Thursday, April 25, 2013

Fedora 18, sshd & SELinux

While changing the default port of sshd, SELinux got in the way:

service sshd status
Redirecting to /bin/systemctl status  sshd.service
sshd.service - OpenSSH server daemon
      Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
      Active: failed (Result: exit-code) since Thu 2013-04-25 16:01:52 EEST; 1min 25s ago
     Process: 1950 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=255)
     Process: 1944 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)

 systemd[1]: Starting OpenSSH server daemon...
 systemd[1]: Started OpenSSH server daemon.
 sshd[1950]: error: Bind to port 248 on 0.0.0.0 failed: Permission denied.
 sshd[1950]: error: Bind to port 248 on :: failed: Permission denied.
 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
 systemd[1]: Unit sshd.service entered failed state

Everything is fine again after labelling the new port for sshd:

semanage port -a -t ssh_port_t -p tcp 248

The full alert from the SELinux troubleshooter (setroubleshoot):

SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket .

*****  Plugin bind_ports (99.5 confidence) suggests  *************************

If you want to allow /usr/sbin/sshd to bind to network port 248
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 248
    where PORT_TYPE is one of the following: ssh_port_t, xserver_port_t.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that sshd should be allowed name_bind access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          248
Host                          82-79-141-236.static.resita.rdsnet.ro
Source RPM Packages           openssh-server-6.1p1-6.fc18.x86_64
Target RPM Packages          
Policy RPM                    selinux-policy-3.11.1-91.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing

Platform                      Linux   3.8.8-202.fc18.x86_64 #1 SMP Wed Apr 17 23:25:17
                              UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-04-25 16:01:52 EEST
Last Seen                     2013-04-25 16:01:52 EEST
Local ID                      fffbad56-ad32-4ff4-b98d-3de411d41505

Raw Audit Messages
type=AVC msg=audit(1366894912.989:94): avc:  denied  { name_bind } for  pid=1950 comm="sshd" src=248 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1366894912.989:94): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7ff6baf563b0 a2=1c a3=7fffe9432d74 items=0 ppid=1 pid=1950 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,reserved_port_t,tcp_socket,name_bind

audit2allow

#============= sshd_t ==============
allow sshd_t reserved_port_t:tcp_socket name_bind;

audit2allow -R
require {
    type sshd_t;
}

#============= sshd_t ==============
corenet_tcp_bind_reserved_port(sshd_t)
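
The alert above offers two very different fixes: the bind_ports plugin relabels one port (semanage port), while the catchall plugin loads an audit2allow module that lets sshd_t bind to every port of type reserved_port_t. The script below is an added example, not part of the original post: it parses the AVC record from the alert (copied here as a constructed sample) and derives both the broad audit2allow rule and the narrow semanage command, so the two can be compared side by side. The sshd_t to ssh_port_t mapping is taken from the plugin text on this page; for any other domain the script emits a PORT_TYPE placeholder to be looked up with `semanage port -l`.

```shell
#!/bin/sh
# Added example (not from the original post): triage an SELinux AVC denial for a
# port bind and derive the narrowest remediation. The audit record below is a
# constructed sample that mirrors the one printed by setroubleshoot above.

AVC_LINE='type=AVC msg=audit(1366894912.989:94): avc:  denied  { name_bind } for  pid=1950 comm="sshd" src=248 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> the value of KEY=value in an audit record (quotes stripped)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE -> the denied permission inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type component (user:role:TYPE:level) of a context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# audit2allow_rule LINE -> the allow rule audit2allow would generate. This is the
# broad fix: the subject domain may then bind ANY port carrying the target type.
audit2allow_rule() {
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$(avc_field "$1" tclass)" "$(avc_perm "$1")"
}

# remediation LINE -> the narrow fix for a name_bind denial: relabel just the one
# port to the port type the domain is already allowed to bind.
remediation() {
    perm=$(avc_perm "$1")
    tclass=$(avc_field "$1" tclass)
    case "$perm:$tclass" in
        name_bind:tcp_socket|name_bind:udp_socket) ;;
        *) printf 'not a port-bind denial (%s on %s)\n' "$perm" "$tclass"; return 1 ;;
    esac
    proto=${tclass%_socket}
    port=$(avc_field "$1" src)
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    case "$stype" in
        sshd_t) port_type=ssh_port_t ;;   # mapping named by the bind_ports plugin above
        *)      port_type=PORT_TYPE ;;    # placeholder: look it up with "semanage port -l"
    esac
    printf 'semanage port -a -t %s -p %s %s\n' "$port_type" "$proto" "$port"
}

echo "broad fix (audit2allow):  $(audit2allow_rule "$AVC_LINE")"
echo "narrow fix (semanage):    $(remediation "$AVC_LINE")"
```

The semanage form only touches port 248; the audit2allow rule grants sshd_t name_bind on the whole reserved_port_t range, which is every privileged port not given a more specific label, so it is the wrong tool when the denial is simply a mislabelled port. One practical caveat: `semanage port -a` refuses a port that policy already assigns to some other type; in that case `semanage port -m` modifies the existing assignment instead.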
