
I'm running Red Hat 7.7. I am trying to let the ssh service accept connections on both port 22 and port 443. I have already opened firewalld with

sudo firewall-cmd --add-port=443/tcp --permanent
sudo firewall-cmd --reload

And set

Port 22
Port 443

in /etc/ssh/sshd_config and reloaded with

sudo systemctl reload sshd

But sudo journalctl -u sshd still says it can't bind to 443. What do I need to do now?

MadMike
3 Answers


You don't need to generate a local policy, you can modify the SELinux port type of port 443 to something suitable using semanage(8).

semanage port -l | grep ssh
ssh_port_t                     tcp      22

So we need to change the port type to ssh_port_t

semanage port -m -t ssh_port_t -p tcp 443  

and to verify

semanage port -l | grep ssh
ssh_port_t                     tcp      443, 22
user9517

I'm a selinux newbie. But here goes. I've followed this guide SELinux - 5.6. Gathering Audit Logs In Permissive Mode

Switch to root, as you will need root rights for all the following commands

sudo su

First, you need to find which semodule blocks your port with:

ausearch -m avc

This will show you some recent errors. You need to look with which scontext the error happens. For me it was sshd_t

time-> <timestamp>
type=PROCTITLE msg=audit(1567419463.747:16052): proctitle=2F7573722F7362696E2F73736864002D44
type=SYSCALL msg=audit(1567419463.747:16052): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=55f0f8e1cce0 a2=10 a3=7ffee40f91a8 items=0 ppid=1 pid=1339 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1567419463.747:16052): avc:  denied  { name_bind } for  pid=1339 comm="sshd" src=443 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0

Set the module found in the scontext temporarily to permissive. Reload the sshd service and see if it works now.

semanage permissive -a sshd_t
systemctl reload sshd
journalctl -u sshd

If this works we can now create our own local semodule. In this example I call it sshdlocal.

The following command shows what the new rule will look like:

grep sshd_t /var/log/audit/audit.log | audit2allow -m sshdlocal

In my case:

module sshdlocal 1.0;

require {
        type http_port_t;
        type sshd_t;
        class tcp_socket name_bind;
}

#============= sshd_t ==============

#!!!! This avc is allowed in the current policy
allow sshd_t http_port_t:tcp_socket name_bind;

To actually generate and install the semodule, do this:

grep sshd_t /var/log/audit/audit.log | audit2allow -M sshdlocal
semodule -i sshdlocal.pp

You can list all semodules like this:

semodule -l

Now remove the permissive sshd_t, reload the sshd_config and check with journalctl to see if the setup is still working.

semanage permissive -d sshd_t
systemctl reload sshd
journalctl -u sshd
MadMike
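The two answers above take different routes from the same AVC denial: relabelling port 443 as ssh_port_t, or generating an allow rule with audit2allow. The script below is an added example (not code from either answer) that parses an AVC denial line and a `semanage port -l` listing so you can check the current label and produce the narrower relabel command rather than a blanket allow rule. The audit line and port listing are constructed samples modelled on the output shown above; the sshd_t to ssh_port_t mapping comes from the answers, and the fallback for any other domain is a labelled placeholder.

```shell
#!/bin/sh
# Added example: triage an SELinux name_bind denial offline.
# Parses a constructed AVC line, reports source domain / target port type /
# port / class / permission, checks a constructed `semanage port -l` listing,
# and prints the relabel command that fixes only the one port.

# Constructed sample, modelled on the denial quoted in the answer above.
SAMPLE_AVC='type=AVC msg=audit(1567419463.747:16052): avc:  denied  { name_bind } for  pid=1339 comm="sshd" src=443 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# Constructed sample of `semanage port -l` output (two lines only).
SAMPLE_PORTS='http_port_t                    tcp      80, 443
ssh_port_t                     tcp      22'

# avc_field LINE KEY -> value of the KEY=VALUE pair in LINE
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# context_type CONTEXT -> the type field (user:role:TYPE:level)
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "source_type target_type port tclass permission"
avc_summary() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | tr -d ' ')
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    port=$(avc_field "$line" src)
    cls=$(avc_field "$line" tclass)
    printf '%s %s %s %s %s\n' "$src" "$tgt" "$port" "$cls" "$perm"
}

# port_has_type LISTING TYPE PORT -> success if PORT appears under TYPE/tcp
port_has_type() {
    printf '%s\n' "$1" | awk -v t="$2" -v p="$3" '
        $1 == t && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# suggest_fix SRC_TYPE TGT_TYPE PORT -> semanage command relabelling just PORT.
# Relabelling is narrower than the audit2allow rule
# "allow sshd_t http_port_t:tcp_socket name_bind", which would let sshd bind
# every port carrying http_port_t, not only 443.
suggest_fix() {
    case "$1" in
        sshd_t) want=ssh_port_t ;;              # mapping used by the answers above
        *)      want="<port_type_for_$1>" ;;    # placeholder: look it up with semanage port -l
    esac
    # -m because the port already carries a label (here: http_port_t);
    # -a is for ports that have no entry yet.
    printf 'semanage port -m -t %s -p tcp %s\n' "$want" "$3"
}

# Stand-alone run: summarise the sample and print the suggested command.
summary=$(avc_summary "$SAMPLE_AVC")
echo "denial: $summary"
set -- $summary
if port_has_type "$SAMPLE_PORTS" "$1" "$3"; then
    echo "port $3 already carries a label usable by $1; nothing to relabel"
else
    echo "port $3 is labelled $2, suggested fix:"
    suggest_fix "$1" "$2" "$3"
fi
```

On a real host, replace the constructed samples with `grep 'avc:  denied' /var/log/audit/audit.log` and `semanage port -l`. After applying the relabel, re-run the port check to confirm 443 now appears under ssh_port_t before removing any permissive setting.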

Just run

semanage port -a -t ssh_port_t -p tcp 443