The following configuration will work after boot and while LIDS_GLOBAL is on, because it grants sshd the CAP_NET_BIND_SERVICE capability (limited to port 22 by the 22-22 range), which sshd needs in order to bind its listening port.
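# LIDS ACLs for sshd. One lidsconf call per rule:
#   -A adds a rule, -s names the subject (the program the rule applies to),
#   -o names the object (a file or a capability), -j sets the access/target.
# The last three rules originally invoked "/sbin/lidscond"; the tool is
# /sbin/lidsconf, as used by every other rule here, so those rules would
# never have been added.

# sshd must read the shadow password file to authenticate users.
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/shadow -j READONLY

# Default rules (no subject): hide the sshd configuration and the private
# host keys from every process.
# NOTE(review): only ssh_host_key and ssh_host_dsa_key are covered. Any other
# private host key configured in sshd_config (for example an RSA key) needs
# the same DENY + READONLY pair -- confirm against your sshd_config.
/sbin/lidsconf -A -o /etc/ssh/sshd_config -j DENY
/sbin/lidsconf -A -o /etc/ssh/ssh_host_key -j DENY
/sbin/lidsconf -A -o /etc/ssh/ssh_host_dsa_key -j DENY

# Subject-specific exceptions: sshd alone may read those files.
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/ssh/sshd_config -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/ssh/ssh_host_key -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/ssh/ssh_host_dsa_key -j READONLY

# Login accounting files that sshd updates on each session.
/sbin/lidsconf -A -s /usr/sbin/sshd -o /var/log/wtmp -j WRITE
/sbin/lidsconf -A -s /usr/sbin/sshd -o /var/log/lastlog -j WRITE

# Capabilities sshd needs to switch to the logging-in user and to manage
# ownership of the files it creates for the session.
/sbin/lidsconf -A -s /usr/sbin/sshd -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd -o CAP_FOWNER -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd -o CAP_CHOWN -j GRANT
# NOTE(review): CAP_DAC_OVERRIDE lets sshd bypass file permission checks.
# It is the broadest grant in this list; keep it only if sshd fails without it.
/sbin/lidsconf -A -s /usr/sbin/sshd -o CAP_DAC_OVERRIDE -j GRANT

# Allow binding a privileged port, restricted to port 22 by the 22-22 range.
# If sshd listens on a different privileged port, change the range to match
# rather than widening it.
/sbin/lidsconf -A -s /usr/sbin/sshd -o CAP_NET_BIND_SERVICE 22-22 -j GRANT

# Remaining capabilities granted to sshd.
/sbin/lidsconf -A -s /usr/sbin/sshd -o CAP_SYS_CHROOT -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd -o CAP_SYS_RESOURCE -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd -o CAP_SYS_TTY_CONFIG -j GRANT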