Selinux: SSH broken after F-13 --> F-14 upgrade
Michal Hlavinka
mhlavink at redhat.com
Tue Oct 12 18:10:46 UTC 2010
----- "Daniel J Walsh" <dwalsh at redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/12/2010 01:49 PM, Michal Hlavinka wrote:
> > Hi all,
> >
> > I've recently upgraded my system, but after that I was not able to
> connect through ssh. More things are wrong (from my POV):
> > 1)SELinux blocks all nondefault ports for ssh
> >
> > I have ssh confugured to use different port than 22 for security
> reasons and I think there is a lot of people doing that.
> >
> You need to tell SELinux which port to use for sshd.
>
> semanage port -a -t sshd_port_t -p tcp 6520
>
> > Question: Is it worth blocking all ports for ssh?
> >
> > 2)SELinux did not show any sealert warning about this. Running
> sealert -b shows no problem. There is one message in
> /var/log/messages:
> > kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc:
> denied { name_bind } for pid=6830 comm="sshd" src=6520
> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> >
> > Question: This should be reported afaik, so it's a bug, right?
> >
> No. Hacker gets some control over ssh and is able to make it bind to
> port 80, now he can read apache content.
"this should be reported, so it's a bug?" was related to sealert should show this denial in systray or at least in sealert -b window. Or this denial should be really more silent compared to others reported by sealert?
More information about the devel
mailing list