selinux: provisioning policy customizations #396
Comments
CoreOS Container Linux used systemd socket activation for sshd, so the listening port was configured via systemd. Fedora CoreOS runs sshd in the traditional way, as a service that's started automatically, so you'd configure the port in
This FCC will do half of the work:
But in addition,
And we don't ship
I had already tried this, but it gave the same type of error. I think that I have to configure SELinux to give sshd access to this port.
I think today this requires modifying the binary policy, which is going to be an issue. I'm not sure if there's a way to only change the runtime value so we can play the same "modify on boot" trick. We can look into that, but we should really get together with the SELinux folks to get this fixed properly.
Since "semanage" is not available, how can we do it after server boot?
@salesgroup I don't think we have a good answer for you right now. We'd have to figure out how to do what semanage does without running semanage. We have some gaps here on how to manipulate selinux policy in a way that makes more sense for Fedora CoreOS. Ideally any changes to selinux policy would be able to be configured via plain text files that are laid down using Ignition. Possible workarounds (all are bad):
None of those are great answers. We have a similar problem with selinux booleans. As a group we need to talk to the SELinux team and find a path forward for the "lay down config via plain text files" approach.
@salesgroup do any of those proposed workarounds unblock you?
I have also stumbled across this issue since I need to move the SSH server away from port 22 - it was already in use for Git SSH on a legacy CoreOS installation. I decided to follow the workaround of running I have uploaded the actual script, systemd drop-in and resulting Ignition config parts to this gist.
@icedream Thanks for the example! Fedora CoreOS, unlike Container Linux, doesn't use socket activation for sshd, so enabling
For completeness the hacky way (idea from: #396 (comment)) using proxying 2222 to 22:

```yaml
systemd:
  units:
    - name: ssh-proxy.service
      enabled: true
      contents: |
        [Unit]
        Description=SSH Proxy
        Wants=network-online.target
        After=network-online.target

        [Service]
        # socat never calls sd_notify(), so Type=notify (as originally posted)
        # leaves the unit stuck in "activating"; simple is the correct type here.
        Type=simple
        KillMode=mixed
        TimeoutStartSec=0
        Restart=always
        RestartSec=5s
        # IPv4 only; the proxy itself is not confined by the sshd SELinux port rules.
        ExecStart=/usr/bin/socat TCP4-LISTEN:2222,reuseaddr,fork TCP4:127.0.0.1:22

        [Install]
        WantedBy=multi-user.target
```
We are starting the migration from CoreOS to Fedora CoreOS.
There is no documentation (from Fedora CoreOS) about changing the SSH port.
So we tried this:
https://coreos.com/os/docs/latest/customizing-sshd.html#changing-the-sshd-port-1
file: /etc/systemd/system/sshd.socket.d/10-sshd-listen-ports.conf
But we got this error:
systemd[14685]: sshd.socket: Failed to create listening socket ([::]:12221): Permission denied
Seems related to SELinux.
How can we change the sshd port?
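Added example, not code from this issue thread or from the Fedora CoreOS project: a shell script that performs, offline, the two checks a practitioner would run when sshd fails to bind a non-default port. It ties together the semanage discussion in the comments above and the "Permission denied" error in this report: from a `semanage port -l`-style listing it decides whether a port is already labelled `ssh_port_t`, prints the `semanage port -a -t ssh_port_t` command a regular Fedora host would need (the command that is not available on Fedora CoreOS), and extracts the port and its current label from a `name_bind` AVC denial as `ausearch -m avc` prints it. The listing excerpt, the AVC record and the port numbers are constructed for the example; it also goes slightly beyond this report by handling UDP entries and the comma-separated multi-range lines that real listings contain.

```shell
#!/bin/sh
# Added example, not code from the issue thread: check whether sshd may bind a
# given port under the current SELinux policy, and read the denial if it may not.

# Constructed excerpt of `semanage port -l` output (columns: type, proto, ranges).
# semanage is not shipped on Fedora CoreOS, so the listing is embedded here; on a
# regular Fedora host use PORT_LISTING=$(semanage port -l) instead.
PORT_LISTING='ssh_port_t                     tcp      22
reserved_port_t                tcp      1-511
hi_reserved_port_t             tcp      512-1023
unreserved_port_t              tcp      1024-32767, 61001-65535
unreserved_port_t              udp      1024-32767, 61001-65535
ephemeral_port_t               tcp      32768-60999'

# Constructed audit record of the kind `ausearch -m avc -ts recent` prints when
# sshd is denied a port; timestamp, serial and pid are made up.
SAMPLE_AVC='type=AVC msg=audit(1581234567.123:456): avc:  denied  { name_bind } for  pid=1234 comm="sshd" src=12221 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# port_types PROTO PORT -> one line per port type whose range contains PORT.
# Handles single ports ("22") and comma-separated ranges ("1024-32767, ...").
port_types() {
    printf '%s\n' "$PORT_LISTING" | awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                r = $i; sub(/,$/, "", r)
                n = split(r, b, "-")
                lo = b[1] + 0; hi = (n == 2) ? b[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) print $1
            }
        }'
}

# sshd_port_ok PROTO PORT -> exit 0 if the port is already ssh_port_t, i.e.
# sshd_t may bind it without a policy change.
sshd_port_ok() {
    port_types "$1" "$2" | grep -qx 'ssh_port_t'
}

# fix_hint PROTO PORT -> the command a regular Fedora host would run to add the
# port to ssh_port_t. Fedora CoreOS does not ship semanage (the gap this thread
# is about), so this is printed as a hint and never executed here.
fix_hint() {
    printf 'semanage port -a -t ssh_port_t -p %s %s\n' "$1" "$2"
}

# avc_bind_denial LINE -> "PROTO PORT CURRENT_TYPE" for a name_bind denial
# raised by sshd_t; prints nothing and exits 1 for any other record.
avc_bind_denial() {
    printf '%s\n' "$1" | awk '
        /avc:/ && /denied/ && /name_bind/ && /scontext=[^ ]*:sshd_t:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/)      port = substr($i, 5)
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ptype = c[3] }
                if ($i ~ /^tclass=/)   proto = ($i == "tclass=udp_socket") ? "udp" : "tcp"
            }
            if (port != "") { print proto, port, ptype; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# triage PROTO PORT -> human-readable verdict for the port the operator wants.
triage() {
    if sshd_port_ok "$1" "$2"; then
        echo "$1/$2: already ssh_port_t, sshd may bind it"
    else
        types=$(port_types "$1" "$2" | tr '\n' ' ')
        echo "$1/$2: labelled ${types:-(no portcon entry) }so sshd_t cannot bind it"
        echo "on a host with semanage: $(fix_hint "$1" "$2")"
    fi
}

triage tcp 22
triage tcp 12221
avc_bind_denial "$SAMPLE_AVC" || echo "no sshd name_bind denial in sample"
```

On a Fedora host with the policy tools installed, replace PORT_LISTING with the live `semanage port -l` output and pipe `ausearch -m avc -ts recent` into avc_bind_denial; on Fedora CoreOS only the audit half applies, and a port that comes back as anything other than ssh_port_t means choosing one of the workarounds discussed in this thread rather than relabelling it.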