Fedora Security :: Selinux Policy Blocking Outbound Ports For Sshd
May 25, 2011
Tried google and searching this forum to no avail. Under Fedora 14, there is an selinux policy which blocks sshd from making outbound connections on port 80 or 443. This can occur when a client box tries to tunnel through the ssh connection for encrypted access to the web.
While I did manage to allow this to happen by creating a permissive domain for sshd with this command:
Code:
The preferred way would be to allow sshd to make connection on other ports with a similar command that does not seem to work:
Code:
Is this the correct way of allowing an outbound port connection for the sshd daemon?
View 2 Replies
Mar 6, 2010
I'm trying to setup ssh access on my Fedora 12 laptop. I get the following error message in /var/log/secure when I try to login from another machine using ssh and the login is denied:
Code:
sshd[3025]: error: Could not get shadow information for <user>
sshd[3025]: Failed password for <user> from <ip> port <port> ssh2
If I do a 'setenforce 0' I can login and no error is logged.
View 10 Replies
Jul 24, 2011
I need to change SELinux policy to permissive and then back to enforcing for an installation. I understand that I should be able to do that through the SELinux Administration window accessed through System -> Administration -> SELinux Management. But I do not have any real sysadmin tools available in my Fedora 15 Gnome GUI interface. Am I missing something, or should I use some sort of similar command line tool to do this?
View 2 Replies
Jul 8, 2009
I am running Fedora 11 and every time I plug in my iPod it tells me... SELinux is preventing mkdir (podsleuth_t) "read" security_t ... I have no idea how to create a policy module to allow access.
View 2 Replies
Nov 20, 2009
I just upgraded from 11 to 12 and then installed the Nvidia proprietary drivers from RPMFusion. Initially glxinfo wouldn't work because SELinux was stopping it from using an executable stack. Since the Nvidia drivers are proprietary and a fix may not be provided, I allowed this access to glxinfo with chcon -t execmem_exec_t '/usr/bin/glxinfo'
However it looks like every program using glx-utils also needs these permissions - so far I allowed Xorg, compiz and the Firefox video plugin to execstack. Can anyone suggest a fix for this - preferably one that avoids execstack for all those apps, since it's a security risk. If not, how do I create an SELinux policy to automatically grant apps execstack while they use glxinfo or other nVidia libraries but not at other times?
View 2 Replies
Mar 15, 2009
SELinux is blocking my internet connection and every time I connect to the internet (pppoe connection) I get a message.
View 2 Replies
Feb 3, 2011
When I turn on SELinux to enforcing mode on my Red Hat system ssh stops working and my http server stops responding.
I went into the SELinux GUI and enabled things in there but still it won't work.
Any thoughts on what to check?
In permissive mode and disabled they work.
I read several articles that say it should not be affected by SELinux and the settings look correct, but the only thing I do is turn on SELinux and ssh/httpd stop working.
ps -eZ | grep sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 432 ? 00:00:00 sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 2426 ? 00:00:00 sshd
[root@goxsa1340 ~]# ps -eZ | grep httpd
user_u:system_r:httpd_t 3044 ? 00:00:00 httpd
[Code].....
View 11 Replies
Feb 9, 2011
What is happening when I log in to my Ubuntu server machine via ssh and putty? I'm trying to understand everything, primarily securing my server.
I have specified the ssh server to listen on port 5525, and can login without a problem.
When I look at the logs though it says I connected from xxx.xx.xx.xx on port 53602.
What is happening here and why is the logged connection a different port to the one specified in the config file?
View 1 Replies
Apr 1, 2010
After reading a lot about networking and security I decided to check the security of my own Ubuntu box. So I went installing Nmap and discovered that port 139 was "open". Since I'd read how to use ufw I created a deny rule for port 139. After a second scan with Nmap it still said that port 139 was open as shown below.
[Code]...
View 9 Replies
Feb 20, 2010
I just updated my system via yum and got an odd output after selinux-policy-targeted package finished updating.
Code:
Updating : selinux-policy-3.6.32-89.fc12.noarch 14/80
Updating : selinux-policy-targeted-3.6.32-89.fc12.noarch 15/80
/etc/mock/koji* /etc/rc.d/init.d/dirsrv* /srv/git* /usr/autodesk/maya2010-x64/lib /usr/lib{64,}/nagios/plugins/check_mailq /usr/sbin/ns-slapd /usr/share/e16/misc* /usr/share/shorewall/compiler.pl /var/cache/cgit* /var/lib/git* /var/lib/koji* /var/www/git/gitweb.cgi /var/www/git/gitweb.cgi
Does anyone know what that means?
View 2 Replies
Mar 12, 2009
When I try to connect to the internet SELinux gives me a "preventing NetworkManager" alert. Here is what it says:
Code:
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "getattr" to /dev/ppp
(ppp_device_t).
