This tutorial shows why SELinux troubleshooting knowledge matters. As you know, in many real environments SELinux is disabled by default, but you might like to see where the SELinux port type context comes into play.

I have 2 servers:

Hostname         OS         IP               Default ssh port
autofs_client    CentOS 7   192.168.38.153   22
oldest           RHEL 5     192.168.38.155   22

For security reasons you might want to change the default ssh port, because everybody knows that ssh listens on port 22. Keep in mind that this only hides the service from casual scans; it does not replace key-based authentication and proper firewall rules.

On CentOS 7 (hostname: autofs_client) we will change it to 77.

To manage SELinux attributes we use the semanage command. The following command shows the port(s) currently labelled for the ssh service.

[root@autofs_client ~]# semanage port -l | grep ssh

ssh_port_t                     tcp      22

[root@autofs_client ~]#

As you see, the default port for the ssh service is set to 22, and sshd is currently listening on port 22.

Edit your ssh config file (vi /etc/ssh/sshd_config) and add a "Port 77" line under the commented "#Port 22" line, as follows.

Restart the ssh service.

No, you cannot do that! As written above, let's check the sshd service status and "journalctl -xe" for details.

Woooow! I understand nothing! Maybe we should check the SELinux alerts?

[root@autofs_client ~]# sealert -a /var/log/audit/audit.log | grep ssh

SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 77.

If you want to allow /usr/sbin/sshd to bind to network port 77

where PORT_TYPE is one of the following: ssh_port_t, vnc_port_t, xserver_port_t.

If you believe that sshd should be allowed name_bind access on the port 77 tcp_socket by default.

The error message is shown in the line which begins with

type=AVC msg=audit(1517666619.983:425): avc:  denied

There is some useful information here. Basically it tells you that SELinux is preventing sshd from starting on any port other than the default 22: sshd runs in the sshd_t domain, and that domain may only name_bind to ports labelled ssh_port_t. If you want ssh to use another port, you have to tell SELinux about it.

[root@autofs_client ~]# semanage port -l | grep -i ssh

ssh_port_t                     tcp      22

You see there is no port 77 under the ssh_port_t context type. To add it:

semanage port -a -t ssh_port_t -p tcp 77

Where -a means add, -t is the context type, -p is the protocol and 77 is our new port number. Running the listing again should now show 77 next to 22 under ssh_port_t.

Now you can restart the ssh service.

Check that you are listening on the new port, which is 77 in our case. I am checking the tcp listener, not udp; you can see it with the netstat -antp | grep -i ssh command.

From the "oldest" server (or any other one), trying to establish an ssh connection on port 22 gives a "Connection refused" message. That is normal, because we changed the port number. Port 77, however, shows "No route to host".

[root@oldest ~]# ssh 192.168.38.153

ssh: connect to host 192.168.38.153 port 22: Connection refused

[root@oldest ~]# ssh 192.168.38.153 -p 77

ssh: connect to host 192.168.38.153 port 77: No route to host

This is of course not related to your routing table; it is the firewall on the server you are connecting to (autofs_client) rejecting the packet, which the client reports as "No route to host".

We are using firewalld with the public zone. We need to add port 77/tcp to this zone.

Then restart the firewall service and check that port 77 is listed in the zone.

Everything seems to be okay so far. Let's try to connect to our server.

Yes it’s working!
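The whole procedure above, as an added shell example that is not from the original post: the port-label check parses semanage port -l output (including port lists and ranges, which goes beyond the single ssh_port_t line shown here), the audit helper pulls the denied port out of the AVC record, and the driver applies the change in the same order the post follows. The --apply flag, the function names and the CentOS 7 tool set are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the SELinux part of
# the procedure above, plus a driver that applies the whole change end to end.
# Assumptions: CentOS 7 with semanage (policycoreutils-python), firewalld using
# the public zone, sshd under systemd; run as root with --apply [port].

# port_labeled TYPE PORT: read `semanage port -l` output on stdin and succeed
# only if PORT is already covered by TYPE. Handles lists ("80, 81, 443") and
# ranges ("5900-5999"), so the same check works for any port type.
port_labeled() {
    awk -v type="$1" -v port="$2" '
        $1 == type {
            for (i = 3; i <= NF; i++) {
                f = $i; gsub(",", "", f); n = split(f, r, "-")
                lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# avc_bind_port: read audit.log on stdin and print the port ("src=" field) of
# every name_bind denial logged against sshd, i.e. the AVC shown by sealert.
avc_bind_port() {
    sed -n '/type=AVC.*denied *{ name_bind }.*comm="sshd"/s/.* src=\([0-9]*\).*/\1/p'
}

# move_ssh_port PORT: label the port, edit sshd_config, open the firewall,
# restart sshd and confirm it really listens before you drop your old session.
move_ssh_port() {
    port="$1"
    if ! semanage port -l | port_labeled ssh_port_t "$port"; then
        # If the port already belongs to another type, use -m (modify) instead.
        semanage port -a -t ssh_port_t -p tcp "$port" || return 1
    fi
    sed -i "s/^#*Port [0-9]*$/Port $port/" /etc/ssh/sshd_config
    sshd -t || return 1                 # config syntax check before restart
    firewall-cmd --permanent --zone=public --add-port="$port/tcp" || return 1
    firewall-cmd --reload || return 1
    systemctl restart sshd || return 1
    ss -ltn | grep -q ":$port "         # sshd is really bound to the new port
}

if [ "${1:-}" = "--apply" ]; then
    move_ssh_port "${2:-77}"
fi
```

Keep your existing ssh session open until the final listener check passes, otherwise a failed restart locks you out.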