Jorge Fábregas
2009-Oct-25 18:08 UTC
[CentOS] Running SSH on a different port (with SELinux)
Hello everyone,

Now after the recent discussion on running SSH on a different port, I decided to start a new thread but with SELinux involved.

Assuming that you have SELinux enabled, and that you changed the default port for SSHD, let's say to 1234, when I restart SSHD I don't get any AVC denials.

This is the output of: semanage port -l | grep ssh
ssh_port_t tcp 22

I thought (based on previous SELinux readings) that in order to allow SSHD on a non-default port you needed to:

semanage port -a -t ssh_port_t -p tcp 1234

That was the theory I read :) Now in practice it seems it is not implemented yet, or at least by the time RHEL5 came out. Does anyone know?

All the best,
Jorge
Jorge Fábregas wrote:
> Hello everyone,
>
> Now after the recent discussion on running SSH on a different port, I decided
> to start a new thread but with SELinux involved.
>
> Assuming that you have SELinux enabled, and that you changed the default port
> for SSHD, let's say to 1234, when I restart SSHD I don't get any AVC denials.
>
> This is the output of: semanage port -l | grep ssh
> ssh_port_t tcp 22
>
> I thought (based on previous SELinux readings) that in order to allow SSHD on
> a non-default port you needed to:
>
> semanage port -a -t ssh_port_t -p tcp 1234
>
> That was the theory I read :) Now in practice it seems it is not implemented
> yet, or at least by the time RHEL5 came out. Does anyone know?

The SSH daemon runs as an unconfined service in SELinux (at least on RHEL4 and 5), so SELinux has no effect on SSH. Same as a bash shell runs unconfined.
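The semanage step Jorge quotes only matters where sshd is confined (on later releases it runs as sshd_t and is denied a bind to a port that is not labelled ssh_port_t; on the RHEL4/5 systems discussed in the reply it is unconfined, so the label is irrelevant). The script below is an added example, not code from either poster: it compares the Port lines of an sshd_config against the ssh_port_t entries of `semanage port -l` and prints the exact `semanage port -a` command for any port that is missing. Both inputs are constructed sample text embedded in the script so that it runs offline; on a live host you would feed it the real file and the real command output instead.

```shell
#!/bin/sh
# Added example: check that every port sshd is configured to listen on is
# labelled ssh_port_t in SELinux policy. Sample inputs are constructed here
# so the script runs without semanage or an sshd_config present.

# Constructed stand-in for `semanage port -l` output (ssh line from the thread
# plus one unrelated line, to show that other types are ignored).
SAMPLE_SEMANAGE='ssh_port_t                     tcp      22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Constructed sshd_config fragment: default port commented out, 1234 active.
SAMPLE_SSHD_CONFIG='# Port 22
Port 1234
ListenAddress 0.0.0.0'

# Print the ports sshd will listen on, one per line (22 when no Port line).
# Keywords in sshd_config are case-insensitive, hence tolower().
sshd_ports() {
    ports=$(printf '%s\n' "$1" | awk 'tolower($1) == "port" { print $2 }')
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# Print the TCP ports labelled ssh_port_t, one per line, commas stripped.
ssh_labelled_ports() {
    printf '%s\n' "$1" | awk '$1 == "ssh_port_t" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) { gsub(",", "", $i); print $i }
    }'
}

# Return 0 when every configured port is labelled; otherwise print the
# semanage command that would add the missing label and return 1.
check_sshd_ports() {
    config="$1"; semanage_out="$2"; missing=0
    for p in $(sshd_ports "$config"); do
        if ssh_labelled_ports "$semanage_out" | grep -qx "$p"; then
            echo "port $p: labelled ssh_port_t"
        else
            echo "port $p: NOT labelled; run: semanage port -a -t ssh_port_t -p tcp $p"
            missing=1
        fi
    done
    return $missing
}

# Demo run against the constructed samples: 1234 is configured but unlabelled.
check_sshd_ports "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SEMANAGE" ||
    echo "on a confined sshd this port would be denied with an AVC at bind time"
```

On a real host replace the two sample strings with `"$(cat /etc/ssh/sshd_config)"` and `"$(semanage port -l)"`; the check then tells you whether the AVC-free restart Jorge saw is due to policy (the port is labelled) or, as the reply explains for RHEL4/5, because sshd is not confined at all.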