On Tue, Oct 12, 2010 at 8:02 PM, Daniel J Walsh <dwa...@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/12/2010 01:49 PM, Michal Hlavinka wrote:
>> Hi all,
>>
>> I've recently upgraded my system, but after that I was not able to connect
>> through ssh. More things are wrong (from my POV):
>> 1) SELinux blocks all nondefault ports for ssh
>>
>> I have ssh configured to use a different port than 22 for security reasons and
>> I think there are a lot of people doing that.
>>
> You need to tell SELinux which port to use for sshd.
>
> semanage port -a -t sshd_port_t -p tcp 6520
>
>> Question: Is it worth blocking all ports for ssh?
>>
>> 2) SELinux did not show any sealert warning about this. Running sealert -b
>> shows no problem. There is one message in /var/log/messages:
>> kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc: denied {
>> name_bind } for pid=6830 comm="sshd" src=6520
>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>>
>> Question: This should be reported afaik, so it's a bug, right?
>>
> No. A hacker gets some control over ssh and is able to make it bind to
> port 80; now he can read apache content.
Hmmm, is it enough that sshd binds to port 80 to access the files of
apache? It seems strange. Am I missing something in the TE rule?
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
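As an added illustration of the denial discussed in this thread (not code from the list or from the SELinux project), the script below parses the quoted `name_bind` AVC line and derives the `semanage port` command that labels the port for the denied domain. The `sshd_t -> sshd_port_t` pair is the one the thread gives; the mapping table and the `-a`/`-m` choice for already-labelled ports are assumptions that go beyond the thread's single case.

```python
import re
from typing import Optional

# Constructed sample: the AVC denial quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'kernel: [90346.301108] type=1400 audit(1286901219.350:29): avc: denied { '
    'name_bind } for pid=6830 comm="sshd" src=6520 '
    'scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perm>[\w ]+?)\s*\}\s+for\s+(?P<fields>.*)$')

# Assumed mapping from the denied source domain to the port type it may bind.
# Only the sshd_t -> sshd_port_t pair comes from the thread.
DOMAIN_TO_PORT_TYPE = {"sshd_t": "sshd_port_t"}

def parse_avc(line: str) -> Optional[dict]:
    """Extract the fields of a port-bind AVC denial; None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    if not {"src", "scontext", "tcontext", "tclass"}.issubset(kv):
        return None
    if kv["tclass"] not in ("tcp_socket", "udp_socket"):
        return None
    return {
        "perm": m.group("perm"),
        "comm": kv.get("comm", "").strip('"'),
        "port": kv["src"],
        "proto": kv["tclass"].split("_")[0],          # tcp_socket -> tcp
        "source_type": kv["scontext"].split(":")[2],  # user:role:TYPE:level
        "target_type": kv["tcontext"].split(":")[2],
    }

def suggest_semanage(line: str) -> Optional[str]:
    """Build the semanage port command that labels the port for the denied domain."""
    rec = parse_avc(line)
    if rec is None or rec["perm"] != "name_bind":
        return None
    port_type = DOMAIN_TO_PORT_TYPE.get(rec["source_type"])
    if port_type is None:
        return None  # unknown domain: do not guess a port type
    # A port still carrying the generic port_t is added with -a; one that already
    # has another type (e.g. http_port_t) must be changed with -m, as -a fails on it.
    action = "-a" if rec["target_type"] == "port_t" else "-m"
    return f"semanage port {action} -t {port_type} -p {rec['proto']} {rec['port']}"
```

Run `suggest_semanage(SAMPLE_AVC)` to get the same `semanage port -a -t sshd_port_t -p tcp 6520` command given above; after applying it, `sealert` stays silent because the bind is then allowed rather than merely unreported.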