The following configuration will work after boot and while LIDS_GLOBAL is on because it gives sshd the CAP_NET_BIND_SERVICE capability.
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/shadow -j READONLY
/sbin/lidsconf -A -o /etc/ssh/sshd_config -j DENY
/sbin/lidsconf -A -o /etc/ssh/ssh_host_key -j DENY
/sbin/lidsconf -A -o /etc/ssh/ssh_host_dsa_key -j DENY
/sbin/lidsconf -A -s /usr/sbin/sshd \
-o /etc/ssh/sshd_config -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd \
-o /etc/ssh/ssh_host_key -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd \
-o /etc/ssh/ssh_host_dsa_key -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd \
-o /var/log/wtmp -j WRITE
/sbin/lidsconf -A -s /usr/sbin/sshd \
-o /var/log/lastlog -j WRITE
/sbin/lidsconf -A -s /usr/sbin/sshd \
-o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd \
-o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd \
-o CAP_FOWNER -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd \
-o CAP_CHOWN -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd \
-o CAP_DAC_OVERRIDE -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd \
-o CAP_NET_BIND_SERVICE 22-22 -j GRANT
/sbin/lidscond -A -s /usr/sbin/sshd \
-o CAP_SYS_CHROOT -j GRANT
/sbin/lidscond -A -s /usr/sbin/sshd \
-o CAP_SYS_RESOURCE -j GRANT
/sbin/lidscond -A -s /usr/sbin/sshd \
-o CAP_SYS_TTY_CONFIG -j GRANT |