service sshd status
Redirecting to /bin/systemctl status sshd.service
sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: failed (Result: exit-code) since Thu 2013-04-25 16:01:52 EEST; 1min 25s ago
Process: 1950 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=255)
Process: 1944 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)
systemd[1]: Starting OpenSSH server daemon...
systemd[1]: Started OpenSSH server daemon.
sshd[1950]: error: Bind to port 248 on 0.0.0.0 failed: Permission denied.
sshd[1950]: error: Bind to port 248 on :: failed: Permission denied.
systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
systemd[1]: Unit sshd.service entered failed state
everything is ok with :
semanage port -a -t ssh_port_t -p tcp 248
SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket .
***** Plugin bind_ports (99.5 confidence) suggests *************************
If you want to allow /usr/sbin/sshd to bind to network port 248
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 248
where PORT_TYPE is one of the following: ssh_port_t, xserver_port_t.
***** Plugin catchall (1.49 confidence) suggests ***************************
If you believe that sshd should be allowed name_bind access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context system_u:object_r:reserved_port_t:s0
Target Objects [ tcp_socket ]
Source sshd
Source Path /usr/sbin/sshd
Port 248
Host 82-79-141-236.static.resita.rdsnet.ro
Source RPM Packages openssh-server-6.1p1-6.fc18.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.11.1-91.fc18.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Platform Linux 3.8.8-202.fc18.x86_64 #1 SMP Wed Apr 17 23:25:17
UTC 2013 x86_64 x86_64
Alert Count 1
First Seen 2013-04-25 16:01:52 EEST
Last Seen 2013-04-25 16:01:52 EEST
Local ID fffbad56-ad32-4ff4-b98d-3de411d41505
Raw Audit Messages
type=AVC msg=audit(1366894912.989:94): avc: denied { name_bind } for pid=1950 comm="sshd" src=248 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1366894912.989:94): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7ff6baf563b0 a2=1c a3=7fffe9432d74 items=0 ppid=1 pid=1950 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Hash: sshd,sshd_t,reserved_port_t,tcp_socket,name_bind
audit2allow
#============= sshd_t ==============
allow sshd_t reserved_port_t:tcp_socket name_bind;
audit2allow -R
require {
type sshd_t;
}
#============= sshd_t ==============
corenet_tcp_bind_reserved_port(sshd_t)
No comments:
Post a Comment