[root@rhce-ryanrudolf]# rm -rf / 2> /dev/null

things I break/fix for fun and learning

Apr 10, 2018 - 3 minute read

Playing with SELinux - Ports

I recently changed my sshd config to listen on a port other than the default 22. Everything looked good, but when I restarted the sshd service it failed to start -

[root@node1 ~]# systemctl restart sshd

Job for sshd.service failed because the control process exited with error code. See “systemctl status sshd.service” and “journalctl -xe” for details.

Checking the sshd status gives the following -

[root@node1 ~]# systemctl status sshd

Apr 10 17:31:17 node1 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a

Apr 10 17:31:17 node1 systemd[1]: Failed to start OpenSSH server daemon.

Apr 10 17:31:17 node1 systemd[1]: Unit sshd.service entered failed state.

Apr 10 17:31:17 node1 systemd[1]: sshd.service failed.

If I temporarily set SELinux to permissive mode, it works though -

[root@node1 ~]# setenforce 0

[root@node1 ~]# getenforce

Permissive

[root@node1 ~]# systemctl restart sshd

[root@node1 ~]#

We don’t want to leave SELinux in permissive mode, since it only logs denials instead of enforcing them, so we set it back to enforcing with setenforce 1.

Now we know that SELinux is the reason why it does not work. We can confirm this by checking the logs -

[root@node1 ~]# journalctl -xe

Apr 10 17:37:10 node1 setroubleshoot[5782]: SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port

Apr 10 17:37:10 node1 python[5782]: SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 2222.

***** Plugin bind_ports (92.2 confidence) suggests ************************

If you want to allow /usr/sbin/sshd to bind to network port 2222

Then you need to modify the port type.

Do

semanage port -a -t PORT_TYPE -p tcp 2222

where PORT_TYPE is one of the following: ssh_port_t, vnc_port_t, xserver_port_t.

The log tells us exactly what to do: label port 2222 with the ssh_port_t type using semanage -

semanage port -a -t ssh_port_t -p tcp 2222

where -a adds a new port mapping, -t is the SELinux port type, -p is the protocol (tcp or udp), and the final argument is the port number (or a range such as 2200-2299). The mapping is stored in the SELinux policy store, so it survives a reboot and a policy reload. If semanage reports that the port is already defined, it is already labelled with another type (for example, 8443 belongs to http_port_t), and you need -m (modify) instead of -a.

If we now list the semanage ports and filter for ssh, it will now show the port 2222 we just added -

[root@node1 ~]# semanage port -l | grep ssh

ssh_port_t tcp 2222, 22

And now finally when we restart the sshd service, there is no error -

[root@node1 ~]# systemctl restart sshd

[root@node1 ~]#

sshd now runs on a port other than port 22!

To summarize -

  • temporarily set SELinux to permissive mode (setenforce 0)
  • restart the service; if it now works, SELinux is the culprit
  • set SELinux back to enforcing mode (setenforce 1)
  • restart the service and check the log files (journalctl -xe, or ausearch -m AVC -ts recent for the raw denials)
  • add the port to the right type with semanage port -a (or semanage port -m if the port is already defined for another type)
  • restart the service again and check that there are no errors

Two caveats. First, the permissive step is a convenience, not a requirement: the AVC denial is written to /var/log/audit/audit.log whether SELinux is enforcing or not, so ausearch or journalctl alone will point at SELinux without ever lowering enforcement on a live box. Second, SELinux is not the only thing that can block the new port; firewalld also needs it opened (firewall-cmd --permanent --add-port=2222/tcp, then firewall-cmd --reload).
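To make the "add or modify" decision mechanical, here is an added shell example (not code from the original post) that parses a constructed sample of semanage port -l output and prints whether a given port needs semanage port -a, semanage port -m, or nothing at all. The sample listing and the function names current_type, port_action and port_command are my own assumptions for illustration; real output has the same three columns but many more rows, and the example also handles port ranges such as 5900-5999.

```shell
#!/bin/sh
# Added example: decide whether a port needs `semanage port -a` (unlabelled),
# `semanage port -m` (already labelled with a different type) or nothing
# (already has the wanted type), from the output of `semanage port -l`.
# Not from the original post; the listing below is constructed sample output.

SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999
xserver_port_t                 tcp      6000-6020'

# current_type LISTING PROTO PORT -> prints the type that owns PORT/PROTO, if any.
# Single ports and dash ranges are both handled; the header row is skipped.
current_type() {
    listing=$1; proto=$2; port=$3
    printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
        NR == 1 { next }                       # skip the column header
        $2 != proto { next }                   # wrong protocol
        {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)       # strip the trailing comma
                if (f ~ /-/) {
                    split(f, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
                } else if (f + 0 == port + 0) { print $1; exit }
            }
        }'
}

# port_action LISTING TYPE PROTO PORT -> prints "add", "modify" or "ok".
port_action() {
    owner=$(current_type "$1" "$3" "$4")
    if [ -z "$owner" ]; then echo add          # no type owns it yet
    elif [ "$owner" = "$2" ]; then echo ok     # already the wanted type
    else echo modify                           # owned by a different type
    fi
}

# port_command LISTING TYPE PROTO PORT -> prints the semanage command to run
# (nothing when the port is already labelled correctly).
port_command() {
    case $(port_action "$1" "$2" "$3" "$4") in
        add)    echo "semanage port -a -t $2 -p $3 $4" ;;
        modify) echo "semanage port -m -t $2 -p $3 $4" ;;
        ok)     : ;;
    esac
}

# Usage: the post's port, the default port, and one that collides with http_port_t.
for p in 2222 22 8443; do
    printf '%s/tcp for ssh_port_t: %s\n' "$p" "$(port_action "$SAMPLE_PORTS" ssh_port_t tcp "$p")"
done
```

On a real host replace SAMPLE_PORTS with "$(semanage port -l)" and run the printed command as root; the awk parser only reads the listing, so it is safe to try on any system.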

It is mandatory to learn SELinux as it is part of the RHCSA / RHCE exams. It also adds an extra layer of security, so it is worth knowing by heart how to troubleshoot it: where to look for errors, which log files to check, and how to fix what they report.
