[fedora-arm] semanage errors when changing ssh port Re: Fedora-Minimal-armhfp-21-20140815-sda.raw.xz problems with sshd

Robert Moskowitz rgm at htt-consult.com
Mon Aug 18 16:35:17 UTC 2014


OK.  I am running Minimal 'out of the box'.  I DID install 
tigervnc-server and policycoreutils-python and all dependencies.

# semanage port -a -t ssh_port_t -p tcp ___
[ 2043.787411] SELinux:  Permission audit_read in class capability2 not defined in policy.
[ 2043.795520] SELinux: the above unknown classes and permissions will be allowed
[ 2045.025332] SELinux:  Context unconfined_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 2047.090145] SELinux:  Context unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 2047.654731] SELinux:  Context system_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 2049.710431] SELinux:  Context system_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).

But it seems to have made the needed changes so I can SSH to my 
non-standard port.

This is a commonly done system change.  Move SSH to some other port just 
to cut down on the robot noise.  One time during this testing, I had 
port 22 open from the outside and before I could change the port number 
I had almost 600 attempted SSH logins.

On 08/16/2014 05:45 AM, Daniel J Walsh wrote:
> On 08/15/2014 03:34 PM, Robert Moskowitz wrote:
>> related, I move the sshd port, and update SELinux policy with:
>>
>> semanage port -a -t ssh_port_t -p tcp 1234
>>
>> and got the following messages:
>>
>> [ 1828.788735] SELinux:  Permission audit_read in class capability2
>> not defined in policy.
> This means you have a capability defined in policy "audit_read", which
> the kernel does not understand
>> [ 1828.796870] SELinux: the above unknown classes and permissions will
>> be allowed
>> [ 1829.450779] SELinux:  Context
>> system_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
>> [ 1831.528160] SELinux:  Context
>> system_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
>> [ 1832.890157] SELinux:  Context
>> unconfined_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
>> [ 1834.966398] SELinux:  Context
>> unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid
>> (unmapped).
> These are types that have been removed from the default packages.  So
> they were defined in the previous policy that you had in the kernel, but
> the new policy you loaded no longer has sandbox_t and vbetool_t. These
> should not be a problem
> unless you had an application running as sandbox_t or vbetool_t, most
> likely not.
>> But it seems to have worked.  That is SSH can be reached at the
>> changed port.  And yes, I also did the firewall-cmd for the new port
>> number.
>>
>>
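As an added example (my own helper, not code from the thread): the `semanage port -a` step above works only when the new port is not yet labelled. If the port is already mapped to another type, such as 80 (http_port_t) or a port inside the vnc_port_t range that the tigervnc server mentioned above uses, `-a` fails with "already defined" and `semanage port -m` is the verb to use. The `semanage port -l` listing below is constructed and abbreviated so the helper can be exercised offline; the function names are mine.

```shell
# Decide between `semanage port -a` and `semanage port -m` before relabelling
# a non-standard sshd port, by parsing the text format of `semanage port -l`.

# Constructed, abbreviated `semanage port -l` output used for the offline run.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999'

# port_type LIST PROTO PORT: print the SELinux port type that currently owns
# PROTO/PORT (single ports and ranges such as 5900-5999), or nothing.
port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) {
                    split(p, r, "-")
                    if (port+0 >= r[1]+0 && port+0 <= r[2]+0) { print $1; exit }
                } else if (p+0 == port+0) { print $1; exit }
            }
        }'
}

# semanage_verb LIST PROTO PORT: "a" (add), "m" (modify an existing label)
# or "none" (already ssh_port_t, nothing to do).
semanage_verb() {
    case "$(port_type "$1" "$2" "$3")" in
        "")         echo a ;;
        ssh_port_t) echo none ;;
        *)          echo m ;;
    esac
}

# ssh_port_plan LIST PORT: print the commands to run (after setting the Port
# line in sshd_config); printing rather than executing keeps this a dry run.
ssh_port_plan() {
    case "$(semanage_verb "$1" tcp "$2")" in
        none) echo "# tcp/$2 is already labelled ssh_port_t" ;;
        a)    echo "semanage port -a -t ssh_port_t -p tcp $2" ;;
        m)    echo "semanage port -m -t ssh_port_t -p tcp $2" ;;
    esac
    echo "firewall-cmd --permanent --add-port=$2/tcp && firewall-cmd --reload"
    echo "semanage port -l | grep '^ssh_port_t'   # confirm the label took"
}

ssh_port_plan "$SAMPLE_PORT_LIST" 1234
```

On a real host, replace `SAMPLE_PORT_LIST` with `$(semanage port -l)` and run the printed commands as root.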