[Code]....
View 2 Replies
Aug 17, 2010
Is there a way to configure my interface to promisc mode and also make it not capture the "transmitted" packets? I mean, I want the interface in promisc mode but only for inbound traffic. If there isn't any way using ifconfig, can it be done by configuring eth0 to promisc using ifconfig, and filtering outbound traffic from being captured using sockets or something?
View 4 Replies
Dec 1, 2009
I cannot establish a PPTP VPN because SELinux is blocking NetworkManager.
I get the following:
Summary: SELinux is preventing NetworkManager (NetworkManager_t) "unlink" to ./reso
Code:
I'm attaching complete alert.
View 1 Replies
Jun 17, 2010
I am trying to configure my live install of Fedora so a PC on the same intranet can access it by hostname instead of by IP address. After I installed bind, I realized the man pages recommended against bind and said instead to enable SELinux named. I tried to guess what variables to set after googling and studying the documentation and coming up empty. I used getsebool -a, and tried turning one and all on. I test using: nslookup myhostname on the linux box, since if that is working it isn't surprising that the windows box can't see it. What buttons to push to enable SELinux named, as described in the Fedora 13 man page for bind? Slight correction, the man page is for named. It says to remove the bind-chroot and use SELinux to enable named. I think I also have to create a new zone. This seems akin to proving Fermat's last theorem but less rewarding. Anyone know what keys to push for either? I did get system-config-selinux running. I thought it was in an infinite loop but it does *eventually* load a GUI. Also if you set a boolean it will grab all CPU for a couple of minutes (used top in another terminal).
View 5 Replies
Feb 14, 2011
I'm trying to ssh into my Ubuntu box, but the connection is getting denied.
When I look at /var/log/auth.log, I see the following:
Code:
I googled for this, and ran across the following: [url]
Here's the part that I think relates to the problem that I'm having:
Quote:
It's not clear from context which configuration file needs to be edited, and I'm not at all familiar with SELinux configuration.
View 3 Replies
Feb 1, 2010
I have in /etc/selinux/config:
Code:
SELINUX=enforcing
SELINUXTYPE=mls
Do I have MLS enabled? I can't use SELinux commands. I thought MLS was a sort of package for SELinux. I followed this:
Code:
[code].....
View 3 Replies
Dec 17, 2010
I've just installed wicd. I can't get it to start; I get errors saying that wicd couldn't connect to its dbus interface and the wicd daemon has shut down. Then there's a report from SELinux saying that it's preventing /usr/bin/python "write" access on /etc/dhcp/manager-settings.conf and that access is denied to wicd. I can get wicd to start if I su to root, but I'd like to not have to do that every time I boot. Is there a fix?
View 1 Replies
May 17, 2011
How to separate sftp and ssh and run on different ports.
i.e.
a) sftp on port x
b) ssh on port 22
I searched from the web and there are no detailed instructions. They suggested something like separating sshd_config into two files (file A and file B) and run two instances. Each instance points to its configuration file.
However, they didn't write down the detailed procedure of:
a) how to modify file A and file B (i.e. which line should insert specific commands)?
b) how to run two instances?
c) how to point each instance to its config file.
I am using Linux CentOS and the latest open-ssh.
View 4 Replies
Jan 5, 2010
FC12 with recent updates. The bugzilla I reported is fixed in selinux 3.6.32-66 and I have 3.6.32-56. I refreshed the repositories and looked for 66 and it is not listed. Question - how often do the policy changes get posted to the repositories? And are the repositories the normal place to get the latest and greatest?
View 2 Replies
Apr 13, 2011
This is the alert I got:
Code:
Summary:
Your system may be seriously compromised! /usr/sbin/NetworkManager tried to load a kernel module.
Detailed Description:
SELinux has prevented NetworkManager from loading a kernel module. All confined programs that need to load kernel modules should have already had policy written for them. If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised.
Allowing Access:
Contact your security administrator and report this issue.
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]
[code]....
View 5 Replies
Mar 9, 2011
I want to enable sshd from the Internet, but I want to secure it as much as possible. Therefore, despite the fact that the service will run on a tcp port above 2000 to prevent most scans, I would like to:
- First, force the use of a client certificate, to avoid brute force attacks on my users/passwords
- Second, force the use of a username/password to avoid someone having access to my system just by stealing my key.
When I look at the configuration, it's possible to enable both, but one of them is sufficient to login, and I can't find how to make them both mandatory...
View 2 Replies
Feb 18, 2011
I have an sshd server up and running (F13 64bit) I'd like to connect to a pc that's behind a firewall using ssh tunnelling, so I have something like
ssh -R 1234:127.0.0.1:22 myuser@mypc
then from mypc I can successfully login to the remote pc. I have just one question. How can I list the ssh active connections and the forwarded ports?
