No AVC when using non-standard SSH port

Gregory Maxwell gmaxwell at gmail.com
Tue Dec 29 07:06:37 UTC 2009


2009/12/28 Jorge Fábregas <jorge.fabregas at gmail.com>:
> On Saturday 26 December 2009 08:41:56 Matthew Miller wrote:
>> Possibly needed for ssh port forwarding?
>
> I don't think this might be the reason. If someone's tech-savvy enough to do
> port forwarding, they might as well use semanage to add the custom ports...
> I'm still clueless on why it is like this on F12 :(

Er. Port forwarding is a normal user-visible SSH feature which has
been historically enabled. The person using it may not have the
authority to change the SELinux permissions.

OTOH, I think GatewayPorts defaults to no. So SELinux could back that
up and restrict non-22 listens to localhost without changing the SSH
default configuration. Also, listens on privileged ports (<=1024) are
denied for non-root users so denying that in the SELinux policy
wouldn't be harmful.

It might be handy to add comments to the relevant configuration files
mentioning the SELinux limitations. It can be rather annoying when you
change a setting only to have the change mooted by some SELinux-imposed
limitation. Some simple comments would go a long way in reducing
confusion.
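As an added example (not code from the thread or from the Fedora policy), a small POSIX sh check for the situation under discussion: it compares the active `Port` lines in sshd_config against the ports carrying the `ssh_port_t` label in `semanage port -l` output, reports the ports sshd would be denied binding, and prints the `semanage port -a` command Jorge refers to for each one. The semanage output and the sshd_config fragment are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the thread. Constructed `semanage port -l` output:
SEMANAGE_OUT='ssh_port_t                     tcp      22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-32767, 61001-65535'

# Constructed sshd_config fragment: 2222 is the port that triggers the AVC.
SSHD_CONFIG='Port 22
Port 2222
#Port 9999
GatewayPorts no'

# Print every tcp port or port range carrying the ssh_port_t label.
ssh_ports_allowed() {
    printf '%s\n' "$SEMANAGE_OUT" |
        awk '$1=="ssh_port_t" && $2=="tcp" { for (i=3;i<=NF;i++) { gsub(",","",$i); print $i } }'
}

# Succeed if PORT ($1) falls inside an ssh_port_t entry or range.
port_is_ssh_labelled() {
    p=$1
    found=$(ssh_ports_allowed | while IFS= read -r entry; do
        case $entry in
            *-*) lo=${entry%-*}; hi=${entry#*-}
                 if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then echo yes; break; fi ;;
            *)   if [ "$p" -eq "$entry" ]; then echo yes; break; fi ;;
        esac
    done)
    [ "$found" = yes ]
}

# Print each active "Port N" in sshd_config that the policy would deny sshd
# from binding (commented-out lines are ignored).
unlabelled_ssh_ports() {
    printf '%s\n' "$SSHD_CONFIG" | awk '$1=="Port" { print $2 }' |
        while read -r port; do
            port_is_ssh_labelled "$port" || echo "$port"
        done
}

# The semanage command an administrator would run for each unlabelled port.
fix_commands() {
    unlabelled_ssh_ports | while read -r port; do
        echo "semanage port -a -t ssh_port_t -p tcp $port"
    done
}

fix_commands
```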




More information about the fedora-selinux-list mailing list