Sharing a network port between types

Tim Verhoeven tim.verhoeven.be at gmail.com
Thu Jun 27 11:06:37 UTC 2013


Hello,

I'm having an interesting SELinux problem that I can't figure out how to solve.

The context:

This is on a server running in our DMZ and it is providing file
transfer services to our client using different protocols. The machine
has a system IP and a service IP. The service IP is used to receive
all customer traffic (an external IP is NAT'ed to the service IP by the
firewall). The system IP is used by us to do all management.

We first set up FTPS access over the regular FTP ports, but as most of
you know FTP is not the most firewall friendly protocol because of the
need for a separate data channel, and using encryption prevents
firewalls from opening up the needed port automatically.

So we also started to set up SFTP access to the same repository. We
initially tried to do this using the regular OpenSSH setup, but the
way OpenSSH does chroot'ing (we enable chroot in all setups) is not
compatible with the way we have set up our data repository. So we
switched to using ProFTPD for the SFTP service.

This of course means that we have bound OpenSSH to the internal system
IP on port 22 and ProFTPD to the service IP, also on port 22.

The problem:

The problem is that I cannot get SELinux to allow the use of port 22
by these 2 daemons which run under different types (sshd_t & ftpd_t).

I can use the semanage command to allow one type to use port 22, but
not both at the same time. I use this command:

semanage port -m -t ssh_port_t -p tcp 22

Since this is a system accessible on the internet and because of the
protocols used I of course do not want to disable SELinux here.

So how can I allow SELinux to let both openssh and proftpd use port 22
at the same time?

Thank you,
Tim


--
Tim Verhoeven - tim.verhoeven.be at gmail.com - 0479 / 88 11 83

Hoping the problem magically goes away by ignoring it is the
"microsoft approach to programming" and should never be allowed.
(Linus Torvalds)
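As an added example (not part of Tim's message or of the SELinux reference policy), the usual way to let a second domain bind a port that is already labelled for another daemon: leave TCP/22 labelled ssh_port_t and install a small local policy module granting ftpd_t name_bind on that type, rather than relabelling the port with semanage port -m, which can only give the port one type. The module name ftpd_ssh_port is an assumption, as is that the loaded policy defines the types ftpd_t and ssh_port_t under those exact names.

```shell
#!/bin/sh
# Added example: allow a second SELinux domain to bind a port type that
# already labels TCP/22, without changing the port's label.
# Assumptions (not from the post): module name "ftpd_ssh_port"; the policy
# defines ftpd_t and ssh_port_t under these names.

# Emit policy module source (.te) letting DOMAIN name_bind PORT_TYPE.
gen_te_module() {
    domain="$1"; port_type="$2"; modname="$3"
    cat <<EOF
module ${modname} 1.0;

require {
    type ${domain};
    type ${port_type};
    class tcp_socket name_bind;
}

# Let ${domain} bind listening sockets to ports labelled ${port_type}.
allow ${domain} ${port_type}:tcp_socket name_bind;
EOF
}

# Compile and load MODNAME.te; returns 2 when the SELinux toolchain is absent.
install_te_module() {
    modname="$1"
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not found; nothing installed" >&2
        return 2
    fi
    checkmodule -M -m -o "${modname}.mod" "${modname}.te" &&
    semodule_package -o "${modname}.pp" -m "${modname}.mod" &&
    semodule -i "${modname}.pp"
}

# Check which port type labels 22 and whether DOMAIN may now bind PORT_TYPE.
verify_port_access() {
    semanage port -l | grep -w 22
    sesearch -A -s "$1" -t "$2" -c tcp_socket -p name_bind
}

# Usage on the server:
#   gen_te_module ftpd_t ssh_port_t ftpd_ssh_port > ftpd_ssh_port.te
#   install_te_module ftpd_ssh_port && verify_port_access ftpd_t ssh_port_t
```

After loading, sshd keeps its own ssh_port_t permission and ProFTPD gets exactly one extra permission, name_bind on ssh_port_t; everything else in ftpd_t stays as confined as before.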

