This tutorial shows why SELinux troubleshooting knowledge matters. In many real environments SELinux is simply disabled, but I thought you might like to see where the SELinux port type context comes into play.
I have 2 servers:

Hostname                  IP               Default ssh port
autofs_client (CentOS 7)  192.168.38.153   22
oldest (RHEL 5)           192.168.38.155   22
For security reasons you might want to change the default ssh port, because port 22 is known to everybody.
On CentOS 7 (hostname: autofs_client) we will change it to 77.
SELinux port labels are managed with the semanage command. The following command shows the default port for the ssh service.
[root@autofs_client ~]# semanage port -l | grep ssh
ssh_port_t tcp 22
[root@autofs_client ~]#
Of course we are running in enforcing mode and the firewall is enabled.

[root@autofs_client ~]# getenforce
Enforcing
[root@autofs_client ~]# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-02-03 12:44:59 CET; 2h 10min ago
     Docs: man:firewalld(1)
 Main PID: 786 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─786 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Feb 03 12:44:54 autofs_client systemd[1]: Starting firewalld - dynamic firew....
Feb 03 12:44:59 autofs_client systemd[1]: Started firewalld - dynamic firewa....
Hint: Some lines were ellipsized, use -l to show in full.
[root@autofs_client ~]#
As you can see, the default port for the ssh service is 22.

[root@autofs_client ~]# cat /etc/services | grep ssh
ssh             22/tcp                          # The Secure Shell (SSH) Protocol
ssh             22/udp                          # The Secure Shell (SSH) Protocol
And right now sshd is listening on port 22.

[root@autofs_client ~]# netstat -antp | grep ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5726/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      5726/sshd
Edit the ssh config file with vi /etc/ssh/sshd_config and add a "Port 77" line under the commented "#Port 22" line.
Then restart the ssh service.
[root@autofs_client ~]# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.

No, you cannot do that! As the message says, let's check the sshd service status and "journalctl -xe" for details.
[root@autofs_client ~]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Sat 2018-02-03 15:00:50 CET; 12s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 5869 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=255)
 Main PID: 5869 (code=exited, status=255)

Feb 03 15:00:50 autofs_client systemd[1]: Failed to start OpenSSH server daemon.
Feb 03 15:00:50 autofs_client systemd[1]: Unit sshd.service entered failed s....
Feb 03 15:00:50 autofs_client systemd[1]: sshd.service failed.

[root@autofs_client ~]# journalctl -xe
-- Unit session-10.scope has begun starting up.
Feb 03 15:01:01 autofs_client CROND[5897]: (root) CMD (run-parts /etc/cron.hourly)
Feb 03 15:01:01 autofs_client run-parts(/etc/cron.hourly)[5904]: starting 0anacron
Feb 03 15:01:01 autofs_client run-parts(/etc/cron.hourly)[5912]: finished 0anacron
Feb 03 15:01:01 autofs_client run-parts(/etc/cron.hourly)[5915]: starting linux-logrotate.cron
Feb 03 15:01:01 autofs_client run-parts(/etc/cron.hourly)[5927]: finished linux-logrotate.cron
Feb 03 15:01:01 autofs_client run-parts(/etc/cron.hourly)[5929]: starting mcelog.cron
Feb 03 15:01:01 autofs_client run-parts(/etc/cron.hourly)[5933]: finished mcelog.cron
Feb 03 15:01:02 autofs_client systemd[1]: Removed slice user-0.slice.
-- Subject: Unit user-0.slice has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit user-0.slice has finished shutting down.
Feb 03 15:01:02 autofs_client systemd[1]: Stopping user-0.slice.
-- Subject: Unit user-0.slice has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit user-0.slice has begun shutting down.
Feb 03 15:01:02 autofs_client postfix/pickup[4204]: 0F61911AF016: uid=0 from=<root>
Feb 03 15:01:02 autofs_client postfix/cleanup[5935]: 0F61911AF016: message-id=<20180203140102.0F61911AF016@autofs_client.locald
Feb 03 15:01:02 autofs_client postfix/qmgr[2321]: 0F61911AF016: from=<root@autofs_client.localdomain>, size=1378, nrcpt=1 (queu
Feb 03 15:01:02 autofs_client postfix/local[5947]: 0F61911AF016: to=<root@autofs_client.localdomain>, orig_to=<root>, relay=loc
Feb 03 15:01:02 autofs_client postfix/qmgr[2321]: 0F61911AF016: removed
lines 2351-2375/2375 (END)
Woooow! I understand nothing from that! Maybe we should check the SELinux alerts?
[root@autofs_client ~]# sealert -a /var/log/audit/audit.log | grep ssh
SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 77.
If you want to allow /usr/sbin/sshd to bind to network port 77
where PORT_TYPE is one of the following: ssh_port_t, vnc_port_t, xserver_port_t.
If you believe that sshd should be allowed name_bind access on the port 77 tcp_socket by default.
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -i my-sshd.pp

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Source                        sshd
Source Path                   /usr/sbin/sshd
Source RPM Packages           openssh-server-7.4p1-13.el7_4.x86_64

type=AVC msg=audit(1517666619.983:425): avc:  denied  { name_bind } for  pid=6079 comm="sshd" src=77 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1517666619.983:425): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7f1eac703b30 a2=1c a3=7ffe275984a4 items=0 ppid=1 pid=6079 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,reserved_port_t,tcp_socket,name_bind
The error is on the line that begins with
type=AVC msg=audit(1517666619.983:425): avc: denied
It carries the useful information: the source context is sshd_t, the target context of port 77 is reserved_port_t (not ssh_port_t), and the denied permission is name_bind on a tcp_socket. In other words, SELinux is preventing sshd from binding to any port other than the default 22. If you want sshd to use another port, you have to tell SELinux about it.
[root@autofs_client ~]# semanage port -l | grep -i ssh
ssh_port_t tcp 22
You can see there is no port 77 under the ssh_port_t type. Labelling the port is the right fix here, rather than the audit2allow module sealert also offers: that module would allow sshd to bind to every port labelled reserved_port_t, not just 77. To add it:

[root@autofs_client ~]# semanage port -a -t ssh_port_t -p tcp 77
[root@autofs_client ~]# semanage port -l | grep -i ssh
ssh_port_t                     tcp      77, 22
Here -a means add, -t is the context type, -p is the protocol and 77 is our new port number.
Now you can restart the ssh service.
[root@autofs_client ~]# systemctl restart sshd
[root@autofs_client ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-02-03 15:14:29 CET; 6s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 6826 (sshd)
   CGroup: /system.slice/sshd.service
           └─6826 /usr/sbin/sshd -D

Feb 03 15:14:29 autofs_client systemd[1]: Starting OpenSSH server daemon...
Feb 03 15:14:29 autofs_client sshd[6826]: Server listening on 0.0.0.0 port 77.
Feb 03 15:14:29 autofs_client sshd[6826]: Server listening on :: port 77.
Check that sshd is listening on the new port, which is 77 in our case. SSH uses a TCP connection, not UDP; you can check the UDP side with the command netstat -anup | grep -i ssh.

[root@autofs_client ~]# netstat -antp | grep -i ssh
tcp        0      0 0.0.0.0:77              0.0.0.0:*               LISTEN      6826/sshd
tcp6       0      0 :::77                   :::*                    LISTEN      6826/sshd
From the "oldest" server (or any other host), trying to open an ssh connection on port 22 gives a "Connection refused" message. That is expected, because we changed the port number. Port 77, however, gives "No route to host".
[root@oldest ~]# ssh 192.168.38.153
ssh: connect to host 192.168.38.153 port 22: Connection refused
[root@oldest ~]# ssh 192.168.38.153 -p 77
ssh: connect to host 192.168.38.153 port 77: No route to host
This of course has nothing to do with your routing table; it comes from the firewall settings on the server you are connecting to.
Our firewall is using the public zone, so we need to add port 77 to this zone.
[root@autofs_client ~]# firewall-cmd --get-active-zones
public
  interfaces: ens33
[root@autofs_client ~]# firewall-cmd --add-port=77/tcp --zone=public --permanent
Success
Then restart the firewall service and check that port 77 is there.

[root@autofs_client ~]# systemctl restart firewalld.service
[root@autofs_client ~]# firewall-cmd --list-ports
77/tcp

Everything looks fine so far. Let's try connecting to the server.
Yes it’s working!
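To make the diagnosis above repeatable, here is an added example (my own script, not part of the original tutorial): it parses a name_bind AVC record and a semanage port -l listing, both embedded as constructed samples shaped like the output shown above, and prints the semanage and firewall-cmd commands that are still missing. The function names are mine, and the public zone is taken from the tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: parse the two outputs the
# troubleshooting above relies on (an AVC name_bind denial and the
# "semanage port -l" listing) and print the commands still needed.
# Both inputs are constructed samples shaped like the tutorial's output.

AVC_LINE='type=AVC msg=audit(1517666619.983:425): avc: denied { name_bind } for pid=6079 comm="sshd" src=77 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket'

SEMANAGE_OUT='ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999
xserver_port_t                 tcp      6000-6020'

# avc_field LINE KEY: value of KEY=... in an audit record, quotes removed.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= -v k="$2" '$1 == k { gsub(/"/, "", $2); print $2; exit }'
}

# port_labelled LISTING TYPE PROTO PORT: succeeds if PORT, or a range
# containing it, is listed under TYPE for PROTO.
port_labelled() {
    ports=$(printf '%s\n' "$1" |
        awk -v t="$2" -v p="$3" '$1 == t && $2 == p { for (i = 3; i <= NF; i++) printf "%s ", $i }' |
        tr -d ',')
    for entry in $ports; do
        case "$entry" in
            *-*) [ "$4" -ge "${entry%-*}" ] && [ "$4" -le "${entry#*-}" ] && return 0 ;;
            *)   [ "$entry" -eq "$4" ] && return 0 ;;
        esac
    done
    return 1
}

# fix_for_denial LINE LISTING TYPE: prints the semanage and firewalld commands
# when the denied port is not yet labelled TYPE. (If the port were already
# defined under another specific type, semanage would need -m instead of -a.)
fix_for_denial() {
    port=$(avc_field "$1" src)
    proto=$(avc_field "$1" tclass); proto=${proto%_socket}   # tcp_socket -> tcp
    [ -n "$port" ] && [ -n "$proto" ] || { echo "not a name_bind denial" >&2; return 2; }
    if port_labelled "$2" "$3" "$proto" "$port"; then
        echo "port $proto/$port is already labelled $3"; return 1
    fi
    echo "semanage port -a -t $3 -p $proto $port"
    echo "firewall-cmd --add-port=$port/$proto --zone=public --permanent"
}

fix_for_denial "$AVC_LINE" "$SEMANAGE_OUT" ssh_port_t
```

Run against the real system with AVC_LINE=$(ausearch -m avc -c sshd --raw | grep name_bind | tail -n 1) and SEMANAGE_OUT=$(semanage port -l) to get the same decision for a live denial.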