No AVC when using non-standard SSH port

Daniel J Walsh dwalsh at redhat.com
Wed Dec 30 14:19:07 UTC 2009


On 12/29/2009 06:26 AM, Dominick Grift wrote:
> On Tue, Dec 29, 2009 at 02:06:37AM -0500, Gregory Maxwell wrote:
>> 2009/12/28 Jorge Fábregas <jorge.fabregas at gmail.com>:
>>> On Saturday 26 December 2009 08:41:56 Matthew Miller wrote:
>>>> Possibly needed for ssh port forwarding?
>>>
>>> I don't think this might be the reason. If someone's tech-savvy enough to do
>>> port forwarding, they might as well use semanage to add the custom ports...
>>> I'm still clueless on why it is like this on F12 :(
>>
>> Er. Port forwarding is a normal user-visible SSH feature which has
>> been historically enabled. The person using it may not have the
>> authority to change the SE linux permissions.
>>
>> OTOH, I think GatewayPorts defaults to no. So SELinux could back that
>> up and restrict non-22 listens to localhost without changing the SSH
>> default configuration. Also, listens on privileged ports (<=1024) are
>> denied for non-root users so denying that in the SELinux policy
>> wouldn't be harmful.
> 
> As far as I can tell SELinux only allows bind access to unreserved ports. I think that means > 1024. (not sure though)
> 
> 
>>
>> It might be handy to add comments to the relevant configuration files
>> mentioning the SELinux limitations. It can be rather annoying when you
>> change a setting only to have the change mooted by some SELinux
>> imposed limitation. Some simple comments would go a long way in
>> reducing confusions.
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
Port forwarding requires allowing ssh to bind to ports > 1024.

corenet_tcp_bind_all_unreserved_ports

I guess we could add a boolean to allow this to be turned off.
