Bug 986127 - selinux is blocking sshd from running on a different port
Summary: selinux is blocking sshd from running on a different port
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
unspecified
low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-07-19 03:01 UTC by Brendan Hoffmann
Modified: 2013-07-19 10:41 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-07-19 10:41:59 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Brendan Hoffmann 2013-07-19 03:01:10 UTC
Description of problem:

The fedora 19 guest currently has selinux disabled.  When I add another port directive to the sshd config and restart the service I dont see the new added port listed when I check for it in lsof.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER


Version-Release number of selected component (if applicable):

openssh-server-6.2p2-3.fc19.i686
selinux-policy-3.12.1-63.fc19.noarch

How reproducible:

Very

Steps to Reproduce:
1. Make sure selinux is disabled
2. Add a "Port" directive to sshd_config
3. Restart SSH

Actual results:

You will not see the new port bound by SSH in netstat or lsof.  ('lsof -Pni')  

Expected results:

The port should be bound and not deterred by selinux as it is disabled.

Additional info:

Running the semanage command as shown in the sshd_config will allow the port to be used and be connected to.

Comment 1 Petr Lautrbach 2013-07-19 07:23:42 UTC
If you have SELinux disabled then you don't need to run semanage. 

It works for me. Can you see something in /var/log/secure? Could you please paste an output of:

# sestatus

# /usr/sbin/sshd -T | grep port

Comment 2 Daniel Walsh 2013-07-19 10:41:59 UTC
If SELinux is disabled then this is not an SELinux bug.


Note You need to log in before you can comment on or make changes to this bug.