Bug 986127 - selinux is blocking sshd from running on a different port
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64 Unspecified
Priority: unspecified, Severity: low
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-07-18 23:01 EDT by Brendan Hoffmann
Modified: 2013-07-19 06:41 EDT
Last Closed: 2013-07-19 06:41:59 EDT
Type: Bug
Description Brendan Hoffmann 2013-07-18 23:01:10 EDT
Description of problem:

The Fedora 19 guest currently has SELinux disabled.  When I add another port directive to the sshd config and restart the service I don't see the newly added port listed when I check for it in lsof.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER


Version-Release number of selected component (if applicable):

openssh-server-6.2p2-3.fc19.i686
selinux-policy-3.12.1-63.fc19.noarch

How reproducible:

Very

Steps to Reproduce:
1. Make sure SELinux is disabled
2. Add a "Port" directive to sshd_config
3. Restart SSH

Actual results:

You will not see the new port bound by SSH in netstat or lsof.  ('lsof -Pni')  

Expected results:

The port should be bound and not deterred by SELinux as it is disabled.

Additional info:

Running the semanage command as shown in the sshd_config will allow the port to be used and be connected to.
Comment 1 Petr Lautrbach 2013-07-19 03:23:42 EDT
If you have SELinux disabled then you don't need to run semanage. 

It works for me. Can you see something in /var/log/secure? Could you please paste the output of:

# sestatus

# /usr/sbin/sshd -T | grep port
Comment 2 Daniel Walsh 2013-07-19 06:41:59 EDT
If SELinux is disabled then this is not an SELinux bug.
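
Added example (not part of the bug thread and not Fedora or OpenSSH code): a shell check that combines the two outputs requested in Comment 1 with `semanage port -l`, and reports whether SELinux can be the cause at all and, if it is enforcing, which configured sshd ports lack the ssh_port_t label. The function names, the sample command output and port 2222 are constructed for illustration.

```shell
# Added example, not from the bug report. Sample command output is constructed.

# SELinux mode from `sestatus` output on stdin: disabled, permissive or enforcing.
selinux_mode() {
  awk -F': *' '/^SELinux status/ { s = $2 } /^Current mode/ { m = $2 }
               END { if (s == "disabled") print "disabled"; else print m }'
}

# Ports sshd will really bind, from `sshd -T` output on stdin.
# Matching the first field exactly skips lines such as "gatewayports no".
sshd_ports() { awk '$1 == "port" { print $2 }'; }

# TCP ports labelled ssh_port_t, from `semanage port -l` output on stdin.
# Handles comma-separated lists and ranges such as 2200-2202.
ssh_labelled_ports() {
  awk '$1 == "ssh_port_t" && $2 == "tcp" {
         for (i = 3; i <= NF; i++) {
           gsub(",", "", $i); n = split($i, r, "-")
           for (p = r[1] + 0; p <= r[n] + 0; p++) print p
         }
       }'
}

# Verdict. Args: sestatus text, sshd -T text, semanage port -l text.
diagnose() {
  mode=$(printf '%s\n' "$1" | selinux_mode)
  # Only enforcing mode denies the bind; otherwise look elsewhere.
  [ "$mode" = "enforcing" ] || { echo "selinux-not-blocking ($mode)"; return 0; }
  labelled=$(printf '%s\n' "$3" | ssh_labelled_ports)
  missing=""
  for p in $(printf '%s\n' "$2" | sshd_ports); do
    printf '%s\n' "$labelled" | grep -qx "$p" || missing="$missing $p"
  done
  if [ -n "$missing" ]; then echo "needs ssh_port_t label:$missing"
  else echo "labels-ok"; fi
}

# Constructed sample input; on a real host pass "$(sestatus)",
# "$(/usr/sbin/sshd -T)" and "$(semanage port -l)" instead (run as root).
SESTATUS_ON='SELinux status:                 enabled
Current mode:                   enforcing'
SESTATUS_OFF='SELinux status:                 disabled'
SSHD_T='port 22
port 2222
gatewayports no'
SEMANAGE='ssh_port_t                     tcp      22'

diagnose "$SESTATUS_ON" "$SSHD_T" "$SEMANAGE"
diagnose "$SESTATUS_OFF" "$SSHD_T" "$SEMANAGE"
```

A "selinux-not-blocking" verdict matches the thread's resolution: with SELinux disabled the missing listener has another cause, and /var/log/secure is the next place to look.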
