Bug 986127 - selinux is blocking sshd from running on a different port
Product: Fedora
Classification: Fedora
Component: selinux-policy
x86_64 Unspecified
unspecified Severity low
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Reported: 2013-07-18 23:01 EDT by Brendan Hoffmann
Modified: 2013-07-19 06:41 EDT
Doc Type: Bug Fix
Last Closed: 2013-07-19 06:41:59 EDT
Type: Bug
Description Brendan Hoffmann 2013-07-18 23:01:10 EDT
Description of problem:

The Fedora 19 guest currently has selinux disabled. When I add another port directive to the sshd config and restart the service I don't see the newly added port listed when I check for it in lsof.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Make sure selinux is disabled
2. Add a "Port" directive to sshd_config
3. Restart SSH

Actual results:

You will not see the new port bound by SSH in netstat or lsof.  ('lsof -Pni')  

Expected results:

The port should be bound and not deterred by selinux as it is disabled.

Additional info:

Running the semanage command as shown in the sshd_config will allow the port to be used and be connected to.
Comment 1 Petr Lautrbach 2013-07-19 03:23:42 EDT
If you have SELinux disabled then you don't need to run semanage. 

It works for me. Can you see something in /var/log/secure? Could you please paste the output of:

# sestatus

# /usr/sbin/sshd -T | grep port
Comment 2 Daniel Walsh 2013-07-19 06:41:59 EDT
If SELinux is disabled then this is not an SELinux bug.
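
The triage implied by the questions in this thread, as an added example that is not part of the original bug report: it reads the text output of `sestatus`, `sshd -T` and `semanage port -l` and reports, per effective sshd port, whether SELinux could be what denies the bind. The function names, verdict strings and sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs are captured text from: sestatus, `sshd -T`, `semanage port -l`.

# Print "enforcing", "permissive" or "disabled" from sestatus output.
selinux_mode() {
    printf '%s\n' "$1" | awk -F': *' '
        { sub(/[ \t]+$/, "") }
        /^SELinux status:/ { status = $2 }
        /^Current mode:/   { mode = $2 }
        END { if (status != "enabled") print "disabled"; else print mode }'
}

# For each effective sshd port print "<port> <verdict>".
check_sshd_ports() {
    mode=$(selinux_mode "$1")
    # tcp ports and ranges labelled ssh_port_t, e.g. "22" or "2200-2210".
    labelled=$(printf '%s\n' "$3" | awk '$1 == "ssh_port_t" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) { gsub(/,/, "", $i); print $i } }')
    printf '%s\n' "$2" | awk '$1 == "port" { print $2 }' | while read -r p; do
        if [ "$mode" != "enforcing" ]; then
            # Disabled or permissive SELinux does not deny the bind.
            echo "$p selinux-$mode"; continue
        fi
        verdict="needs-label"
        for r in $labelled; do
            lo=${r%-*}; hi=${r#*-}
            if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then verdict="labelled"; fi
        done
        echo "$p $verdict"
    done
}

# Constructed sample outputs (not taken from the bug report).
SAMPLE_SESTATUS_ENFORCING='SELinux status:                 enabled
Current mode:                   enforcing'
SAMPLE_SESTATUS_DISABLED='SELinux status:                 disabled'
SAMPLE_SSHD_T='port 22
port 2222
gatewayports no'
SAMPLE_SEMANAGE='ssh_port_t                     tcp      22
http_port_t                    tcp      80, 443'

check_sshd_ports "$SAMPLE_SESTATUS_ENFORCING" "$SAMPLE_SSHD_T" "$SAMPLE_SEMANAGE"
check_sshd_ports "$SAMPLE_SESTATUS_DISABLED" "$SAMPLE_SSHD_T" "$SAMPLE_SEMANAGE"
```

On a live host, pass `"$(sestatus)"`, `"$(sshd -T)"` and `"$(semanage port -l)"` as the three arguments. A `needs-label` verdict is the case the semanage command quoted from sshd_config addresses; a `selinux-disabled` verdict means the cause lies elsewhere.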
