[fedora-arm] semanage errors when changing ssh port Re: Fedora-Minimal-armhfp-21-20140815-sda.raw.xz problems with sshd
Robert Moskowitz
rgm at htt-consult.com
Mon Aug 18 16:35:17 UTC 2014
OK. I am running Minimal 'out of the box'. I DID install
tigervnc-server and policycoreutils-python and all dependencies.
# semanage port -a -t ssh_port_t -p tcp ___
[ 2043.787411] SELinux: Permission audit_read in class capability2 not
defined in policy.
[ 2043.795520] SELinux: the above unknown classes and permissions will
be allowed
[ 2045.025332] SELinux: Context
unconfined_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 2047.090145] SELinux: Context
unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid
(unmapped).
[ 2047.654731] SELinux: Context
system_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 2049.710431] SELinux: Context
system_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
But it seems to have made the needed changes so I can SSH to my
non-standard port.
This is a commonly done system change. Move SSH to some other port just
to cut down on the robot noise. One time during this testing, I had
port 22 open from the outside and before I could change the port number
I had almost 600 attempted SSH logins.
On 08/16/2014 05:45 AM, Daniel J Walsh wrote:
> On 08/15/2014 03:34 PM, Robert Moskowitz wrote:
>> related, I move the sshd port, and update SELinux policy with:
>>
>> semanage port -a -t ssh_port_t -p tcp 1234
>>
>> and got the following messages:
>>
>> [ 1828.788735] SELinux: Permission audit_read in class capability2
>> not defined in policy.
> This means you have a capability defined in policy "audit_read", which
> the kernel does not understand.
>> [ 1828.796870] SELinux: the above unknown classes and permissions will
>> be allowed
>> [ 1829.450779] SELinux: Context
>> system_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
>> [ 1831.528160] SELinux: Context
>> system_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
>> [ 1832.890157] SELinux: Context
>> unconfined_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
>> [ 1834.966398] SELinux: Context
>> unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid
>> (unmapped).
> These are types that have been removed from the default packages. So
> they were defined in the previous policy that you had in the kernel, but
> the new policy you loaded no longer has sandbox_t and vbetool_t. These
> should not be a problem unless you had an application running as
> sandbox_t or vbetool_t, most likely not.
>> But it seems to have worked. That is SSH can be reached at the
>> changed port. And yes, I also did the firewall-cmd for the new port
>> number.
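Two shell checks for the two steps this thread turns on, written as an added example (not from the list post, Fedora or the semanage project): whether a non-standard sshd port needs `semanage port -a` or `-m`, and whether anything is still running in a type the reloaded policy dropped. The `semanage port -l` and `ps -eZ` output is constructed and embedded inline so it runs offline, and the helper names port_owner, port_action and stale_type_procs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Real runs would read `semanage port -l`
# and `ps -eZ`; the two samples below are constructed stand-ins.

# Constructed, abridged `semanage port -l` output.
SEMANAGE_PORT_L='SELinux Port Type              Proto    Port Number
ssh_port_t                     tcp      22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
vnc_port_t                     tcp      5900-5999'

# Constructed, abridged `ps -eZ` output with one leftover sandbox_t process.
PS_EZ='LABEL                                       PID TTY     TIME CMD
system_u:system_r:init_t:s0                     1 ?   00:00:01 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023       612 ?   00:00:00 sshd
unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 911 ? 00:00:00 sleep'

# port_owner PROTO PORT: print the type labelling PROTO/PORT (handles
# "a, b, c" lists and "lo-hi" ranges); prints nothing if unlabelled.
port_owner() {
    printf '%s\n' "$SEMANAGE_PORT_L" | awk -v proto="$1" -v port="$2" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (split(p, r, "-") == 2) {
                    if (port+0 >= r[1]+0 && port+0 <= r[2]+0) { print $1; exit }
                } else if (p+0 == port+0) { print $1; exit }
            }
        }'
}

# port_action TYPE PROTO PORT: "-a" for an unlabelled port, "none" if it already
# carries TYPE, "-m" if another type owns it ("-a" would fail: already defined).
port_action() {
    owner=$(port_owner "$2" "$3")
    if [ -z "$owner" ]; then printf '%s\n' "-a"
    elif [ "$owner" = "$1" ]; then printf '%s\n' "none"
    else printf '%s\n' "-m"; fi
}

# stale_type_procs TYPE...: print "PID TYPE CMD" for processes still in any
# given type, the one case where Dan says the "became invalid" messages matter.
stale_type_procs() {
    printf '%s\n' "$PS_EZ" | awk -v types="$*" '
        BEGIN { n = split(types, t, " ") }
        NR > 1 { split($1, c, ":"); for (i = 1; i <= n; i++) if (c[3] == t[i]) print $2, c[3], $NF }'
}
action=$(port_action ssh_port_t tcp 1234)
[ "$action" = none ] || printf 'semanage port %s -t ssh_port_t -p tcp 1234\n' "$action"
stale_type_procs sandbox_t vbetool_t
```

On a real host, replace the two sample variables with `$(semanage port -l)` and `$(ps -eZ)`; the firewall-cmd step Robert mentions is still a separate change.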