Selinux: SSH broken after F-13 --> F-14 upgrade

Michal Hlavinka mhlavink at redhat.com
Tue Oct 12 17:49:41 UTC 2010


Hi all,

I've recently upgraded my system, but after that I was not able to connect through ssh. More things are wrong (from my POV):
1) SELinux blocks all nondefault ports for ssh

I have ssh configured to use a different port than 22 for security reasons and I think there are a lot of people doing that.

Question: Is it worth blocking all ports for ssh?

2) SELinux did not show any sealert warning about this. Running sealert -b shows no problem. There is one message in /var/log/messages:
kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc:  denied  { name_bind } for  pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Question: This should be reported afaik, so it's a bug, right?

3) After checking /var/log/boot.log there is "Starting ssh ... [ OK ]".
I get the same success info after "service sshd start", but an immediate "service sshd status" returns "openssh-daemon is stopped". I'm not sure if this is fixable because of all that daemonize and other stuff.

Question: What do other network daemons (httpd, ...) do? Do they start successfully (from the initscript's POV) when they can't use the configured port?

I'm really glad I've found this out before updating my headless F-12 server.

2 of 3 questions are about SELinux, ccing Dan.

Michal
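The AVC denial quoted in the mail is the usual signature of a confined daemon binding a port the SELinux policy has no label for. As an added example (not part of the thread), the script below parses that exact log line, confirms it is a name_bind denial on a generic port_t port, and derives the check and the semanage command that labels the port for sshd. The log line is embedded as constructed sample input; the commands are printed, not executed.

```shell
#!/bin/sh
# Added example, not from the original thread. Constructed sample input:
# the denial line from /var/log/messages as quoted in the mail.
AVC_LINE='kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc:  denied  { name_bind } for  pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> value of the KEY=value token (quotes stripped),
# empty when the key is absent
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | head -n 1
}

# is_unlabeled_bind LINE -> true when the denial is a name_bind and the target
# port carries only the generic port_t type, i.e. policy knows no owner for it
is_unlabeled_bind() {
    printf '%s\n' "$1" | grep -q 'avc: *denied *{ name_bind }' || return 1
    case "$(avc_field "$1" tcontext)" in
        *:port_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# port_label_fix LINE TYPE -> the semanage command that assigns TYPE to the
# denied port/protocol so the confined daemon is allowed to bind it
port_label_fix() {
    port=$(avc_field "$1" src)
    case "$(avc_field "$1" tclass)" in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) return 1 ;;
    esac
    [ -n "$port" ] || return 1
    printf 'semanage port -a -t %s -p %s %s\n' "$2" "$proto" "$port"
}

if is_unlabeled_bind "$AVC_LINE"; then
    port=$(avc_field "$AVC_LINE" src)
    echo "$(avc_field "$AVC_LINE" comm) denied bind on unlabeled port $port"
    echo "check: semanage port -l | grep -w $port"
    echo "fix:   $(port_label_fix "$AVC_LINE" ssh_port_t)"
fi
```

If the port already carries a different label, semanage reports it as already defined and the entry has to be changed with -m instead of added with -a.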

