Bug 890781 - SELinux is preventing /usr/sbin/sshd from 'name_bind' accesses on the tcp_socket .
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:8386f59bd7aa5b4b6118e0f17b0...
Depends On:
Blocks:
 
Reported: 2012-12-30 00:00 UTC by Paul Reiber
Modified: 2013-01-02 11:26 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-02 11:26:25 UTC
Type: ---
Embargoed:


Attachments
File: type (9 bytes, text/plain)
2012-12-30 00:00 UTC, Paul Reiber
File: hashmarkername (14 bytes, text/plain)
2012-12-30 00:00 UTC, Paul Reiber

Description Paul Reiber 2012-12-30 00:00:06 UTC
Description of problem:
Brand new install of Fedora 17.  Actioning basic post-install security steps.

Step 1:  move ssh to another port.
* edit /etc/ssh/sshd_config and specify port=NNNNN
* systemctl restart sshd

This was hindered by SELinux.  Most end-users will eventually find and execute poor advice, setting SELinux to permissive or otherwise disabling it.  

It would be better if the ssh program expressed its reasonable need to be able to be moved to other ports.


Additional info:
libreport version: 2.0.18
kernel:         3.6.10-2.fc17.x86_64

description:
:SELinux is preventing /usr/sbin/sshd from 'name_bind' accesses on the tcp_socket .
:
:Sshd should be allowed name_bind access on the tcp_socket by default.  Changing the ssh port is far too common a step, taken by security-conscious end-users as a safety measure, for it to be made more difficult by SELinux restrictions.
:
:*****  Plugin bind_ports (99.5 confidence) suggests  *************************
:
:If you want to allow /usr/sbin/sshd to bind to network port NNNNN
:Then you need to modify the port type.
:Do
:# semanage port -a -t PORT_TYPE -p tcp NNNNN
:    where PORT_TYPE is one of the following: ssh_port_t, xserver_port_t.
:
:*****  Plugin catchall (1.49 confidence) suggests  ***************************
:
:If you believe that sshd should be allowed name_bind access on the  tcp_socket by default. Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:unreserved_port_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        sshd
:Source Path                   /usr/sbin/sshd
:Port                          NNNNN
:Host                          (removed)
:Source RPM Packages           openssh-server-5.9p1-28.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.10-2.fc17.x86_64 #1 SMP Tue
:                              Dec 11 18:07:34 UTC 2012 x86_64 x86_64
:Alert Count                   7
:First Seen                    2012-12-28 21:25:52 CST
:Last Seen                     2012-12-28 21:32:20 CST
:Local ID                      d6468a4d-7086-4f51-a448-8badd3057c68
:
:Raw Audit Messages
:type=AVC msg=audit(1356751940.299:250): avc:  denied  { name_bind } for  pid=2892 comm="sshd" src=NNNNN scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1356751940.299:250): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7fda401a4740 a2=1c a3=7fff3ae04654 items=0 ppid=1 pid=2892 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: sshd,sshd_t,unreserved_port_t,tcp_socket,name_bind
:
:audit2allow
:
:#============= sshd_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_ypbind'
:
:allow sshd_t unreserved_port_t:tcp_socket name_bind;
:
:audit2allow -R
:
:#============= sshd_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_ypbind'
:
:allow sshd_t unreserved_port_t:tcp_socket name_bind;
:
:
:I'm insufficiently familiar with all of the options for how this can be accomplished with SELinux.  The goal is to eliminate the need for ANY extra steps on the part of the end-user other than specifying Port=NNNNN in the /etc/ssh/sshd_config configuration file and restarting sshd.

Comment 1 Paul Reiber 2012-12-30 00:00:10 UTC
Created attachment 670265 [details]
File: type

Comment 2 Paul Reiber 2012-12-30 00:00:12 UTC
Created attachment 670266 [details]
File: hashmarkername

Comment 3 Miroslav Grepl 2013-01-02 11:26:25 UTC
Yes, this is correct. You will need to execute

# semanage port -a -t PORT_TYPE -p tcp NNNNN

where PORT_TYPE is one of the following: ssh_port_t

if you change the default port.
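The two remedies offered in the report are not equivalent. The audit2allow module in the description (`allow sshd_t unreserved_port_t:tcp_socket name_bind;`) would let sshd bind any port of type unreserved_port_t, while the `semanage port -a -t ssh_port_t` fix in comment 3 labels exactly one port and leaves the rest of the policy untouched. The script below is an added example, not code from the reporter, the Fedora policy team or any SELinux tool: it parses AVC records of the shape shown in the raw audit messages above and derives the narrow `semanage port` command for each name_bind denial. The port numbers 2222 and 8080, the extra sample records and the `EXPECTED_PORT_TYPE` table are constructed for the example (the report redacts its port as NNNNN; only the sshd_t to ssh_port_t pairing is confirmed by the page). It also covers the case the report does not hit: a port that is already labelled for another service, where `semanage port -a` would be refused and `-m` would reassign the port.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records modelled on the AVC in this bug report. The
# report redacts the port as NNNNN; 2222 and 8080 are constructed values so
# the parser has something concrete to work on. The last record is an
# unrelated file denial, included to show it is left alone.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1356751940.299:250): avc:  denied  { name_bind } for  pid=2892 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1356751940.299:250): arch=x86_64 syscall=bind success=no exit=EACCES pid=2892 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1356751999.100:260): avc:  denied  { name_bind } for  pid=3001 comm="sshd" src=8080 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356752050.500:271): avc:  denied  { read } for  pid=3010 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Which port type a confined daemon is expected to bind to. Only the sshd_t
# entry is confirmed by this report (sealert offered ssh_port_t); the table
# is an assumption to be extended from the policy on the host in question.
EXPECTED_PORT_TYPE = {"sshd_t": "ssh_port_t"}

# Port types that mean "no service owns this port"; here `semanage port -a`
# is the right, minimal fix. Any other target type is already claimed.
GENERIC_PORT_TYPES = {"unreserved_port_t", "reserved_port_t", "port_t"}

AVC_RE = re.compile(
    r"type=AVC .*?denied\s+\{ (?P<perms>[^}]*)\} .*?"
    r"comm=\"(?P<comm>[^\"]*)\".*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
SRC_RE = re.compile(r"\bsrc=(?P<port>\d+)")


@dataclass
class Avc:
    comm: str
    perms: List[str]
    source_type: str
    target_type: str
    tclass: str
    port: Optional[int]


@dataclass
class Recommendation:
    avc: Avc
    command: str
    note: str


def context_type(ctx: str) -> str:
    # SELinux context is user:role:type[:range]; the type is the third field.
    return ctx.split(":")[2]


def parse_avcs(text: str) -> List[Avc]:
    """Extract the fields of every type=AVC record; other record types are skipped."""
    avcs = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = SRC_RE.search(line)
        avcs.append(Avc(
            comm=m["comm"],
            perms=m["perms"].split(),
            source_type=context_type(m["scontext"]),
            target_type=context_type(m["tcontext"]),
            tclass=m["tclass"],
            port=int(src["port"]) if src else None,
        ))
    return avcs


def triage(text: str) -> List[Recommendation]:
    """Turn name_bind denials into the narrowest semanage port command."""
    recs = []
    for avc in parse_avcs(text):
        if "name_bind" not in avc.perms or avc.tclass not in ("tcp_socket", "udp_socket"):
            continue  # not a port-labelling denial; leave it for a human
        want = EXPECTED_PORT_TYPE.get(avc.source_type)
        if want is None or avc.port is None:
            continue  # unknown daemon or no port in the record
        proto = avc.tclass.split("_")[0]  # tcp_socket -> tcp, udp_socket -> udp
        if avc.target_type in GENERIC_PORT_TYPES:
            recs.append(Recommendation(
                avc, f"semanage port -a -t {want} -p {proto} {avc.port}",
                "port is unlabelled; adding it to the service's port type is safe"))
        else:
            recs.append(Recommendation(
                avc, f"semanage port -m -t {want} -p {proto} {avc.port}",
                f"port already labelled {avc.target_type}; -a would be refused and "
                f"-m takes the port away from whatever binds {avc.target_type}"))
    return recs


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT):
        print(f"{r.avc.comm} port {r.avc.port}: {r.command}  # {r.note}")
```

Running it prints the `-a` command for the 2222 denial and the `-m` command with its warning for the 8080 denial; the file denial produces nothing, since relabelling a port cannot fix it. The `-m` branch is the caveat worth keeping in mind: moving sshd onto a port that another policy module already owns changes which daemon may bind that port, so the safer choice is an unlabelled port in the first place.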

