

allow sshd_t unreserved_port_t:tcp_socket name_bind;

I'm insufficiently familiar with all of the options for how this can be accomplished with SELinux.
The goal is to eliminate the need for ANY extra steps on the part of the end-user other than specifying Port=NNNNN in the /etc/ssh/sshd_config configuration file and restarting sshd.
Created attachment 670265 File: type
Created attachment 670266 File: hashmarkername
Yes, this is correct. You will need to execute
# semanage port -a -t PORT_TYPE -p tcp NNNNN
where PORT_TYPE is one of the following: ssh_port_t
if you change the default port.
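The fix given in the comment above, worked through as an added shell example (it is not part of the bug report or of any reply, and it does not come from the openssh or selinux-policy projects): it reads the port out of the sshd name_bind AVC line and builds the matching semanage command, and it checks against a constructed excerpt of "semanage port -l" output whether that port is already labelled, because "semanage port -a" refuses a port that is already defined and "semanage port -m" has to be used instead. The AVC lines, the port listing and the ports 2222, 8080 and 6010 are all constructed for the example; 2222 stands in for the report's NNNNN.

```shell
#!/bin/sh
# Added example, not from the bug report: turn an sshd name_bind AVC denial
# into the matching "semanage port" command without touching the live system.
# All inputs below are constructed; 2222 stands in for the report's NNNNN.

# Constructed AVC line in the layout setroubleshoot shows, assumed port 2222.
AVC_2222='type=AVC msg=audit(1356751940.299:250): avc: denied { name_bind } for pid=2892 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'
# Same denial for assumed port 8080 (listed below) and 6010 (inside a range).
AVC_8080=$(printf '%s' "$AVC_2222" | sed 's/src=2222/src=8080/')
AVC_6010=$(printf '%s' "$AVC_2222" | sed 's/src=2222/src=6010/')

# Constructed excerpt in the layout of "semanage port -l": type, protocol, ports.
PORT_LIST='ssh_port_t                     tcp      22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
xserver_port_t                 tcp      6000-6020'

# Print the port from an sshd name_bind denial; print nothing for any other AVC.
avc_port() {
    printf '%s\n' "$1" |
        sed -n 's/.*avc: *denied *[{] name_bind [}].*comm="sshd" src=\([0-9][0-9]*\) .*/\1/p'
}

# Exit 0 if the "semanage port -l" output on stdin already assigns port $2 of
# protocol $1 to some type; single ports, comma lists and low-high ranges are
# all handled.
port_is_defined() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (index(p, "-")) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (p == port) {
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Build the command that labels the denied port ssh_port_t. An unlabelled port
# is added with -a; a port semanage already lists must be modified with -m,
# because "semanage port -a" refuses a port that is already defined. Note that
# -m moves the port out of its previous type, so whatever service owned it
# loses permission to bind it.
fix_command() {  # $1 = AVC line, $2 = output of "semanage port -l"
    port=$(avc_port "$1")
    [ -n "$port" ] || return 1
    if printf '%s\n' "$2" | port_is_defined tcp "$port"; then
        verb=-m
    else
        verb=-a
    fi
    printf 'semanage port %s -t ssh_port_t -p tcp %s\n' "$verb" "$port"
}

# Stand-alone run: print the command for each constructed denial.
for avc in "$AVC_2222" "$AVC_8080" "$AVC_6010"; do
    fix_command "$avc" "$PORT_LIST"
done
```

On the real host the sequence is the one the report asks for plus the single labelling step: set Port in /etc/ssh/sshd_config, run the printed semanage command as root, confirm with `semanage port -l | grep ssh_port_t` that the new port now appears next to 22, then `systemctl restart sshd`. The label survives reboots and policy updates, unlike the audit2allow module the catchall plugin offers, which would grant sshd_t name_bind on every unreserved port rather than on the one port chosen.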