On 01/20/2010 11:35 PM, John Poelstra wrote: > Daniel J Walsh said the following on 01/20/2010 11:26 AM Pacific Time: >> On 01/19/2010 05:28 PM, John Poelstra wrote: >>> Daniel J Walsh said the following on 01/07/2010 05:23 AM Pacific Time: >>>> On 01/06/2010 09:29 PM, John Poelstra wrote: >>>>> I'm running sshd on a high (>1024) port number and cannot find a clear >>>>> step by step guide for configuring this correctly on Fedora 12 on >>>>> google.... I've come across lots of random bugs and forum questions, but >>>>> nothing that starts at the beginning of the process through the end. >>>>> >>>>> I'm a total SELinux newbie and usually just disable itall together when >>>>> things like this happen. I'm trying to change my ways :) Can anyone >>>>> provide any URLs or the steps? >>>>> >>>>> If someone can provide the steps here I'll blog about it to get it >>>>> documented so others do not have to suffer the same fate. >>>>> >>>>> Thanks, >>>>> John >>>>> >>>> >>>> http://docs.fedoraproject.org/selinux-managing-confined-services-guide/en-US/F11/html/sect-Managing_Confined_Services-Configuration_examples-Changing_port_numbers.html >>>> >>>> If the avc is for an undefined port "port_t" then you can do the command >>>> >>>> # semanage port -a -t ssh_port_t PORTNUM >>>> >>>> If you are listing to a defined port NAME_port_t, then you need to load a custom policy module >>>> >>>> # grep ssh /var/log/audit/audit.log | audit2allow -m myssh >>>> # semodule -i myssh.pp >>> >>> Still having problems >>> >>> # grep ssh /var/log/audit/audit.log | audit2allow -m myssh >>> >>> module myssh 1.0; >>> >>> # cat mySshdPort.te >>> >>> module mySshdPort 1.0; >>> >>> # semodule -i myssh.pp >>> semodule: Failed on myssh.pp! >>> >>> -------------------------------- >>> >>> Considering all the data /var/log/audit/audit.log, how does >>> 'audit2allow' know to select the right data from the mass being piped to to? >>> >>> Thanks, >>> John >>> >>> >>> >>> >>> >>> >> That is because it is not finding any AVC messages? > > Where else should I be looking? > > It is very clear that I can log in remotely on the non-standard port w/ > selinux disabled and that it will not work when selinux is enabled. > > John ausearch -m avc -ts today Should show you all of the AVC messages that you received today. If you are using auditing. ausearch -m avc Will show you all avc's that your system has logged ausearch -m avc | audit2allow Will give you the audit rules. If you have been in permissive mode for a while, the log messages might have disappeared. setenforce 1 setenforce 0 Will cause avc messages to show up again. -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
