Re: Alternate OpenSSH ports
- From: Daniel J Walsh <dwalsh redhat com>
- To: Joshua Brindle <method manicmethod com>
- Cc: fedora-selinux-list redhat com
- Subject: Re: Alternate OpenSSH ports
- Date: Wed, 01 Oct 2008 08:37:07 -0400
Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On Tue, 2008-09-30 at 08:41 -0400, Daniel J Walsh wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Arthur Pemberton wrote:
>>>> On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley <sds tycho nsa gov> wrote:
>>>>> On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
>>>>>> I'm getting a denial when I attempt to use port 23 as an additional
>>>>>> port for sshd. That makes sense. What's the best way to define
>>>>>> alternate SSHd ports?
>>>>> semanage port -m -t ssh_port_t -p tcp 23
>>>>
>>>> When trying this, I get:
>>>> sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
>>>>
>>>> Even after doing that, I get this on `service sshd restart`:
>>>> sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
>>>>
>>>>
>>> Please send the output from that command, that number is only local to
>>> your machine.
>> Wondering if libsemanage does the right thing when the port already
>> exists in the base policy, as in this case. It should override the base
>> policy definition with the local one, but I'm not 100% sure it does.
>>
>
> There does appear to be a bug, after running:
> semanage port -m -t ssh_port_t -p tcp 8021
>
> I get:
>
> [root misterfreeze ~]# seinfo --portcon=8021
> portcon tcp 8021 system_u:object_r:ssh_port_t:s0
> portcon tcp 8021 system_u:object_r:zope_port_t:s0
>
>
> I'm not sure when I'll be able to get to this, can you take a look first, Dan?
Well, do you think this is a bug in semanage or sepol? I thought you used
to get a denial when you tried to do this saying you could not modify a
named port.
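The condition shown in the quoted seinfo output, one port carrying two different types, can be checked for mechanically. The script below is an added example and is not part of the original thread; the function name find_portcon_conflicts and every sample line other than the two tcp 8021 entries are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): report ports that carry more than one
# SELinux type in `seinfo --portcon` output, like the two 8021 entries above.

# Reads portcon lines on stdin; prints "<proto> <port|range> <type> <type>..."
# for every protocol/port key labelled with two or more different types.
# Only identical keys are compared: a single port inside a wider range is
# normal policy layout and is not reported.
find_portcon_conflicts() {
    awk '
    $1 == "portcon" && NF >= 4 {
        n  = split($3, r, "-")            # "8021" or "6000-6020"
        lo = r[1] + 0
        hi = (n == 2) ? r[2] + 0 : lo
        split($4, c, ":")                 # user:role:type[:level]
        key = $2 " " ((lo == hi) ? lo : lo "-" hi)
        if (!(key in types)) {            # first label seen for this key
            types[key] = c[3]; order[++k] = key
        } else if (index(" " types[key] " ", " " c[3] " ") == 0) {
            types[key] = types[key] " " c[3]
            conflict[key] = 1             # a second, different type
        }
    }
    END {
        for (i = 1; i <= k; i++)
            if (order[i] in conflict) print order[i], types[order[i]]
    }'
}

# Sample input: the two tcp 8021 lines are from the message above; the other
# lines are constructed for illustration.
SAMPLE_PORTCON='portcon tcp 22 system_u:object_r:ssh_port_t:s0
portcon tcp 8021 system_u:object_r:ssh_port_t:s0
portcon tcp 8021 system_u:object_r:zope_port_t:s0
portcon udp 8021 system_u:object_r:zope_port_t:s0
portcon tcp 6000-6020 system_u:object_r:xserver_port_t:s0'

printf '%s\n' "$SAMPLE_PORTCON" | find_portcon_conflicts
```

On a live system the same function can be fed with `seinfo --portcon | find_portcon_conflicts` after a `semanage port -m` change to confirm that the local label replaced the base policy one instead of being added beside it.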