Selinux: SSH broken after F-13 --> F-14 upgrade

Daniel J Walsh dwalsh at redhat.com
Tue Oct 12 18:02:21 UTC 2010



On 10/12/2010 01:49 PM, Michal Hlavinka wrote:
> Hi all,
> 
> I've recently upgraded my system, but after that I was not able to connect through ssh. More things are wrong (from my POV):
> 1) SELinux blocks all non-default ports for ssh
> 
> I have ssh configured to use a different port than 22 for security reasons and I think there are a lot of people doing that.
> 
You need to tell SELinux which port to use for sshd.

semanage port -a -t sshd_port_t -p tcp 6520

> Question: Is it worth blocking all ports for ssh?
> 
> 2) SELinux did not show any sealert warning about this. Running sealert -b shows no problem. There is one message in /var/log/messages:
> kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc:  denied  { name_bind } for  pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> 
> Question: This should be reported afaik, so it's a bug, right?
> 
No. A hacker gets some control over ssh and is able to make it bind to
port 80; now he can read apache content.

> 3) After checking /var/log/boot.log there is "Starting ssh ... [ OK ]".
> I get the same success info after "service sshd start", but an immediate "service sshd status" returns "openssh-daemon is stopped", but I'm not sure if this is fixable because of all that daemonize and other stuff.
> 
> Question: What do other network daemons (httpd, ...) do? Do they start successfully (from the initscript's POV) when they can't use the configured port?
> 
> I'm really glad I've found this out before updating my headless F-12 server. 
> 
> 2 of 3 questions are about SELinux, ccing Dan.
> 
> Michal

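An added helper, not part of the thread, that turns an AVC name_bind denial like the one Michal quoted into the port-labelling command Dan describes, or reports that the port is already labelled for that daemon (in which case the denial has another cause). The sample denial and the stand-in for `semanage port -l` output are constructed; the type names are Fedora's real port types, and note that sshd's type is ssh_port_t (Dan's one-liner spells it sshd_port_t).

```shell
#!/bin/sh
# Added example (not from the thread): turn an AVC name_bind denial into the
# semanage command that labels the port, or report that it is already labelled.
# Constructed sample denial, modelled on the line Michal quoted.
AVC_LINE='kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc:  denied  { name_bind } for  pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Constructed stand-in for `semanage port -l` output: type, protocol, port list.
SEMANAGE_PORTS='ssh_port_t                     tcp      22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
vnc_port_t                     tcp      5900-5999'

# avc_field LINE KEY: print the value of KEY=... from the AVC line, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# port_labelled PORTS TYPE PROTO PORT: succeed if PORT is in TYPE's PROTO list
# (comma-separated entries and low-high ranges are both understood).
port_labelled() {
    printf '%s\n' "$1" | awk -v t="$2" -v p="$3" -v port="$4" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                if (split($i, r, "-") == 2) {
                    if (port >= r[1] + 0 && port <= r[2] + 0) found = 1
                } else if ($i + 0 == port + 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# suggest_fix LINE: print the labelling command for the denied port, or say the
# port is already labelled for that daemon (then the denial has another cause).
suggest_fix() {
    comm=$(avc_field "$1" comm)
    port=$(avc_field "$1" src)
    proto=$(avc_field "$1" tclass | sed 's/_socket$//')   # tcp_socket -> tcp
    case "$comm" in
        sshd)  ptype=ssh_port_t ;;    # Fedora's port type for sshd (the reply spells it sshd_port_t)
        httpd) ptype=http_port_t ;;
        *)     ptype="<port type for $comm>" ;;
    esac
    if port_labelled "$SEMANAGE_PORTS" "$ptype" "$proto" "$port"; then
        echo "port $port/$proto is already labelled $ptype"
    else
        echo "semanage port -a -t $ptype -p $proto $port"
    fi
}

suggest_fix "$AVC_LINE"   # prints: semanage port -a -t ssh_port_t -p tcp 6520
```

On a real box, replace SEMANAGE_PORTS with the output of `semanage port -l` and AVC_LINE with the denial from the audit log.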