I'm getting a denial when I attempt to use port 23 as an additional port for sshd. That makes sense. What's the best way to define alternate SSHd ports?
Arthur Pemberton wrote:
I'm getting a denial when I attempt to use port 23 as an additional port for sshd. That makes sense. What's the best way to define alternate SSHd ports?
http://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305...
Best Regards
Sebastian
On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
I'm getting a denial when I attempt to use port 23 as an additional port for sshd. That makes sense. What's the best way to define alternate SSHd ports?
semanage port -m -t ssh_port_t -p tcp 23
On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley sds@tycho.nsa.gov wrote:
On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
I'm getting a denial when I attempt to use port 23 as an additional port for sshd. That makes sense. What's the best way to define alternate SSHd ports?
semanage port -m -t ssh_port_t -p tcp 23
When trying this, I get: sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
Even after doing that, I get this on `service sshd restart`: sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
Arthur Pemberton wrote:
On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley sds@tycho.nsa.gov wrote:
On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
I'm getting a denial when I attempt to use port 23 as an additional port for sshd. That makes sense. What's the best way to define alternate SSHd ports?
semanage port -m -t ssh_port_t -p tcp 23
When trying this, I get: sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
Even after doing that, I get this on `service sshd restart`: sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
Please send the output from that command; that number is only local to your machine.
On Tue, 2008-09-30 at 08:41 -0400, Daniel J Walsh wrote:
Arthur Pemberton wrote:
On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley sds@tycho.nsa.gov wrote:
On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
I'm getting a denial when I attempt to use port 23 as an additional port for sshd. That makes sense. What's the best way to define alternate SSHd ports?
semanage port -m -t ssh_port_t -p tcp 23
When trying this, I get: sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
Even after doing that, I get this on `service sshd restart`: sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
Please send the output from that command; that number is only local to your machine.
Wondering if libsemanage does the right thing when the port already exists in the base policy, as in this case. It should override the base policy definition with the local one, but I'm not 100% sure it does.
On Mon, 2008-09-29 at 21:17 -0500, Arthur Pemberton wrote:
On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley sds@tycho.nsa.gov wrote:
On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
I'm getting a denial when I attempt to use port 23 as an additional port for sshd. That makes sense. What's the best way to define alternate SSHd ports?
semanage port -m -t ssh_port_t -p tcp 23
When trying this, I get: sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
Even after doing that, I get this on `service sshd restart`: sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
A workaround until semanage is fixed to correctly support the above would be to add a local policy module that allows sshd to bind to the telnetd port, e.g.
$ cat myssh.te
policy_module(myssh, 1.0)

require {
    type sshd_t;
    type telnetd_port_t;
}

allow sshd_t telnetd_port_t:tcp_socket name_bind;

$ make -f /usr/share/selinux/devel/Makefile myssh.pp
$ semodule -i myssh.pp
audit2allow should have yielded a similar result.
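A small checker for the situation discussed in this thread (added here; it is not from the thread or from the SELinux tools): it parses `semanage port -l` output to find which type currently owns a port, then picks `semanage port -a` for an unlabeled port versus `-m` for one the base policy already defines, as port 23 is. The listing below is a constructed sample; on a real host replace it with the command's actual output.

```shell
#!/bin/bash
# Constructed sample of `semanage port -l` output (not captured from a real host);
# on the target machine use: LISTING="$(semanage port -l)"
LISTING='SELinux Port Type               Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
telnetd_port_t                 tcp      23
vnc_port_t                     tcp      5900-5999'

# port_label PORT PROTO: print the SELinux type(s) whose definition covers PORT/PROTO.
# Handles comma-separated port lists and low-high ranges; prints nothing if unlabeled.
port_label() {
    local port="$1" proto="$2"
    printf '%s\n' "$LISTING" | awk -v port="$port" -v proto="$proto" '
        NR > 1 && $2 == proto {
            # fields 3..NF look like "80,", "81,", "9000" or "5900-5999"
            for (i = 3; i <= NF; i++) {
                item = $i; gsub(/,/, "", item)
                if (split(item, r, "-") == 2) { lo = r[1]; hi = r[2] } else { lo = hi = item }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; break }
            }
        }'
}

# semanage_action PORT PROTO WANTED_TYPE: decide which semanage verb is needed.
# A port already defined in the base policy (23 = telnetd_port_t) must be
# modified with -m; a port with no label is added with -a.
semanage_action() {
    local port="$1" proto="$2" want="$3" current
    current="$(port_label "$port" "$proto")"
    if [ -z "$current" ]; then
        echo "semanage port -a -t $want -p $proto $port"
    elif [ "$current" = "$want" ]; then
        echo "already $want"
    else
        echo "semanage port -m -t $want -p $proto $port   # currently $current"
    fi
}

semanage_action 23 tcp ssh_port_t
semanage_action 2222 tcp ssh_port_t
```

Run it before and after the change: if `port_label 23 tcp` still reports `telnetd_port_t` after `semanage port -m`, the local override did not take effect and the policy-module workaround above is the fallback.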
selinux@lists.fedoraproject.org