[gridengine users] SOLVED: selinux and qlogin

bergman at merctech.com bergman at merctech.com
Fri Jun 1 22:51:24 UTC 2018


We're setting up SoGE (8.1.6) to establish qlogin sessions to interactive
nodes running CentOS7, with SELinux enabled.

A long-standing issue with qlogin is that it launches the listening ssh
daemon on random ports. The question about restricting qlogin to use
a specific range of ports for ssh has come up before, in the context
of firewalls and network security, and the usual answer is that it's
'secure' enough and doesn't need a defined port range because it's
within a private network inside the cluster.

However, SELinux denies sshd from even listening on ports that haven't
been labeled as "sshd_port_t". Since the ports used by qlogin when
running "sshd -i" are unknown in advance, it is impractical to label
all unreserved and ephemeral ports for exclusive use by sshd.

The solution is to add SELinux rules to allow sshd_t to use those
ports. The rules (as expressed in a 'type enforcement' file) are:

--------------------------------------------
module qlogin-sshd 1.0;

# Every type and object class referenced by the allow rules below must be
# declared here, otherwise checkmodule rejects the module as unknown.
require {
	type sshd_t;
	type sshd_net_t;
	type ephemeral_port_t;
	type initrc_t;
	type unreserved_port_t;
	class tcp_socket { name_bind name_connect read write };
}

# sshd -i (started by qlogin) binds and connects on whatever high port it was handed
allow sshd_t unreserved_port_t:tcp_socket { name_bind name_connect };
allow sshd_t ephemeral_port_t:tcp_socket { name_bind name_connect };
# the per-connection sshd_net_t domain inherits the socket from the initrc_t launcher
allow sshd_net_t initrc_t:tcp_socket { read write };
--------------------------------------------

		(Many thanks to https://serverfault.com/questions/828642/rhel7-selinux-problems-trying-to-run-sshd-via-xinetd-sshd-net-t-transition-cau)

Mark
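The rules above are the shape audit2allow produces from the AVC denials a qlogin session triggers. As an added example (not from the post, SoGE or audit2allow), the Python below parses constructed AVC lines of that form, refuses denials from any domain other than sshd_t/sshd_net_t so an unfiltered log cannot widen the policy, and renders a complete .te module with the require block checkmodule needs. The sample audit lines, the module name and the ALLOWED_SOURCES set are assumptions.

```python
import re

# Constructed sample AVC denials (not from the post): what a CentOS 7 node logs
# when qlogin's "sshd -i" binds a random high port and hands the socket back.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1527893000.101:501): avc:  denied  { name_bind } for  pid=4021 comm="sshd" src=52117 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1527893001.202:502): avc:  denied  { name_bind } for  pid=4022 comm="sshd" src=41877 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1527893001.305:503): avc:  denied  { name_connect } for  pid=4022 comm="sshd" dest=41877 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1527893002.303:504): avc:  denied  { read write } for  pid=4023 comm="sshd" path="socket:[88812]" dev="sockfs" ino=88812 scontext=system_u:system_r:sshd_net_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Only the sshd domains qlogin exercises may end up in the module (assumed set);
# a denial from any other source domain means the log was not filtered.
ALLOWED_SOURCES = {"sshd_t", "sshd_net_t"}

def collect_rules(audit_text):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    rules = {}
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        if m["stype"] not in ALLOWED_SOURCES:
            raise ValueError(f"unexpected source domain {m['stype']}: {line}")
        key = (m["stype"], m["ttype"], m["tclass"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules

def render_te(rules, name="qlogin-sshd", version="1.0"):
    """Render a .te module; every type and class used must appear in require {}."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = {}
    for (_, _, c), perms in rules.items():
        classes.setdefault(c, set()).update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

Write the output to qlogin-sshd.te and load it with checkmodule -M -m -o qlogin-sshd.mod qlogin-sshd.te, semodule_package -o qlogin-sshd.pp -m qlogin-sshd.mod and semodule -i qlogin-sshd.pp.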
