Old 09-29-2008, 08:31 PM
Arthur Pemberton

Alternate OpenSSH ports

I'm getting a denial when I attempt to use port 23 as an additional
port for sshd. That makes sense. What's the best way to define
alternate sshd ports?

--
Fedora 9 : sulphur is good for the skin
( www.pembo13.com )

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 09-29-2008, 08:38 PM
Sebastian Hennebrueder
 
Alternate OpenSSH ports

Arthur Pemberton schrieb:

I'm getting a denial when I attempt to use port 23 as an additional
port for sshd. That makes sense. What's the best way to define
alternate sshd ports?



http://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388

Best Regards

Sebastian

 
Old 09-29-2008, 08:40 PM
Stephen Smalley
 
Alternate OpenSSH ports

On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
> I'm getting a denial when I attempt to use port 23 as an additional
> port for sshd. That makes sense. What's the best way to define
> alternate sshd ports?

semanage port -m -t ssh_port_t -p tcp 23

--
Stephen Smalley
National Security Agency

 
Old 09-29-2008, 09:49 PM
Arthur Pemberton

Alternate OpenSSH ports

Thanks guys.

 
Old 09-30-2008, 02:17 AM
Arthur Pemberton

Alternate OpenSSH ports

On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
>> I'm getting a denial when I attempt to use port 23 as an additional
>> port for sshd. That makes sense. What's the best way to define
>> alternate sshd ports?
>
> semanage port -m -t ssh_port_t -p tcp 23



When trying this, I get:
sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb

Even after doing that, I get this on `service sshd restart`:
sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986


--
Fedora 9 : sulphur is good for the skin
( www.pembo13.com )

 
Old 09-30-2008, 12:41 PM
Daniel J Walsh
 
Alternate OpenSSH ports


Arthur Pemberton wrote:
> On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
>>> I'm getting a denial when I attempt to use port 23 as an additional
>>> port for sshd. That makes sense. What's the best way to define
>>> alternate sshd ports?
>> semanage port -m -t ssh_port_t -p tcp 23
>
>
>
> When trying this, I get:
> sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
>
> Even after doing that, I get this on `service sshd restart`:
> sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
>
>
Please send the output from that command, that number is only local to
your machine.

 
Old 09-30-2008, 01:18 PM
Stephen Smalley
 
Alternate OpenSSH ports

On Tue, 2008-09-30 at 08:41 -0400, Daniel J Walsh wrote:
> Arthur Pemberton wrote:
> > On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >> On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
> >>> I'm getting a denial when I attempt to use port 23 as an additional
> >>> port for sshd. That makes sense. What's the best way to define
> >>> alternate sshd ports?
> >> semanage port -m -t ssh_port_t -p tcp 23
> >
> >
> >
> > When trying this, I get:
> > sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
> >
> > Even after doing that, I get this on `service sshd restart`:
> > sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
> >
> >
> Please send the output from that command, that number is only local to
> your machine.

Wondering if libsemanage does the right thing when the port already
exists in the base policy, as in this case. It should override the base
policy definition with the local one, but I'm not 100% sure it does.

--
Stephen Smalley
National Security Agency

 
Old 10-01-2008, 12:37 PM
Daniel J Walsh
 
Alternate OpenSSH ports


Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On Tue, 2008-09-30 at 08:41 -0400, Daniel J Walsh wrote:
>>> Arthur Pemberton wrote:
>>>> On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>>> On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
>>>>>> I'm getting a denial when I attempt to use port 23 as an additional
>>>>>> port for sshd. That makes sense. What's the best way to define
>>>>>> alternate sshd ports?
>>>>> semanage port -m -t ssh_port_t -p tcp 23
>>>>
>>>> When trying this, I get:
>>>> sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
>>>>
>>>> Even after doing that, I get this on `service sshd restart`:
>>>> sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
>>>>
>>>>
>>> Please send the output from that command, that number is only local to
>>> your machine.
>> Wondering if libsemanage does the right thing when the port already
>> exists in the base policy, as in this case. It should override the base
>> policy definition with the local one, but I'm not 100% sure it does.
>>
>
> There does appear to be a bug, after running:
> semanage port -m -t ssh_port_t -p tcp 8021
>
> I get:
>
> [root@misterfreeze ~]# seinfo --portcon=8021
> portcon tcp 8021 system_u:object_r:ssh_port_t:s0
> portcon tcp 8021 system_u:object_r:zope_port_t:s0
>
>
> I'm not sure when I'll be able to get to this, can you take a look first Dan?
Well, do you think this is a bug in semanage or sepol? I thought you used
to get a denial when you tried to do this saying you could not modify a
named port.

 
Old 10-01-2008, 12:52 PM
Stephen Smalley
 
Alternate OpenSSH ports

On Mon, 2008-09-29 at 21:17 -0500, Arthur Pemberton wrote:
> On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >
> > On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
> >> I'm getting a denial when I attempt to use port 23 as an additional
> >> port for sshd. That makes sense. What's the best way to define
> >> alternate sshd ports?
> >
> > semanage port -m -t ssh_port_t -p tcp 23
>
>
>
> When trying this, I get:
> sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
>
> Even after doing that, I get this on `service sshd restart`:
> sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986

A workaround until semanage is fixed to correctly support the above
would be to add a local policy module that allows sshd to bind to the
telnetd port, e.g.

$ cat myssh.te
policy_module(myssh, 1.0)

require {
type sshd_t;
type telnetd_port_t;
}

allow sshd_t telnetd_port_t:tcp_socket name_bind;

$ make -f /usr/share/selinux/devel/Makefile myssh.pp
$ semodule -i myssh.pp

audit2allow should have yielded a similar result.

--
Stephen Smalley
National Security Agency

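The two answers in this thread, Stephen Smalley's `semanage port -m` one-liner and his local policy module fallback, combined into one added shell example. This is not code from the thread or from the SELinux project: the `semanage port -l` listing is a constructed sample, the function names are mine, and the script only prints the `semanage` command it would run (so it can be read on a machine without SELinux). It picks `-a` when a port has no label yet and `-m` when a built-in label such as telnetd_port_t (port 23) or zope_port_t (port 8021, Joshua Brindle's case) has to be overridden, and it generalises the `.te` module from telnetd_port_t to whatever type already owns the port.

```shell
#!/bin/sh
# Added example (not from the thread): pick the right semanage verb for an
# extra sshd port and emit the fallback local policy module. Nothing here
# runs semanage/semodule; the commands are printed for the admin to review.

# Constructed sample of `semanage port -l` output; not captured from a real
# host. Real listings are longer, but the column layout is the same.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
telnetd_port_t                 tcp      23
vnc_port_t                     tcp      5900-5999
zope_port_t                    tcp      8021, 8080'

# port_type_for PORT PROTO LISTING
# Prints the SELinux port type that already covers PORT/PROTO in LISTING
# (single ports, comma-separated lists and ranges are handled), or nothing
# if the port is unlabeled.
port_type_for() {
    printf '%s\n' "$3" | awk -v want="$1" -v proto="$2" '
        BEGIN { w = want + 0 }
        NR == 1 || NF < 3 || $2 != proto { next }
        {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /^[0-9]+-[0-9]+$/) {
                    split(p, r, "-")
                    if (w >= r[1] + 0 && w <= r[2] + 0) { print $1; next }
                } else if (p + 0 == w) {
                    print $1; next
                }
            }
        }'
}

# semanage_port_cmd PORT PROTO LISTING
# Prints the semanage command that labels PORT as ssh_port_t: -a when the
# port carries no label yet, -m when a built-in label (telnetd_port_t for
# 23, zope_port_t for 8021 in the thread) has to be overridden.
semanage_port_cmd() {
    existing=$(port_type_for "$1" "$2" "$3")
    case "$existing" in
        "")         echo "semanage port -a -t ssh_port_t -p $2 $1" ;;
        ssh_port_t) echo "# $2/$1 is already ssh_port_t, nothing to do" ;;
        *)          echo "semanage port -m -t ssh_port_t -p $2 $1" ;;
    esac
}

# gen_sshd_bind_module PORT_TYPE
# Prints the .te source of the workaround module from the thread,
# generalised from telnetd_port_t to any port type, so sshd_t may
# name_bind to it.
gen_sshd_bind_module() {
    cat <<EOF
policy_module(myssh, 1.0)

require {
	type sshd_t;
	type $1;
}

allow sshd_t $1:tcp_socket name_bind;
EOF
}

# Demo against the constructed listing. To use the module for real:
#   make -f /usr/share/selinux/devel/Makefile myssh.pp && semodule -i myssh.pp
# then confirm with `seinfo --portcon=23` before restarting sshd.
for p in 23 2222 8021; do
    semanage_port_cmd "$p" tcp "$SAMPLE_PORT_LIST"
done
gen_sshd_bind_module "$(port_type_for 23 tcp "$SAMPLE_PORT_LIST")"
```

Whichever route is taken, the port also has to be added as a `Port` line in sshd_config, and `seinfo --portcon=<port>` should show exactly one portcon entry afterwards; two entries for the same port, as in Joshua Brindle's output above, means the `-m` override did not take and the module route is the safer choice.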
 
