Hello everyone,
Now after the recent discussion on running SSH on a different port, I decided to start a new thread but with SELinux involved.
Assuming that you have SELinux enabled and that you changed the default port for SSHD, let's say to 1234: when I restart SSHD I don't get any AVC denials.
This is the output of:
# semanage port -l | grep ssh
ssh_port_t                     tcp      22
I thought (based on previous SELinux readings) that in order to allow SSHD on a non-default port you needed to:
semanage port -a -t ssh_port_t -p tcp 1234
That was the theory I read :) Now in practice it seems it is not implemented yet, or at least it wasn't by the time RHEL5 came out. Does anyone know?
All the best, Jorge
Jorge Fábregas wrote:
> Hello everyone,
> Now after the recent discussion on running SSH on a different port, I decided to start a new thread but with SELinux involved.
> Assuming that you have SELinux enabled and that you changed the default port for SSHD, let's say to 1234: when I restart SSHD I don't get any AVC denials.
> This is the output of:
> # semanage port -l | grep ssh
> ssh_port_t                     tcp      22
> I thought (based on previous SELinux readings) that in order to allow SSHD on a non-default port you needed to:
> semanage port -a -t ssh_port_t -p tcp 1234
> That was the theory I read :) Now in practice it seems it is not implemented yet, or at least it wasn't by the time RHEL5 came out. Does anyone know?
The SSH daemon runs as an unconfined service in SELinux (at least on RHEL4 and 5), so SELinux has no effect on SSH. Same as a bash shell runs unconfined.
On Sunday 25 October 2009 03:06:58 pm Ned Slider wrote:
> The SSH daemon runs as an unconfined service in SELinux (at least on RHEL4 and 5), so SELinux has no effect on SSH. Same as a bash shell runs unconfined.
Thanks Ned! That's it. I missed the following check:
# ps -eZ | grep sshd
root:system_r:unconfined_t:SystemLow-SystemHigh 6161 ?        00:00:00 sshd
It clearly shows "unconfined_t" for sshd.
Thanks again!
All the best, Jorge
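The two checks that settled this thread, Ned's point that sshd's SELinux domain decides whether port labelling matters at all, and Jorge's `ps -eZ` look at that domain, can be combined into one read-only script. The following is an added example, not code posted by Jorge, Ned or the distribution; it parses `ps -eZ` and `semanage port -l` output in the formats shown above and says whether `semanage port -a -t ssh_port_t -p tcp PORT` is needed. The sample outputs embedded in it are constructed (the "2200-2299" range in particular is assumed, only to exercise the range parser), and the script name `ssh_port_check.sh` is hypothetical.

```bash
#!/bin/bash
# Added example for this thread (not code posted by Jorge or Ned).
# Parses the two commands discussed above, `ps -eZ` and `semanage port -l`,
# and decides whether `semanage port -a -t ssh_port_t -p tcp PORT` is needed.
# The sample outputs below are constructed to match the formats in the thread.

# Constructed `ps -eZ` lines: the RHEL 5 style unconfined case from the
# thread, and a confined variant as seen where sshd runs in the sshd_t domain.
SAMPLE_PS_UNCONFINED='root:system_r:unconfined_t:SystemLow-SystemHigh 6161 ?        00:00:00 sshd'
SAMPLE_PS_CONFINED='system_u:system_r:sshd_t:s0-s0:c0.c1023 2312 ?        00:00:00 sshd'

# Constructed `semanage port -l` output (with its header line). The second
# listing adds a port range (assumed, not from the thread) to show that the
# parser handles "lo-hi" tokens as well as comma-separated single ports.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
ssh_port_t                     tcp      22'
SAMPLE_PORTS_RANGE='ssh_port_t                     tcp      22, 2200-2299'

# sshd_type: read `ps -eZ` output on stdin and print the SELinux type (third
# colon-separated field of the context) of the first sshd process found.
sshd_type() {
    awk '$NF == "sshd" { split($1, ctx, ":"); print ctx[3]; exit }'
}

# port_labeled TYPE PROTO PORT: read `semanage port -l` output on stdin and
# exit 0 if PORT/PROTO is covered by TYPE, handling comma lists and ranges.
port_labeled() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            for (i = 3; i <= NF; i++) {
                tok = $i; sub(/,$/, "", tok)          # strip trailing comma
                n = split(tok, r, "-")                 # "22" or "2200-2299"
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# ssh_port_verdict PS_OUTPUT SEMANAGE_OUTPUT PORT: print one of
#   unconfined  - sshd runs as unconfined_t, so SELinux does not police its ports
#   labeled     - sshd is confined and PORT already carries ssh_port_t
#   needs-label - sshd is confined and PORT must be added to ssh_port_t
ssh_port_verdict() {
    local ps_out="$1" sem_out="$2" port="$3" t
    t=$(printf '%s\n' "$ps_out" | sshd_type)
    if [ "$t" = "unconfined_t" ]; then
        echo unconfined
    elif printf '%s\n' "$sem_out" | port_labeled ssh_port_t tcp "$port"; then
        echo labeled
    else
        echo needs-label
    fi
}

# fix_command PORT: the command from the original post, printed rather than
# run so the script stays read-only; run it by hand as root when needed.
fix_command() {
    echo "semanage port -a -t ssh_port_t -p tcp $1"
}

# Live mode: `./ssh_port_check.sh 1234` on a host where semanage is installed.
if [ -n "$1" ] && command -v semanage >/dev/null 2>&1; then
    verdict=$(ssh_port_verdict "$(ps -eZ)" "$(semanage port -l)" "$1")
    echo "sshd SELinux check for tcp/$1: $verdict"
    if [ "$verdict" = "needs-label" ]; then fix_command "$1"; fi
fi
```

Run against the constructed RHEL 5 sample the verdict is "unconfined", which is exactly why Jorge saw no AVC denials on port 1234: with sshd in unconfined_t there is nothing for the port label to gate. On releases where sshd runs in the confined sshd_t domain (RHEL 6 and later), the same script reports "needs-label" for an unlabelled port, and the `semanage port -a` line from the original post is the fix. If the port is already assigned to some other type, `semanage port -a` refuses it and `semanage port -m -t ssh_port_t -p tcp PORT` is the command to modify the existing assignment instead.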