Alternate OpenSSH ports

> On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley <sds@...> wrote:
>> On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
>>> I'm getting an denial when I attempt o use port 23 as an additional
>>> port for sshd. That makes sense. What's the best way to define
>>> alternate SSHd ports?
>> semanage port -m -t ssh_port_t -p tcp 23
>
>
>
> When trying this, I get:
> sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
>
> Even after doing that, I get this on `service sshd restart`:
> sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
>
>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Arthur Pemberton wrote:
> > On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley <sds@...> wrote:
> >> On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
> >>> I'm getting an denial when I attempt o use port 23 as an additional
> >>> port for sshd. That makes sense. What's the best way to define
> >>> alternate SSHd ports?
> >> semanage port -m -t ssh_port_t -p tcp 23
> >
> >
> >
> > When trying this, I get:
> > sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
> >
> > Even after doing that, I get this on `service sshd restart`:
> > sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
> >
> >
> Please send the output from that command, that number is only local to
> your machine.

> Stephen Smalley wrote:
>> On Tue, 2008-09-30 at 08:41 -0400, Daniel J Walsh wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Arthur Pemberton wrote:
>>>> On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley <sds@...> wrote:
>>>>> On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
>>>>>> I'm getting an denial when I attempt o use port 23 as an additional
>>>>>> port for sshd. That makes sense. What's the best way to define
>>>>>> alternate SSHd ports?
>>>>> semanage port -m -t ssh_port_t -p tcp 23
>>>>
>>>> When trying this, I get:
>>>> sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
>>>>
>>>> Even after doing that, I get this on `service sshd restart`:
>>>> sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
>>>>
>>>>
>>> Please send the output from that command, that number is only local to
>>> your machine.
>> Wondering if libsemanage does the right thing when the port already
>> exists in the base policy, as in this case.  It should override the base
>> policy definition with the local one, but I'm not 100% sure it does.
>>
>
> There does appear to be a bug, after running:
> semanage port -m -t ssh_port_t -p tcp 8021
>
> I get:
>
> [root@misterfreeze ~]# seinfo --portcon=8021
>         portcon tcp 8021 system_u:object_r:ssh_port_t:s0
>         portcon tcp 8021 system_u:object_r:zope_port_t:s0
>
>
> I'm not sure when I'll be able to get to this, can you take a look first Dan?

> On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley <sds@...> wrote:
> >
> > On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
> >> I'm getting an denial when I attempt o use port 23 as an additional
> >> port for sshd. That makes sense. What's the best way to define
> >> alternate SSHd ports?
> >
> > semanage port -m -t ssh_port_t -p tcp 23
>
>
>
> When trying this, I get:
> sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
>
> Even after doing that, I get this on `service sshd restart`:
> sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986