Hello,
I'm having an interesting SELinux problem that I can't figure out how to solve.
The context:
This is on a server running in our DMZ and it is providing file transfer services to our clients using different protocols. The machine has a system IP and a service IP. The service IP is used to receive all customer traffic (an external IP is NAT'ed to the service IP by the firewall). The system IP is used by us to do all management.
We first set up FTPS access over the regular FTP ports, but as most of you know FTP is not the most firewall-friendly protocol because of the need for a separate data channel, and using encryption prevents firewalls from opening up the needed port automatically.
So we also started to set up SFTP access to the same repository. We initially tried to do this using the regular OpenSSH setup, but the way OpenSSH does chroot'ing (we enable chroot in all setups) is not compatible with the way we have set up our data repository. So we switched to using ProFTPD for the SFTP service.
This of course means that we have bound OpenSSH to the internal system IP on port 22 and ProFTPD to the service IP, also on port 22.
The problem:
The problem is that I cannot get SELinux to allow the use of port 22 by these 2 daemons which run under different types (sshd_t & ftpd_t).
I can use the semanage command to allow one type to use port 22, but not both at the same time. I use this command: semanage port -m -t ssh_port_t -p tcp 22
Since this is a system accessible on the internet and because of the protocols used, I of course do not want to disable SELinux here.
So how can I allow SELinux to let both openssh and proftpd use port 22 at the same time?
Thank you, Tim
-- Tim Verhoeven - tim.verhoeven.be@gmail.com - 0479 / 88 11 83
Hoping the problem magically goes away by ignoring it is the "microsoft approach to programming" and should never be allowed. (Linus Torvalds)
Hi,
On Jun 27, 2013, at 7:06 AM, Tim Verhoeven tim.verhoeven.be@gmail.com wrote:
So how can I allow SELinux to let both openssh and proftpd use port 22 at the same time?
Why not use different ports?
Bryan
On Thu, Jun 27, 2013 at 1:28 PM, Bryan Harris bryanlharris@me.com wrote:
On Jun 27, 2013, at 7:06 AM, Tim Verhoeven tim.verhoeven.be@gmail.com wrote:
So how can I allow SELinux to let both openssh and proftpd use port 22 at the same time?
Why not use different ports?
That is of course an easy workaround. But changing the port on the service IP would mean that all customers would need to access SFTP over a non-standard port, and the purpose of the whole exercise was to provide a file transfer service over a simple standard port. Port 22 ticks all the boxes ;)
And changing the port for the internal IP would mean that that server would be the only one running SSH over a different port, making it non-standard and requiring a lot of custom work for all our management scripts.
Regards, Tim
P.S.: Oh, forgot to mention, this is on CentOS 6.4
On 2013-06-27 7:37 AM, Tim Verhoeven wrote:
That is of course an easy workaround. But changing the port on the service IP would mean that all customers would need to access SFTP over a non-standard port, and the purpose of the whole exercise was to provide a file transfer service over a simple standard port. Port 22 ticks all the boxes ;) And changing the port for the internal IP would mean that that server would be the only one running SSH over a different port, making it non-standard and requiring a lot of custom work for all our management scripts.
I thought the "standard port" for FTP over SSL (ftps) was 989?
http://www.iana.org/assignments/service-names-port-numbers/service-names-por...
On 06/27/2013 10:44 AM, Darr247 wrote:
On 2013-06-27 7:37 AM, Tim Verhoeven wrote:
That is of course an easy workaround. But changing the port on the service IP would mean that all customers would need to access SFTP over a non-standard port, and the purpose of the whole exercise was to provide a file transfer service over a simple standard port. Port 22 ticks all the boxes ;) And changing the port for the internal IP would mean that that server would be the only one running SSH over a different port, making it non-standard and requiring a lot of custom work for all our management scripts.
I thought the "standard port" for FTP over SSL (ftps) was 989?
http://www.iana.org/assignments/service-names-port-numbers/service-names-por...
Looks like you are right. Not sure why no one ever hit this before.
3e203bce34765e020591aca9a1c0b883c42d6122 fixes this in git.
Miroslav can you back port this to F18, F19, RHEL*.
Oops... I guess that should be port 990 (989 appears to be for the ftps data socket[s]).
On Thu, Jun 27, 2013 at 1:35 PM, Dominick Grift dominick.grift@gmail.com wrote:
On Thu, 2013-06-27 at 13:06 +0200, Tim Verhoeven wrote:
So how can I allow SELinux to let both openssh and proftpd use port 22 at the same time?
Use audit2allow to allow the service(s) to operate on the port
I could do that if there would be any AVC denies in the audit log about this, but there aren't any. So audit2allow does not help me much.
Regards, Tim
On Thu, 2013-06-27 at 13:40 +0200, Tim Verhoeven wrote:
On Thu, Jun 27, 2013 at 1:35 PM, Dominick Grift dominick.grift@gmail.com wrote:
On Thu, 2013-06-27 at 13:06 +0200, Tim Verhoeven wrote:
So how can I allow SELinux to let both openssh and proftpd use port 22 at the same time?
Use audit2allow to allow the service(s) to operate on the port
I could do that if there would be any AVC denies in the audit log about this, but there aren't any. So audit2allow does not help me much.
Then use semodule -DB to build/install the policy without "dontaudit" rules, and then reproduce the issue. Then look for related avc denials again. After testing run semodule -B to build/install the policy with "dontaudit" rules reinserted.
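An added illustration, not part of the thread, of what Dominick's semodule -DB procedure surfaces and why Tim's semanage command cannot satisfy both daemons: a port/protocol pair carries exactly one SELinux type, so a bind denial for the second domain points at the label the first one owns. The semanage port -l excerpt and the AVC record are constructed samples in those tools' formats, not output from Tim's server.

```python
import re

# Constructed excerpt in the format of `semanage port -l` (not real output).
SEMANAGE_PORT_L = """\
ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21, 989, 990
ssh_port_t                     tcp      22
"""

# Constructed AVC record in the format auditd writes for a bind denial.
AVC_LINE = ('type=AVC msg=audit(1372332000.123:456): avc:  denied  { name_bind } '
            'for  pid=1234 comm="proftpd" src=22 '
            'scontext=system_u:system_r:ftpd_t:s0 '
            'tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket')

def parse_port_labels(text):
    """Return {(proto, port): port_type} from `semanage port -l` output."""
    labels = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ptype, proto = parts[0], parts[1]
        for spec in " ".join(parts[2:]).split(","):
            spec = spec.strip()
            if "-" in spec:                      # a range such as 1024-65535
                lo, hi = (int(x) for x in spec.split("-"))
                for p in range(lo, hi + 1):
                    labels[(proto, p)] = ptype
            elif spec:
                labels[(proto, int(spec))] = ptype
    return labels

AVC_RE = re.compile(r'denied\s+\{ (?P<perm>[^}]+?) \}.*?comm="(?P<comm>[^"]+)"'
                    r'.*?src=(?P<port>\d+).*?scontext=\w+:\w+:(?P<sdom>\w+):'
                    r'.*?tcontext=\w+:\w+:(?P<ttype>\w+):.*?tclass=(?P<cls>\w+)')

def explain_denial(avc_line, labels):
    """Describe a name_bind AVC in terms of the port's current single label."""
    m = AVC_RE.search(avc_line)
    if not m or m["perm"].strip() != "name_bind":
        return None
    proto = "tcp" if m["cls"] == "tcp_socket" else "udp"
    port = int(m["port"])
    owner = labels.get((proto, port), "unreserved")
    # Relabelling tcp/22 for ftpd_t would take it away from sshd_t: the conflict.
    return {"domain": m["sdom"], "comm": m["comm"], "port": port, "proto": proto,
            "port_type": owner,
            "note": f"{m['sdom']} lacks name_bind on {m['ttype']}; "
                    f"{proto}/{port} is currently labelled {owner}"}
```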
On Thu, Jun 27, 2013 at 01:06:37PM +0200, Tim Verhoeven wrote:
So how can I allow SELinux to let both openssh and proftpd use port 22 at the same time?
What about using a pre-routing iptables rule to change the port number before it hits the daemon so you can have the two daemons listening on different ports, but the world sees them on the same ports?