I've only got to
netstat -tunva
but this returns only (filtered)
tcp 0 0 127.0.0.1:1234 0.0.0.0:* LISTEN
tcp 0 0 ::ffff:172.16.0.XXX:22 ::ffff:172.16.1.XXX:60744 ESTABLISHED
Now I know that the first is the tunnel end, but how can I connect the two lines if I don't know the port number (i.e. someone else establishes another tunnel)?
View 4 Replies
Jun 14, 2010
I am trying to install CentOS 5.5 x86_64 as a guest OS in VMware Server 2.0.2 using the netinstall ISO. Installation runs fine until the point when it tries to install selinux-policy-targeted-2.4.6-279.el5.noarch; the whole virtual PC hangs at this. Any ideas? I tried to google a few things about this, but I have found nothing. This has happened 3 times in a row; the whole virtual PC always hangs at the same package. I don't have any other problems with VMware, Gentoo runs and installs fine in it. I would prefer to do the installation using netinstall.iso; it would take a lot of time to download all CDs or the whole DVD and all I require is a very basic set of packages.
View 7 Replies
Jun 2, 2011
I'm having an issue where a server in CA (1000/full) and in VA (100/full) have very lopsided data transfer.
CA -> VA with iperf shows ~20Mbps
VA -> CA with iperf shows ~93Mbps
If we change the CA server to 100/FULL, transfer speed is 93Mbps both ways.
Some tuning was done to TCP window scaling parameters, but it won't correct the issue, just improve the CA -> VA numbers to what is listed above. I will say, turning TCP window scaling OFF will lower the transfer speed both ways to < 20Mbps.
The only clue I have when looking at wireshark dumps is that the window scale going OUT would never go past 10240 (scale is 8, so 2^8 x 40bytes). In the opposite direction, the window size will go above 3MB (scaled).
It is not a bandwidth problem as iperf with UDP shows 93Mbps both ways. Local transfers (CA 1000/full to CA 100/full) show full speed both ways, so I feel it is strictly related to TCP window scaling.
RedHat 5 64-bit on both sides. Any ideas why it won't scale above 10240?
View 7 Replies
Oct 20, 2010
I'm attempting to get MapServer running on my Fedora 13 computer. I was able to install with the package manager, and the executable (mapserv) was originally placed in /usr/sbin. But I need it in /var/www/cgi-bin to work on the webserver. So I copied the file to the right location. Unfortunately, it doesn't have the correct SELinux context. Here's the message from the troubleshooter:
SELinux denied access requested by /var/www/cgi-bin/mapserv. /var/www/cgi-bin/mapserv is mislabeled. /var/www/cgi-bin/mapserv default type is httpd_sys_script_exec_t, but its current type is httpd_sys_script_exec_t. Changing this file back to the default type, may fix your problem.
How's that for circular logic? Does anyone have an idea what the correct SELinux context for a cgi-bin executable might be?
View 3 Replies
Nov 10, 2010
Trying to keep SELinux enabled. When I start SELinux Troubleshooter from the menu, which is in autostart as well, it tells me "SELinux not enabled, sealert will not run on non-SELinux systems". How do I get SELinux permanently started then?
View 10 Replies
Jan 17, 2011
My newly installed Fedora-14 (64-bit) has SELinux disabled. I can't find any way to enable it. I tried to set it manually in /etc/selinux/config to enforcing or permissive but nothing happens after reboot. In GUI configuration tool it is set to disabled and grayed out so that there is no way to enable it there. Is there another way to enable SELinux?
View 11 Replies
Apr 30, 2011
I tried to log in to my xguest account and it asked for a password, which it shouldn't, so there's a problem with SELinux. When I type getenforce it says it is disabled, yet when I go to /etc/selinux and look at the config, it is in enforcing mode and not commented out, type is strict. When I go to the SELinux management GUI I can't change the current enforcing mode and it's set to disabled and default to enforcing.
View 2 Replies
Apr 14, 2010
In Fedora 12, how can I configure the system such that a particular user can browse only selected web sites?
View 9 Replies
Jul 15, 2010
I want to ask about securing the FTP connection... I have one server that is installed with Red Hat Linux Fedora 6.
And now, I want to secure the FTP access, so only the selected IPs will be allowed to connect. Does anyone know how to do this?
Another thing is, my server uses Webmin 1.3 to manage the server and it is not installed / not configured yet with Frox FTP, ProFTPD Server, WU-FTP Server... even though there is such a thing in my Webmin...
Can I make use of one of the three FTP servers I mentioned above, and if yes, will it affect the current FTP access?
View 1 Replies