Old 10-12-2010, 05:49 PM
Michal Hlavinka
 
Selinux: SSH broken after F-13 --> F-14 upgrade

Hi all,

I've recently upgraded my system, but after that I was not able to connect through ssh. More things are wrong (from my POV):
1) SELinux blocks all nondefault ports for ssh

I have ssh configured to use a different port than 22 for security reasons and I think there are a lot of people doing that.

Question: Is it worth blocking all ports for ssh?

2) SELinux did not show any sealert warning about this. Running sealert -b shows no problem. There is one message in /var/log/messages:
kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc: denied { name_bind } for pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Question: This should be reported afaik, so it's a bug, right?

3) After checking /var/log/boot.log there is "Starting ssh ... [ OK ]".
I get the same success info after "service sshd start", but an immediate "service sshd status" returns "openssh-daemon is stopped". I'm not sure if this is fixable because of all that daemonize and other stuff.

Question: What do other network daemons (httpd, ...) do? Do they start successfully (from the initscript's POV) when they can't use the configured port?

I'm really glad I've found this out before updating my headless F-12 server.

2 of 3 questions are about SELinux, ccing Dan.

Michal
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 10-12-2010, 06:02 PM
Daniel J Walsh
 

On 10/12/2010 01:49 PM, Michal Hlavinka wrote:
> Hi all,
>
> I've recently upgraded my system, but after that I was not able to connect through ssh. More things are wrong (from my POV):
> 1) SELinux blocks all nondefault ports for ssh
>
> I have ssh configured to use a different port than 22 for security reasons and I think there are a lot of people doing that.
>
You need to tell SELinux which port to use for sshd.

semanage port -a -t sshd_port_t -p tcp 6520

> Question: Is it worth blocking all ports for ssh?
>
> 2) SELinux did not show any sealert warning about this. Running sealert -b shows no problem. There is one message in /var/log/messages:
> kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc: denied { name_bind } for pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> Question: This should be reported afaik, so it's a bug, right?
>
No. A hacker gets some control over ssh and is able to make it bind to
port 80; now he can read apache content.
> 3) After checking /var/log/boot.log there is "Starting ssh ... [ OK ]".
> I get the same success info after "service sshd start", but an immediate "service sshd status" returns "openssh-daemon is stopped". I'm not sure if this is fixable because of all that daemonize and other stuff.
>
> Question: What do other network daemons (httpd, ...) do? Do they start successfully (from the initscript's POV) when they can't use the configured port?
>
> I'm really glad I've found this out before updating my headless F-12 server.
>
> 2 of 3 questions are about SELinux, ccing Dan.
>
> Michal

 
Old 10-12-2010, 06:10 PM
Michal Hlavinka
 

----- "Daniel J Walsh" <dwalsh@redhat.com> wrote:

> On 10/12/2010 01:49 PM, Michal Hlavinka wrote:
> > Hi all,
> >
> > I've recently upgraded my system, but after that I was not able to
> connect through ssh. More things are wrong (from my POV):
> > 1) SELinux blocks all nondefault ports for ssh
> >
> > I have ssh configured to use a different port than 22 for security
> reasons and I think there are a lot of people doing that.
> >
> You need to tell SELinux which port to use for sshd.
>
> semanage port -a -t sshd_port_t -p tcp 6520
>
> > Question: Is it worth blocking all ports for ssh?
> >
> > 2) SELinux did not show any sealert warning about this. Running
> sealert -b shows no problem. There is one message in
> /var/log/messages:
> > kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc:
> denied { name_bind } for pid=6830 comm="sshd" src=6520
> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> >
> > Question: This should be reported afaik, so it's a bug, right?
> >
> No. A hacker gets some control over ssh and is able to make it bind to
> port 80; now he can read apache content.

"This should be reported, so it's a bug?" was about sealert, which should show this denial in the systray or at least in the sealert -b window. Or should this denial really be more silent compared to the others reported by sealert?
 
Old 10-12-2010, 06:48 PM
Daniel J Walsh
 

On 10/12/2010 02:10 PM, Michal Hlavinka wrote:
>
> ----- "Daniel J Walsh" <dwalsh@redhat.com> wrote:
>
>> On 10/12/2010 01:49 PM, Michal Hlavinka wrote:
>>> Hi all,
>>>
>>> I've recently upgraded my system, but after that I was not able to
>> connect through ssh. More things are wrong (from my POV):
>>> 1) SELinux blocks all nondefault ports for ssh
>>>
>>> I have ssh configured to use a different port than 22 for security
>> reasons and I think there are a lot of people doing that.
>>>
>> You need to tell SELinux which port to use for sshd.
>>
>> semanage port -a -t sshd_port_t -p tcp 6520
>>
>>> Question: Is it worth blocking all ports for ssh?
>>>
>>> 2) SELinux did not show any sealert warning about this. Running
>> sealert -b shows no problem. There is one message in
>> /var/log/messages:
>>> kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc:
>> denied { name_bind } for pid=6830 comm="sshd" src=6520
>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>>>
>>> Question: This should be reported afaik, so it's a bug, right?
>>>
>> No. A hacker gets some control over ssh and is able to make it bind to
>> port 80; now he can read apache content.
>
> "This should be reported, so it's a bug?" was about sealert, which should show this denial in the systray or at least in the sealert -b window. Or should this denial really be more silent compared to the others reported by sealert?

I have no idea why this would not have shown up in the system tray as a bug.
 
Old 10-12-2010, 06:52 PM
Michael Schwendt
 

On Tue, 12 Oct 2010 13:49:41 -0400 (EDT), Michal wrote:

> Hi all,
>
> I've recently upgraded my system, but after that I was not able to connect through ssh. More things are wrong (from my POV):
> 1) SELinux blocks all nondefault ports for ssh
>
> I have ssh configured to use a different port than 22 for security reasons and I think there are a lot of people doing that.
>
> Question: Is it worth blocking all ports for ssh?
>
> 2) SELinux did not show any sealert warning about this.

Here it did. For port 8080. And it suggested running
"setsebool -P sshd_forward_ports 1" as a work-around.
 
Old 10-12-2010, 09:51 PM
yersinia
 

On Tue, Oct 12, 2010 at 8:02 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 10/12/2010 01:49 PM, Michal Hlavinka wrote:
>> Hi all,
>>
>> I've recently upgraded my system, but after that I was not able to connect through ssh. More things are wrong (from my POV):
>> 1) SELinux blocks all nondefault ports for ssh
>>
>> I have ssh configured to use a different port than 22 for security reasons and I think there are a lot of people doing that.
>>
> You need to tell SELinux which port to use for sshd.
>
> semanage port -a -t sshd_port_t -p tcp 6520
>
>> Question: Is it worth blocking all ports for ssh?
>>
>> 2) SELinux did not show any sealert warning about this. Running sealert -b shows no problem. There is one message in /var/log/messages:
>> kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc: denied { name_bind } for pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>>
>> Question: This should be reported afaik, so it's a bug, right?
>>
> No. A hacker gets some control over ssh and is able to make it bind to
> port 80; now he can read apache content.
Hmmm, is it enough that sshd binds to port 80 to access the files of
apache? It seems strange. Am I missing something in the TE rule?
 
Old 10-13-2010, 02:14 PM
Daniel J Walsh
 

On 10/12/2010 05:51 PM, yersinia wrote:
> On Tue, Oct 12, 2010 at 8:02 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> On 10/12/2010 01:49 PM, Michal Hlavinka wrote:
>>> Hi all,
>>>
>>> I've recently upgraded my system, but after that I was not able to connect through ssh. More things are wrong (from my POV):
>>> 1) SELinux blocks all nondefault ports for ssh
>>>
>>> I have ssh configured to use a different port than 22 for security reasons and I think there are a lot of people doing that.
>>>
>> You need to tell SELinux which port to use for sshd.
>>
>> semanage port -a -t sshd_port_t -p tcp 6520
>>
>>> Question: Is it worth blocking all ports for ssh?
>>>
>>> 2) SELinux did not show any sealert warning about this. Running sealert -b shows no problem. There is one message in /var/log/messages:
>>> kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc: denied { name_bind } for pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>>>
>>> Question: This should be reported afaik, so it's a bug, right?
>>>
>> No. A hacker gets some control over ssh and is able to make it bind to
>> port 80; now he can read apache content.
> Hmmm, is it enough that sshd binds to port 80 to access the files of
> apache? It seems strange. Am I missing something in the TE rule?
No, but it could intercept traffic intended for the apache server on the
machine. The problem here is the ability to impersonate other apps.
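As an added example (not code from the thread or from the SELinux project), a POSIX shell script that turns a name_bind AVC denial like Michal's into the semanage port command Dan gave in his first reply, and separates the unreserved port_t case from a port already labeled for another service, which is the impersonation risk Dan describes in his last reply. The two log lines are constructed, and the sshd_t-to-sshd_port_t mapping is hard-coded as an assumption; the script only prints the command, it does not apply it.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a name_bind AVC denial such as
# the one Michal posted into the semanage command Dan suggested, and flag the
# case where the requested port already carries another service's port type.

# Constructed sample: Michal's denial, with the context strings spelled out.
AVC_SSHD='type=1400 audit(1286901219.350:29): avc:  denied  { name_bind } for  pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
# Constructed sample: sshd trying to bind a port already labeled for httpd.
AVC_HTTP='type=1400 audit(1286901300.000:30): avc:  denied  { name_bind } for  pid=6831 comm="sshd" src=80 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> value of "KEY=value" in the record, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# ctx_type CONTEXT -> the type field of user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE -> prints the semanage command that would allow the bind.
# Returns 1 for anything that is not a name_bind denial of sshd_t.
suggest_fix() {
    line=$1
    printf '%s\n' "$line" | grep -q 'denied *{ name_bind }' || return 1
    port=$(avc_field "$line" src)
    sdom=$(ctx_type "$(avc_field "$line" scontext)")
    tport=$(ctx_type "$(avc_field "$line" tcontext)")
    case $(avc_field "$line" tclass) in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) return 1 ;;
    esac
    # Assumption: only the domain from the thread is mapped. Other domains need
    # a lookup in 'semanage port -l', since port type names are not derivable.
    [ "$sdom" = sshd_t ] || return 1
    ptype=sshd_port_t
    if [ "$tport" = port_t ]; then
        # Generic, unreserved port: add a label, exactly as Dan's command did.
        printf 'semanage port -a -t %s -p %s %s\n' "$ptype" "$proto" "$port"
    else
        # The port already belongs to another service. Relabeling it hands that
        # service's port to sshd (Dan's impersonation point), so print the
        # current owner alongside the command and let the admin decide.
        printf 'semanage port -m -t %s -p %s %s  # currently %s\n' \
            "$ptype" "$proto" "$port" "$tport"
    fi
}

suggest_fix "$AVC_SSHD"
suggest_fix "$AVC_HTTP"
```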
 