Selinux: SSH broken after F-13 --> F-14 upgrade

Daniel J Walsh dwalsh at redhat.com
Tue Oct 12 18:48:00 UTC 2010



On 10/12/2010 02:10 PM, Michal Hlavinka wrote:
> 
> ----- "Daniel J Walsh" <dwalsh at redhat.com> wrote:
> 
>>
>> On 10/12/2010 01:49 PM, Michal Hlavinka wrote:
>>> Hi all,
>>>
>>> I've recently upgraded my system, but after that I was not able to
>>> connect through ssh. More things are wrong (from my POV):
>>> 1)SELinux blocks all nondefault ports for ssh
>>>
>>> I have ssh configured to use a different port than 22 for security
>>> reasons and I think there are a lot of people doing that.
>>>
>> You need to tell SELinux which port to use for sshd.
>>
>> semanage port -a -t sshd_port_t -p tcp 6520
>>
>>> Question: Is it worth blocking all ports for ssh?
>>>
>>> 2)SELinux did not show any sealert warning about this. Running
>>> sealert -b shows no problem. There is one message in
>>> /var/log/messages:
>>> kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc:
>>> denied  { name_bind } for  pid=6830 comm="sshd" src=6520
>>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>>> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>>>
>>> Question: This should be reported afaik, so it's a bug, right?
>>>
>> No.  Hacker gets some control over ssh and is able to make it bind to
>> port 80, now he can read apache content.
> 
> "this should be reported, so it's a bug?" was related to this: sealert should show this denial in the systray, or at least in the sealert -b window. Or should this denial really be more silent compared to the others reported by sealert?

I have no idea why this would not have shown up in the system tray as a bug.
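The exchange above boils down to one procedure: read the name_bind denial, work out which port type the confined domain is allowed to bind, and label the port with semanage. The script below is an added example for this thread, not code from the list or from Fedora. It parses the AVC line quoted above (joined onto one line as a constructed sample), derives the semanage command, and first checks a constructed `semanage port -l` listing so that it refuses to relabel a port that already belongs to another service's type, which is exactly the situation the reply about sshd binding port 80 describes. One assumption to note: the reply writes the type as sshd_port_t, while the port type the reference policy defines for ssh is ssh_port_t (verify on your system with `semanage port -l | grep ssh`); the script uses ssh_port_t, and its domain-to-port-type table only knows the sshd_t case from this thread.

```shell
#!/bin/sh
# Added example (not from the thread): derive the semanage command from an
# AVC name_bind denial, and refuse when the port already belongs to another
# service's port type. Assumption: the ssh port type is ssh_port_t (the
# reply above writes sshd_port_t); verify with `semanage port -l | grep ssh`.

# Constructed sample: the denial quoted above, joined onto one line.
SAMPLE_AVC='kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc:  denied  { name_bind } for  pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Constructed sample of `semanage port -l` output (abridged; the port
# numbers are illustrative, not copied from any policy).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999'

# Print "comm port proto domain" for a name_bind denial; return 1 otherwise.
parse_name_bind() {
    case "$1" in
        *'{ name_bind }'*) ;;
        *) return 1 ;;
    esac
    comm=$(printf '%s\n' "$1" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
    port=$(printf '%s\n' "$1" | sed -n 's/.* src=\([0-9][0-9]*\).*/\1/p')
    # the third field of scontext (user:role:type:...) is the domain
    domain=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    proto=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([a-z]*\)_socket.*/\1/p')
    [ -n "$comm" ] && [ -n "$port" ] && [ -n "$domain" ] && [ -n "$proto" ] || return 1
    printf '%s %s %s %s\n' "$comm" "$port" "$proto" "$domain"
}

# Map a confined domain to the port type it is allowed to name_bind.
# Only the case from the thread is known here; extend the table as needed.
port_type_for_domain() {
    case "$1" in
        sshd_t) echo ssh_port_t ;;
        *) return 1 ;;
    esac
}

# Print the port type that a `semanage port -l` listing on stdin assigns to
# port $2 over protocol $1; print nothing if it is unlisted (generic port_t).
# Handles single ports and inclusive ranges such as 5900-5999.
owner_of() {
    awk -v p="$1" -v n="$2" '
        $2 == p {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)
                if (f ~ /^[0-9]+-[0-9]+$/) { split(f, r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = f + 0; hi = lo }
                if (n + 0 >= lo && n + 0 <= hi) { print $1; exit }
            }
        }'
}

# $1: AVC line, $2: semanage listing. Print the remediation command, or an
# explanation and return 1 when adding the label is wrong or unnecessary.
suggest_fix() {
    listing=$2
    fields=$(parse_name_bind "$1") || { echo "not a name_bind denial"; return 1; }
    set -- $fields   # comm port proto domain
    ptype=$(port_type_for_domain "$4") || { echo "no port type known for $4"; return 1; }
    owner=$(printf '%s\n' "$listing" | owner_of "$3" "$2")
    if [ "$owner" = "$ptype" ]; then
        echo "port $2/$3 is already $ptype; the denial has another cause"
        return 1
    elif [ -n "$owner" ]; then
        echo "port $2/$3 is $owner: relabeling it $ptype would let $1 bind a port reserved for another service; pick another port"
        return 1
    fi
    echo "semanage port -a -t $ptype -p $3 $2"
}

# Stand-alone run on the constructed samples.
suggest_fix "$SAMPLE_AVC" "$SAMPLE_PORTS"
```

On a live system the denial comes from `ausearch -m avc -c sshd` (or the audit line in /var/log/messages, as in the thread) and the listing from `semanage port -l`. `semanage port -a` fails when the port is already assigned to a type; `-m` would move it, but as the script's refusal path shows, that is the case where you should change sshd's port instead of widening what sshd_t may bind.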

