semanage errors when changing ssh port Re: Fedora-Minimal-armhfp-21-20140815-sda.raw.xz problems with sshd

OK. I am running Minimal 'out of the box'. I DID install tigervnc-server and policycoreutils-python and all dependencies.

# semanage port -a -t ssh_port_t -p tcp ___
[ 2043.787411] SELinux: Permission audit_read in class capability2 not defined in policy.
[ 2043.795520] SELinux: the above unknown classes and permissions will be allowed
[ 2045.025332] SELinux: Context unconfined_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 2047.090145] SELinux: Context unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 2047.654731] SELinux: Context system_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 2049.710431] SELinux: Context system_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).

But it seems to have made the needed changes so I can SSH to my non-standard port.

This is a commonly done system change. Move SSH to some other port just to cut down on the robot noise. One time during this testing, I had port 22 open from the outside and before I could change the port number I had almost 600 attempted SSH logins.

On 08/16/2014 05:45 AM, Daniel J Walsh wrote:
On 08/15/2014 03:34 PM, Robert Moskowitz wrote:
related, I move the sshd port, and update SELinux policy with:

semanage port -a -t ssh_port_t -p tcp 1234

and got the following messages:

[ 1828.788735] SELinux:  Permission audit_read in class capability2
not defined in policy.
This means you have a capability defined in policy "audit_read", which
the kernel does not understand
[ 1828.796870] SELinux: the above unknown classes and permissions will
be allowed
[ 1829.450779] SELinux:  Context
system_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 1831.528160] SELinux:  Context
system_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 1832.890157] SELinux:  Context
unconfined_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 1834.966398] SELinux:  Context
unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid
(unmapped).
These are types that have been removed from the default packages.  So
they were defined in the previous policy that you had in the kernel, but
the new policy you loaded no longer has sandbox_t and vbetool_t. These
should not be a problem
unless you had an application running as sandbox_t or vbetool_t, most
likely not.
But it seems to have worked.  That is SSH can be reached at the
changed port.  And yes, I also did the firewall-cmd for the new port
number.
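
Added example, not from the thread: a small shell helper that decides whether a non-standard sshd port needs `semanage port -a` or `semanage port -m` (adding fails with "already defined" when the port is already assigned to another port type) by parsing the format of `semanage port -l`, then emits the semanage, firewall-cmd and verification commands. The listing is constructed sample output and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Decide how to label a non-standard sshd
# port: `semanage port -a` fails with "already defined" when the port is already
# assigned to another type, in which case `-m` is needed instead.
# The listing below is constructed sample output in the format of `semanage port -l`.
SAMPLE_LISTING='SELinux Port Type    Proto    Port Number
http_port_t          tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t           tcp      22
vnc_port_t           tcp      5900-5999'

# port_label_action LISTING PROTO PORT -> prints noop | add | modify
port_label_action() {
    local listing="$1" proto="$2" port="$3"
    local type seen_proto ports p lo hi
    while read -r type seen_proto ports; do
        [ "$seen_proto" = "$proto" ] || continue      # skips the header and other protocols
        for p in $ports; do
            p=${p%,}                                   # "80," -> "80"
            case "$p" in
                *-*) lo=${p%-*}; hi=${p#*-} ;;         # a range such as 5900-5999
                *)   lo=$p; hi=$p ;;
            esac
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                if [ "$type" = ssh_port_t ]; then echo noop; else echo modify; fi
                return 0
            fi
        done
    done <<EOF
$listing
EOF
    echo add
}

# ssh_port_commands LISTING PORT -> prints the commands an admin would run
ssh_port_commands() {
    local listing="$1" port="$2"
    case "$(port_label_action "$listing" tcp "$port")" in
        add)    echo "semanage port -a -t ssh_port_t -p tcp $port" ;;
        modify) echo "semanage port -m -t ssh_port_t -p tcp $port" ;;
        noop)   echo "# tcp/$port is already labeled ssh_port_t" ;;
    esac
    # open the port in the firewall, then verify the label actually took effect
    echo "firewall-cmd --permanent --add-port=$port/tcp && firewall-cmd --reload"
    echo "semanage port -l | grep ssh_port_t"
}

ssh_port_commands "$SAMPLE_LISTING" 1234
```

The kernel messages about audit_read and the unmapped sandbox_t/vbetool_t contexts are unrelated to the port change; the `semanage port -l | grep ssh_port_t` line at the end is the check that matters.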



--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test