Alternate OpenSSH ports
Stephen Smalley
sds at tycho.nsa.gov
Wed Oct 1 12:52:26 UTC 2008
On Mon, 2008-09-29 at 21:17 -0500, Arthur Pemberton wrote:
> On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> >
> > On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
> >> I'm getting an denial when I attempt o use port 23 as an additional
> >> port for sshd. That makes sense. What's the best way to define
> >> alternate SSHd ports?
> >
> > semanage port -m -t ssh_port_t -p tcp 23
>
>
>
> When trying this, I get:
> sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
>
> Even after doing that, I get this on `service sshd restart`:
> sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
A workaround until semanage is fixed to correctly support the above
would be to add a local policy module that allows sshd to bind to the
telnetd port, e.g.
$ cat myssh.te
policy_module(myssh, 1.0)
require {
type sshd_t;
type telnetd_port_t;
}
allow sshd_t telnetd_port_t:tcp_socket name_bind;
$ make -f /usr/share/selinux/devel/Makefile myssh.pp
$ semodule -i myssh.pp
audit2allow should have yielded a similar result.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list