need howto for SELinux config--ssh on non-standard port
Daniel J Walsh
dwalsh at redhat.com
Thu Jan 21 13:05:07 UTC 2010
On 01/20/2010 11:35 PM, John Poelstra wrote:
> Daniel J Walsh said the following on 01/20/2010 11:26 AM Pacific Time:
>> On 01/19/2010 05:28 PM, John Poelstra wrote:
>>> Daniel J Walsh said the following on 01/07/2010 05:23 AM Pacific Time:
>>>> On 01/06/2010 09:29 PM, John Poelstra wrote:
>>>>> I'm running sshd on a high (>1024) port number and cannot find a clear
>>>>> step by step guide for configuring this correctly on Fedora 12 on
>>>>> google.... I've come across lots of random bugs and forum questions, but
>>>>> nothing that starts at the beginning of the process through the end.
>>>>>
>>>>> I'm a total SELinux newbie and usually just disable itall together when
>>>>> things like this happen. I'm trying to change my ways :) Can anyone
>>>>> provide any URLs or the steps?
>>>>>
>>>>> If someone can provide the steps here I'll blog about it to get it
>>>>> documented so others do not have to suffer the same fate.
>>>>>
>>>>> Thanks,
>>>>> John
>>>>>
>>>>
>>>> http://docs.fedoraproject.org/selinux-managing-confined-services-guide/en-US/F11/html/sect-Managing_Confined_Services-Configuration_examples-Changing_port_numbers.html
>>>>
>>>> If the avc is for an undefined port "port_t" then you can do the command
>>>>
>>>> # semanage port -a -t ssh_port_t PORTNUM
>>>>
>>>> If you are listing to a defined port NAME_port_t, then you need to load a custom policy module
>>>>
>>>> # grep ssh /var/log/audit/audit.log | audit2allow -m myssh
>>>> # semodule -i myssh.pp
>>>
>>> Still having problems
>>>
>>> # grep ssh /var/log/audit/audit.log | audit2allow -m myssh
>>>
>>> module myssh 1.0;
>>>
>>> # cat mySshdPort.te
>>>
>>> module mySshdPort 1.0;
>>>
>>> # semodule -i myssh.pp
>>> semodule: Failed on myssh.pp!
>>>
>>> --------------------------------
>>>
>>> Considering all the data /var/log/audit/audit.log, how does
>>> 'audit2allow' know to select the right data from the mass being piped to to?
>>>
>>> Thanks,
>>> John
>>>
>>>
>>>
>>>
>>>
>>>
>> That is because it is not finding any AVC messages?
>
> Where else should I be looking?
>
> It is very clear that I can log in remotely on the non-standard port w/
> selinux disabled and that it will not work when selinux is enabled.
>
> John
ausearch -m avc -ts today
Should show you all of the AVC messages that you received today. If you are using auditing.
ausearch -m avc
Will show you all avc's that your system has logged
ausearch -m avc | audit2allow
Will give you the audit rules.
If you have been in permissive mode for a while, the log messages might have disappeared.
setenforce 1
setenforce 0
Will cause avc messages to show up again.
More information about the users
mailing list