SElinux won't block SSHD from binding to not allowed ports

[pat87]

Hello,

This is my first post on that forum, so hi everyone.

The problem I encounter is that I want SElinux to be enabled and enforcing policies. When I experimented with that on RHEL all worked fine, but it seems not to be on CentOS. Maybe there is something I completely forgot about? What I want to achieve is that SSHD won't be able to bind to ports other than specified in SElinux policy.

Some data:

Code: Select all

Centos 6.6(Final)

sestatus:

Code: Select all

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

semanage port:

Code: Select all

ssh_port_t                     tcp      22

SSHD relevant config excerpt:

Code: Select all

Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 10.10.10.10
ListenAddress 192.168.11.48:22

SS output:

Code: Select all

State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port
LISTEN     0      128             10.10.10.10:2222                     *:*      users:(("sshd",1209,4))
LISTEN     0      128           192.168.11.48:22                       *:*      users:(("sshd",1209,3))

I would really appreciate for any clues
Thanks,

[lightman47]

Don't you want to rather be working with firewall or iptables? My understanding is that SElinux is about FILE accesses by programs that are running.

[drk]

It used to work on CentOS but I just tried on a fairly fresh 6.6 install and sshd happily listened on port 2222 without telling selinux to allow that . Seems broken.

[lightman47]

Reword: SElinux doesn't "listen"; it prevents a running program from accessing files on the system that the program has no business accessing. To have ssh listen on another port, you'll want to edit the ssh settings file to change the port, then allow (inside firewall) the port to 'get in'. And, to respond to your original subject - you'd then block (disallow) port 22 in firewall.

Firewall is the guard at the gate who decides who gets in. Selinux is the internal security to make sure those inside behave and don't get into things they shouldn't.

[drk]

Reword: SElinux doesn't "listen"; it prevents a running program from accessing files on the system that the program has no business accessing.

Files and ports. SElinux doesn't listen, no, but it will prevent a program such as sshd from binding to a port if it doesn't have permission.

Code: Select all

# semanage port -l | grep ssh
ssh_port_t                     tcp      22

The only port on the above system that sshd should be able to listen on is 22.

[lightman47]

Now I am confused (which is incredibly easy to do). Sorry.

You're changing the file context permissions to which SSH has access from a given port, it appears to me, but I could be mistaken.

[pat87]

Hi,

What I want to achieve is practical recruitment test:

I will ask someone to fix ssh and make it listen on not default port. What I've learnt from RHCSA/RHCE is that processes to be allowed to listen/bind on non standard ports, not defined by selinux policy, has to be allowed explicitly. And that test will show me if person can look for answers and realizes that there is also SElinux. But all in all, it seems that SElinux in Centos is not working at all, at least on my installation...

[anko]

Hello pat87,

Maybe the targeted policy blocks only ports lower then 1024. what hapens if you try to start sshd with disallowed 222?
Check first # netstat -anp | grep :222 and semanage port -l | grep 222
Regards.