Re: Selinux: SSH broken after F-13 --> F-14 upgrade

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Oct 12, 2010 at 8:02 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/12/2010 01:49 PM, Michal Hlavinka wrote:
>> Hi all,
>>
>> I've recently upgraded my system, but after that I was not able to connect through ssh. More things are wrong (from my POV):
>> 1)SELinux blocks all nondefault ports for ssh
>>
>> I have ssh confugured to use different port than 22 for security reasons and I think there is a lot of people doing that.
>>
> You need to tell SELinux which port to use for sshd.
>
> semanage port -a -t sshd_port_t -p tcp 6520
>
>> Question: Is it worth blocking all ports for ssh?
>>
>> 2)SELinux did not show any sealert warning about this. Running sealert -b shows no problem. There is one message in /var/log/messages:
>> kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc:  denied  { name_bind } for  pid=6830 comm="sshd" src=6520 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>>
>> Question: This should be reported afaik, so it's a bug, right?
>>
> No.  Hacker gets some control over ssh and is able to make it bind to
> port 80, now he can read apache content.
Hmmm, it is  enough that sshd bind to port 80 to access the files of
apache? it seems strange. am i missing something in the TE rule?
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux