Selinux: SSH broken after F-13 --> F-14 upgrade
Daniel J Walsh
dwalsh at redhat.com
Wed Oct 13 14:14:15 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/12/2010 05:51 PM, yersinia wrote:
> On Tue, Oct 12, 2010 at 8:02 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 10/12/2010 01:49 PM, Michal Hlavinka wrote:
>>> Hi all,
>>>
>>> I've recently upgraded my system, but after that I was not able to connect through ssh. More things are wrong (from my POV):
>>> 1)SELinux blocks all nondefault ports for ssh
>>>
>>> I have ssh confugured to use different port than 22 for security reasons and I think there is a lot of people doing that.
>>>
>> You need to tell SELinux which port to use for sshd.
>>
>> semanage port -a -t sshd_port_t -p tcp 6520
>>
>>> Question: Is it worth blocking all ports for ssh?
>>>
>>> 2)SELinux did not show any sealert warning about this. Running sealert -b shows no problem. There is one message in /var/log/messages:
>>> kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc: denied { name_bind } for pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>>>
>>> Question: This should be reported afaik, so it's a bug, right?
>>>
>> No. Hacker gets some control over ssh and is able to make it bind to
>> port 80, now he can read apache content.
> Hmmm, it is enough that sshd bind to port 80 to access the files of
> apache? it seems strange. am i missing something in the TE rule?
No but it could interecept traffic intended for the apache server on the
machine. The problem here is the ability to impersonate other apps.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAky1vrcACgkQrlYvE4MpobN1tACgsEoiIXJjBxIYAGb+bIdIE9C9
QT0An3wn9ulywqjGJmQdFyyk5uUeP0tb
=+8Gv
-----END PGP SIGNATURE-----
More information about the devel
mailing list