[CentOS] Running SSH on a different port (with SELinux)

Ned Slider ned at unixmail.co.uk
Sun Oct 25 20:06:58 UTC 2009


Jorge Fábregas wrote:
> Hello everyone,
> 
> Now after the recent discussion on running SSH on a different port,  I decided 
> to start a new thread but with SELinux involved.
> 
> Assuming that you have SELinux enabled, and that you changed the default port 
> for SSHD, let say for 1234, when I restart SSHD I don't get any AVC denials.
> 
> This is the output of:  semanage -l port | grep ssh  
> ssh_port_t                     tcp      22
> 
> I thought (based on previous SELinux readings) that in order to allow SSHD on 
> a non-default port you needed to:
> 
> semanage port -a -t ssh_port_t -p tcp 1234
> 
> That was the theory I read :) Now in practice it seems it is not implemented 
> yet, or at least by the time RHEL5 came out. Does anyone knows?
> 

The SSH daemon runs as an unconfined service in SELinux (at least on 
RHEL4 and 5), so SELinux has no effect on SSH. Same as a bash shell runs 
unconfined.






More information about the CentOS mailing list