Selinux: SSH broken after F-13 --> F-14 upgrade
Daniel J Walsh
dwalsh at redhat.com
Tue Oct 12 18:02:21 UTC 2010
On 10/12/2010 01:49 PM, Michal Hlavinka wrote:
> Hi all,
>
> I've recently upgraded my system, but after that I was not able to connect through ssh. More things are wrong (from my POV):
> 1)SELinux blocks all nondefault ports for ssh
>
> I have ssh configured to use a different port than 22 for security reasons and I think there are a lot of people doing that.
>
You need to tell SELinux which port to use for sshd.
semanage port -a -t sshd_port_t -p tcp 6520
> Question: Is it worth blocking all ports for ssh?
>
> 2)SELinux did not show any sealert warning about this. Running sealert -b shows no problem. There is one message in /var/log/messages:
> kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc: denied { name_bind } for pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> Question: This should be reported afaik, so it's a bug, right?
>
No. A hacker gets some control over ssh and is able to make it bind to
port 80, and now he can read apache content.
> 3)After checking /var/log/boot.log there is "Starting ssh ... [ OK ]".
> I get the same success info after "service sshd start", but an immediate "service sshd status" returns "openssh-daemon is stopped". I'm not sure if this is fixable because of all that daemonize and other stuff.
>
> Question: What do other network daemons (httpd, ...) do? Do they start successfully (from the initscript's POV) when they can't use the configured port?
>
> I'm really glad I've found this out before updating my headless F-12 server.
>
> 2 of 3 questions are about SELinux, ccing Dan.
>
> Michal
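As an added example (not code from the thread, from Fedora, or from the SELinux tools), here is a POSIX shell script that reads a name_bind AVC denial like the one Michal quoted and prints the semanage port command Dan's reply calls for. The sample log line is constructed after the one in the thread, and the mapping from the source domain to its port type (sshd_t to sshd_port_t) is an assumption; other domains would need their own entries. It also checks the target port's current label: a port of generic type port_t can be added with -a, while a port that policy already labels (http_port_t, for example) has to be modified with -m.

```shell
#!/bin/sh
# Added example, not from the original thread: turn a name_bind AVC denial
# into the semanage port command that labels the port for the daemon.

# Constructed sample modelled on the denial quoted in the thread.
SAMPLE_AVC='kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc: denied { name_bind } for pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: print the value of " KEY=VALUE" in LINE, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr -d '"' | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# avc_is_name_bind LINE: succeed only for a name_bind denial.
# The kernel prints "denied  { name_bind }" (two spaces); the pattern accepts both.
avc_is_name_bind() {
    case "$1" in
        *'avc: denied'*'{ name_bind }'*) return 0 ;;
        *) return 1 ;;
    esac
}

# domain_port_type DOMAIN: port type for a source domain.
# Assumption: only the sshd case from the thread is mapped here.
domain_port_type() {
    case "$1" in
        sshd_t) printf 'sshd_port_t\n' ;;
        *) return 1 ;;
    esac
}

# suggest_port_fix LINE: print the semanage command for the denied bind,
# or print nothing and fail if the line is not a name_bind we can map.
suggest_port_fix() {
    line=$1
    avc_is_name_bind "$line" || return 1

    port=$(avc_field "$line" src)
    tclass=$(avc_field "$line" tclass)
    domain=$(avc_field "$line" scontext | cut -d: -f3)      # e.g. sshd_t
    cur_type=$(avc_field "$line" tcontext | cut -d: -f3)    # e.g. port_t

    case "$tclass" in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) return 1 ;;
    esac

    ptype=$(domain_port_type "$domain") || return 1

    # port_t means the port has no specific label yet, so it can be added.
    # Any other type is already defined by policy and must be modified instead.
    if [ "$cur_type" = port_t ]; then
        action=-a
    else
        action=-m
    fi

    printf 'semanage port %s -t %s -p %s %s\n' "$action" "$ptype" "$proto" "$port"
}

# Stand-alone run: show the command for the constructed sample.
suggest_port_fix "$SAMPLE_AVC"
```

In practice the line would be fed from /var/log/messages or audit.log (for example `grep name_bind /var/log/audit/audit.log | while read -r l; do suggest_port_fix "$l"; done`), and after running the printed command `semanage port -l | grep sshd_port_t` confirms the new label before sshd is restarted.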