No AVC when using non-standard SSH port
Dominick Grift
domg472 at gmail.com
Tue Dec 29 11:26:01 UTC 2009
On Tue, Dec 29, 2009 at 02:06:37AM -0500, Gregory Maxwell wrote:
> 2009/12/28 Jorge Fábregas <jorge.fabregas at gmail.com>:
> > On Saturday 26 December 2009 08:41:56 Matthew Miller wrote:
> >> Possibly needed for ssh port forwarding?
> >
> > I don't think this might be the reason. If someone's tech-savvy enough to do
> > port forwarding, they might as well use semanage to add the custom ports...
> > I'm still clueless on why it is like this on F12 :(
>
> Er. Port forwarding is a normal user-visible SSH feature which has
> been historically enabled. The person using it may not have the
> authority to change the SE linux permissions.
>
> OTOH, I think GatewayPorts defaults to no. So SELinux could back that
> up and restrict non-22 listens to localhost without changing the SSH
> default configuration. Also, listens on privileged ports (<=1024) are
> denied for non-root users so denying that in the SELinux policy
> wouldn't be harmful.
As far as i can tell SELinux only allows bind access to unreserved ports. I think that means > 1024. (not sure though)
>
> It might be handy to add comments to the relevant configuration files
> mentioning the SELinux limitations. It can be rather annoying when you
> change a setting only to have the change mooted by some SELinux
> imposed limitation. Some simple comments would go a long way in
> reducing confusions.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20091229/caba72eb/attachment.sig>
More information about the fedora-selinux-list
mailing list