selinux - Security-Enhanced Linux, a kernel security module (LSM) that enforces mandatory access control policies on top of the ordinary Unix permissions.

What SELinux Does for SSH:

When enabled, SELinux confines the SSH daemon to its own domain (sshd_t in the targeted policy). The policy decides which ports sshd may bind, which files it may read (for example authorized_keys labeled ssh_home_t) and which other domains it may hand a session to, independently of file ownership and mode bits. If sshd is compromised, the attacker is held to the same policy, which makes it harder to turn a bug in the daemon into control of the whole system.

Basic SELinux Commands

SELinux Status
SELinux Mode: status.
sestatus     

Shows whether SELinux is enabled, enforcing, or permissive.

SELinux Mode: Permissive (runtime).
setenforce 0     

Switches SELinux to permissive mode until the next reboot: policy violations are logged to the audit log but not blocked. setenforce cannot disable SELinux; it only toggles between enforcing and permissive.

SELinux Mode: Enforce (runtime).
setenforce 1     

Switches SELinux back to enforcing mode, again only until reboot. The mode used at boot comes from /etc/selinux/config (below).

SELinux Mode: boot-time, Enforce.

This is set in the file /etc/selinux/config. The value is read during boot, so editing it changes the mode at the next reboot; use setenforce for an immediate change.

SELINUX=enforcing     
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# See also:
#
# NOTE: Up to RHEL 8 release included, SELINUX=disabled would also
# fully disable SELinux during boot. If you need a system with SELinux
# fully disabled instead of SELinux running with no policy loaded, you
# need to pass selinux=0 to the kernel command line. You can use grubby
# to persistently set the bootloader to boot with selinux=0:
#
#    grubby --update-kernel ALL --args selinux=0
#
# To revert back to SELinux enabled:
#
#    grubby --update-kernel ALL --remove-args selinux
#
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
SELinux Mode: boot-time, Permissive.

Same file. Permissive at boot means the policy is loaded and every violation is logged, but nothing is blocked. Use it as a temporary troubleshooting window, not as a permanent state, since logging alone protects nothing. The value is lowercase:

SELINUX=permissive     

The comment header of the file is identical to the one shown above; only the value line differs:

SELINUX=permissive
SELINUXTYPE=targeted
SELinux Mode: boot-time, Disable.

Same file. As the file's own note says, on RHEL 9 and later SELINUX=disabled only boots with no policy loaded; to switch SELinux off entirely you must add selinux=0 to the kernel command line. Two caveats before doing either: while SELinux is off, new files get no labels, so when you re-enable it you need a full relabel (touch /.autorelabel, then reboot) or services such as sshd will be denied access to their own files; and disabling it removes the confinement described at the top of this page for every service, not just SSH.

SELINUX=disabled     

Again only the value line differs from the file shown above:

SELINUX=disabled
SELINUXTYPE=targeted
SELinux Ports

List and Manage SELinux Ports

Show Allowed Ports (the ports sshd may bind carry the type ssh_port_t)
semanage port -l | grep ssh_port_t     
Allow a Custom Port, e.g. 2222. Required before sshd can listen on anything other than 22; otherwise the bind is denied and an AVC appears in /var/log/audit/audit.log.
semanage port -a -t ssh_port_t -p tcp 2222     

semanage comes from policycoreutils-python-utils. -a fails with "already defined" when the port has an explicit record of another type (8443 is http_port_t, for instance); in that case change the record with semanage port -m instead. Range types such as unreserved_port_t do not block -a. The firewall is separate and still has to allow the port.
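The following is an added example, not code from the original page: it decides which semanage command (if any) is needed before sshd can listen on a given TCP port, by parsing `semanage port -l` output. It distinguishes a port already covered by ssh_port_t, a port with an explicit record of another type (where -a is refused and -m is needed), and a port only covered by a range type such as unreserved_port_t (where -a works). The port table is a constructed, trimmed sample so the script runs offline without root; on a real host set SAMPLE_PORTS="$(semanage port -l)" instead.

```shell
#!/bin/sh
# Added example, not from the original page: work out which semanage command
# (if any) is needed before sshd can listen on a given TCP port, from the
# output of `semanage port -l`. Runs against a constructed, trimmed sample of
# that output so the logic can be exercised offline without root or
# policycoreutils installed. On a real host replace the sample with
#   SAMPLE_PORTS="$(semanage port -l)"

# Constructed sample. Real output has the same shape: type, protocol, then a
# comma-separated list of single ports and low-high ranges.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

ephemeral_port_t               tcp      32768-60999
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61000-65535'

# Exit 0 if TCP port $2 is covered by type $1, counting ranges such as
# 1024-32767 as well as single ports.
port_covered_by() {
  printf '%s\n' "$SAMPLE_PORTS" | awk -v type="$1" -v port="$2" '
    $1 == type && $2 == "tcp" {
      s = ""
      for (i = 3; i <= NF; i++) s = s $i          # rejoin "80, 81, ..." without spaces
      n = split(s, list, ",")
      for (i = 1; i <= n; i++) {
        lo = list[i]; hi = list[i]
        if (split(list[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
        if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { found = 1; exit }
      }
    }
    END { exit found ? 0 : 1 }'
}

# Print the type that owns TCP port $1 as an explicit single-port record.
# Range records do not count: semanage port -a only refuses ("already
# defined") when an exact record for that port exists.
port_exact_owner() {
  printf '%s\n' "$SAMPLE_PORTS" | awk -v port="$1" '
    $2 == "tcp" {
      s = ""
      for (i = 3; i <= NF; i++) s = s $i
      n = split(s, list, ",")
      for (i = 1; i <= n; i++) if (list[i] == port) { print $1; exit }
    }'
}

# Print the command to run for TCP port $1 (or that nothing is needed).
ssh_port_action() {
  port="$1"
  if port_covered_by ssh_port_t "$port"; then
    echo "tcp/$port is already ssh_port_t; nothing to do"
    return 0
  fi
  owner="$(port_exact_owner "$port")"
  if [ -n "$owner" ]; then
    # Explicit record of another type: -a would fail, so modify the record.
    echo "semanage port -m -t ssh_port_t -p tcp $port   # currently $owner"
  else
    # Unowned, or only inside a range type such as unreserved_port_t: add it.
    echo "semanage port -a -t ssh_port_t -p tcp $port"
  fi
}

for p in 22 2222 8443; do
  ssh_port_action "$p"
done
```

The awk rejoins the port list without spaces before splitting on commas, because `semanage port -l` prints "80, 81, 443" and the number of whitespace-separated fields varies per line. The range check is what keeps 2222 on the -a path even though unreserved_port_t covers 1024-32767: semanage only rejects -a when an exact single-port record exists.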
sebool - SELinux booleans

The term "sebool" is not a standard or official name but informal shorthand for SELinux booleans and the tools that manage them (getsebool/setsebool).

SELinux booleans are on/off switches that modify policy behavior at runtime, allowing flexible security adjustments without rewriting or recompiling policy.

Lists SELinux booleans related to SSH.
getsebool -a | grep ssh    
Turn a boolean ON/OFF. Without -P the change lasts only until reboot; with -P it is also written to the policy store.
setsebool -P ssh_keysign off         

The boolean is named ssh_keysign in current policies; older policies called it allow_ssh_keysign, and setsebool still accepts the old name where the policy provides the alias. Turning it off stops the ssh client from running the setuid ssh-keysign helper, which signs with the local host's private key for host-based authentication (HostbasedAuthentication). Unless you rely on host-based authentication, leave it off: it removes one path by which an unprivileged user can get the host key used.

It does not affect key-based user authentication via authorized_keys, which uses the users' own keys.

SELinux labeling

Every file carries an SELinux label (context) of the form user:role:type:level. The targeted policy decides almost entirely on the type, so a file in the right place with the wrong type is still denied. This applies to individual user files, home directories and web server content alike.

Show File labels "ls -Z"
ls -Z /path/to/file     

Displays the SELinux security context for files. The type is the third colon-separated field (e.g. ssh_home_t).

Fix Incorrect SELinux Labels
restorecon -Rv /path/to/directory     

Resets files to the labels the policy's file-context rules define for their path; -v prints each change. This is the first thing to try when a service is denied access to a file it "should" be able to read.

Allow a Service to Access a Directory
chcon -R -t httpd_sys_content_t /custom/path     

If SELinux blocks a service from reading /custom/path, giving the files the type that service is allowed to read resolves the denial. Two caveats: chcon changes the label on the inode only, so the next restorecon or full relabel reverts it; for a permanent change register the rule first (semanage fcontext -a -t httpd_sys_content_t "/custom/path(/.*)?") and then run restorecon -Rv /custom/path. And the type must belong to the service in question: httpd_sys_content_t (note the httpd prefix) is Apache's read-only content type and does nothing for sshd, which needs ssh_home_t on key files.

SELinux Labels types

SELinux Labels for User Home Directories and SSH/sshd

Typically, these labels include:

  • user_home_dir_t: Applied to user home directories.
  • user_home_t: Label for files within user home directories.
  • ssh_home_t: Used for .ssh directories and their contents (authorized_keys, private and public keys, known_hosts).
  • ssh_exec_t: Applied to the SSH client executable.
  • sshd_exec_t: Label for the SSH daemon executable.
  • sshd_config_t: For SSH daemon configuration files.

Note: These labels can vary slightly depending on the distribution and SELinux policy version. Check what your policy expects for a given path with matchpathcon /path or semanage fcontext -l.

A common cause of public-key logins failing only on SELinux hosts is a .ssh directory or authorized_keys file with the wrong type, for example after copying keys in from elsewhere or creating the home directory by hand. The denials show up as type=AVC lines with comm="sshd" in /var/log/audit/audit.log. Because the default policy already maps /home/*/.ssh to ssh_home_t, restorecon -Rv /home/youruser/.ssh is the preferred fix; chcon gives the same result but only until the next relabel:

chcon -R -t ssh_home_t /home/youruser/.ssh     
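The following is an added example, not code from the original page: it walks through diagnosing a failed key login caused by a mislabeled ~/.ssh. It parses `ls -Z` output to list entries whose type is not ssh_home_t, summarises the matching AVC record from audit.log to confirm the denial is label-based (sshd_t reading default_t), and picks the fix. Both inputs are constructed samples, and the scenario they describe is an assumption of the example: a home directory moved to /data/home with no file-context rule, so everything under it was labeled default_t, which restorecon alone cannot repair.

```shell
#!/bin/sh
# Added example, not from the original page: diagnose a public-key login that
# fails because ~/.ssh carries the wrong label. Parses `ls -Z` output to list
# entries whose type is not ssh_home_t, reads the matching AVC line from
# audit.log to confirm the denial is label-based, and picks the fix. Both
# inputs are constructed samples; the assumed scenario is a home directory
# moved to /data/home without a file-context rule, so everything under it
# was labeled default_t.

SAMPLE_LS_Z='unconfined_u:object_r:default_t:s0 authorized_keys
unconfined_u:object_r:ssh_home_t:s0 id_ed25519
unconfined_u:object_r:ssh_home_t:s0 id_ed25519.pub
unconfined_u:object_r:default_t:s0 known_hosts'

SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="sshd" name="authorized_keys" dev="dm-0" ino=12345 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

# Read `ls -Z` output on stdin; print "name type" for entries whose type
# (third colon-separated field of the context) is not $1. Exit 1 if any.
# Assumes file names without spaces, as in a normal ~/.ssh.
mislabeled() {
  awk -v want="$1" '
    NF >= 2 {
      split($1, ctx, ":")
      if (ctx[3] != want) { print $2, ctx[3]; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Summarise an AVC record as "comm name source_type target_type".
avc_summary() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) {
      n = index($i, "=")
      if (n == 0) continue                       # "avc:", "denied", "{", ...
      k = substr($i, 1, n - 1); v = substr($i, n + 1)
      gsub(/"/, "", v)
      f[k] = v
    }
    split(f["scontext"], s, ":"); split(f["tcontext"], t, ":")
    print f["comm"], f["name"], s[3], t[3]
  }'
}

# Read `ls -Z` output of directory $1 on stdin and print the command that
# fixes it. default_t means no file-context rule matches the path, so
# restorecon alone changes nothing: register an equivalence to /home first
# (the /data/home location is an assumption of this example).
recommend_fix() {
  dir="$1"
  bad="$(mislabeled ssh_home_t)" || true
  if [ -z "$bad" ]; then
    echo "labels ok"
  elif printf '%s\n' "$bad" | grep -q ' default_t$'; then
    echo "semanage fcontext -a -e /home /data/home && restorecon -Rv $dir"
  else
    echo "restorecon -Rv $dir"
  fi
}

echo "mislabeled entries:"
printf '%s\n' "$SAMPLE_LS_Z" | mislabeled ssh_home_t || true
echo "audit: $(avc_summary "$SAMPLE_AVC")"
echo "fix:   $(printf '%s\n' "$SAMPLE_LS_Z" | recommend_fix /data/home/alice/.ssh)"
```

Run on a real host as `ls -Z ~alice/.ssh | recommend_fix ~alice/.ssh`, and feed avc_summary a line from `ausearch -m AVC -c sshd`. The distinction the script makes matters in practice: when the wrong type is user_home_t the policy already knows the path and restorecon fixes it, but when it is default_t the policy has no rule for the path at all and you must add one (here via a /home equivalence) before relabeling.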

SELinux SSH Hardening

Check Permanent SELinux Booleans

semanage boolean -l | grep ssh     

The output lists each boolean as (current, default); the two should agree, and on a plain SSH server all of them should be off unless you have a specific need. ssh_sysadm_login only matters if you log in as the confined sysadm_u user, ssh_chroot_rw_homedirs only for chrooted SFTP users who must write to their home directory, and ssh_keysign only for host-based authentication. Everything should look like this:

  • fenced_can_ssh (off, off) – Allow fenced to can ssh
  • selinuxuser_use_ssh_chroot (off, off) – Allow selinuxuser to use ssh chroot
  • ssh_chroot_rw_homedirs (off, off) – Allow ssh to chroot rw homedirs
  • ssh_keysign (off, off) – Allow ssh to keysign
  • ssh_sysadm_login (off, off) – Allow ssh to sysadm login
  • ssh_use_tcpd (off, off) – Allow ssh to use tcpd
  • virt_qemu_ga_manage_ssh (off, off) – Allow virt to qemu ga manage ssh
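The following is an added example, not code from the original page; it serves both the getsebool/setsebool section and this baseline check. It compares the output of `semanage boolean -l | grep ssh` against the all-off baseline listed above, reports booleans that deviate or are missing, and separately flags a boolean whose current value differs from its persisted default, which is what a setsebool without -P looks like. The semanage output is a constructed sample from a hypothetical drifted host so the check runs offline; on a real host pipe the live command into boolean_drift.

```shell
#!/bin/sh
# Added example, not from the original page: compare the booleans reported by
# `semanage boolean -l | grep ssh` against the all-off baseline recommended
# above, and flag runtime-only changes (current value != persisted default).
# The semanage output below is a constructed sample so this runs offline;
# on a real host use:  semanage boolean -l | grep ssh | boolean_drift

# Expected baseline, "<boolean> <value>" per line.
BASELINE='fenced_can_ssh off
selinuxuser_use_ssh_chroot off
ssh_chroot_rw_homedirs off
ssh_keysign off
ssh_sysadm_login off
ssh_use_tcpd off
virt_qemu_ga_manage_ssh off'

# Constructed sample from a drifted host: ssh_keysign was turned on without
# -P (runtime only), ssh_sysadm_login was turned on persistently, and
# ssh_use_tcpd is not present at all.
SAMPLE_BOOLEANS='fenced_can_ssh                 (off  ,  off)  Allow fenced to can ssh
selinuxuser_use_ssh_chroot     (off  ,  off)  Allow selinuxuser to use ssh chroot
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh to chroot rw homedirs
ssh_keysign                    (on   ,  off)  Allow ssh to keysign
ssh_sysadm_login               (on   ,   on)  Allow ssh to sysadm login
virt_qemu_ga_manage_ssh        (off  ,  off)  Allow virt to qemu ga manage ssh'

# Normalise "name (current , default) description" lines to "name current default".
parse_booleans() {
  awk '{ gsub(/[(),]/, " "); print $1, $2, $3 }'
}

# Read semanage output on stdin, print one finding per line, exit 1 if the
# host deviates from BASELINE.
boolean_drift() {
  parsed="$(parse_booleans)"
  findings=0
  while read -r name expected; do
    # Positional parameters become: $1 = current value, $2 = persisted default.
    set -- $(printf '%s\n' "$parsed" | awk -v n="$name" '$1 == n { print $2, $3 }')
    if [ $# -ne 2 ]; then
      echo "MISSING $name: not defined in this policy"
      findings=$((findings + 1))
      continue
    fi
    if [ "$1" != "$2" ]; then
      # setsebool without -P: the change is lost at reboot (or a persistent
      # change has not yet been applied to the running kernel).
      echo "RUNTIME $name: current=$1 differs from persisted default=$2"
    fi
    if [ "$1" != "$expected" ] || [ "$2" != "$expected" ]; then
      echo "DRIFT   $name: current=$1 default=$2 expected=$expected"
      findings=$((findings + 1))
    fi
  done <<EOF
$BASELINE
EOF
  [ "$findings" -eq 0 ]
}

printf '%s\n' "$SAMPLE_BOOLEANS" | boolean_drift \
  || echo "Booleans deviate from the baseline; fix with setsebool -P <name> off"
```

The RUNTIME line is the one worth acting on first: a boolean that is on now but off in the store means someone changed it on the live system and the change will silently disappear at the next reboot, or the reverse, that a hardening change was made with -P on a system where it has not taken effect yet.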

Check that sshd is only allowed on port 22

semanage port -l | grep ssh_port_t     

It should look like this:

  • ssh_port_t – Protocol: tcp, Port: 22

Any additional port listed here was added with semanage port -a at some point. Remove ports you no longer use with semanage port -d -t ssh_port_t -p tcp <port>, so that sshd can bind only the ports you intend.
Basics of SELinux