Bug 656813

Summary: selinux should allow sshd port forwarding by default
Product: Fedora
Reporter: Tim Taiwanese Liim <tim.liim>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: dwalsh, mgrepl
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2010-11-24 12:35:01 UTC

Description Tim Taiwanese Liim 2010-11-24 08:13:17 UTC
Description of problem:
    Starting F14, sshd no longer allows port forwarding by default.
    The error msg to the user is rather obscure; ssh would only say
        channel 3: open failed: administratively prohibited: open failed
    leaving the user (me, that is) clueless as to where the issue arises.

    Can we restore the previous behavior in F13 (allow ssh port
    forwarding by default)?  Like this
        # setsebool -P sshd_forward_ports 1


Version-Release number of selected component (if applicable):
    selinux-policy-3.9.7-12.fc14

How reproducible:
    always

Steps to Reproduce:
    1. ssh -L1234:0:5678 <remote ip>
       # assume <remote ip> has TCP port 5678 open
    2. telnet 0 1234
Actual results:
    ssh says
        channel 3: open failed: administratively prohibited: open failed
    with "ssh -vvv", it says
        debug1: sys_tun_open: failed to configure tunnel (mode 1): Operation not permitted
        Tunnel device open failed.
        Could not request tunnel forwarding.

Expected results:
    sshd should allow port forwarding and "telnet 0 1234" should be
    connected to <remote ip>:5678.

Additional info:
    1. See also http://forums.fedoraforum.org/showthread.php?t=254170
    2. "getsebool sshd_forward_ports" returns
       sshd_forward_ports --> off

Comment 1 Tim Taiwanese Liim 2010-11-24 08:13:41 UTC
Workaround:
Eventually I did "tail -f /var/log/messages" and saw this msg
     Nov 24 02:23:06 vyam setroubleshoot: SELinux is preventing
     /usr/sbin/sshd "name_connect" access on <Unknown>. For complete
     SELinux messages. run sealert -l 2ac9d527-18a0-4efc-81fd-3d3694aef179
and "sealert -l 2ac9d527-18a0-4efc-81fd-3d3694aef179" told me to
     # setsebool -P sshd_forward_ports 1
which fixed the issue.
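
An added triage helper (example code, not from the bug report or from the selinux-policy project) that automates what comment 1 did by hand: it finds the setroubleshoot line naming sshd's "name_connect" denial, pulls out the sealert id, and reads the state of sshd_forward_ports, then prints a verdict without changing any policy. The function names are mine, the log lines are constructed to mirror the message quoted above, and the AllowTcpForwarding hint in the last branch is a general sshd_config check the report itself does not mention.

```shell
#!/bin/sh
# Added triage helper (example code, not from the bug report or Fedora).
# Read-only: it reports the cause, leaving "setsebool -P" as an explicit
# admin decision.

# Print the sealert IDs from setroubleshoot lines that show sshd being
# denied name_connect (the denial behind "administratively prohibited").
# $1: path to a messages-style log file
sshd_forward_denials() {
    grep 'setroubleshoot: SELinux is preventing /usr/sbin/sshd "name_connect"' "$1" |
        sed -n 's/.*sealert -l \([0-9a-fA-F-]*\).*/\1/p'
}

# Map one line of "getsebool sshd_forward_ports" output to off, on or unknown.
# $1: the getsebool output line
sshd_forward_ports_state() {
    case "$1" in
        'sshd_forward_ports --> off') echo off ;;
        'sshd_forward_ports --> on')  echo on ;;
        *) echo unknown ;;
    esac
}

# Combine both checks into a one-line verdict an admin can act on.
# $1: log file, $2: getsebool output line
diagnose_sshd_forwarding() {
    ids=$(sshd_forward_denials "$1" | tr '\n' ' ' | sed 's/ *$//')
    state=$(sshd_forward_ports_state "$2")
    if [ -n "$ids" ] && [ "$state" = off ]; then
        echo "selinux: sshd denied name_connect and sshd_forward_ports is off; sealert ids: $ids"
    elif [ -n "$ids" ]; then
        echo "selinux: sshd denied name_connect; boolean state is $state, check sealert: $ids"
    else
        echo "no sshd name_connect denial logged; look beyond SELinux (sshd_config AllowTcpForwarding, firewall)"
    fi
}

# Constructed sample log (the setroubleshoot message from comment 1 written on
# one line, as syslog records it) so the helper can be exercised offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Nov 24 02:23:05 vyam sshd[2045]: Accepted publickey for user from 192.0.2.10 port 50000 ssh2
Nov 24 02:23:06 vyam setroubleshoot: SELinux is preventing /usr/sbin/sshd "name_connect" access on <Unknown>. For complete SELinux messages. run sealert -l 2ac9d527-18a0-4efc-81fd-3d3694aef179
EOF

diagnose_sshd_forwarding "$SAMPLE_LOG" 'sshd_forward_ports --> off'
```

On a live host, pass /var/log/messages (or the audit log) as the first argument and the output of `getsebool sshd_forward_ports` as the second.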

Comment 2 Miroslav Grepl 2010-11-24 12:35:01 UTC

*** This bug has been marked as a duplicate of bug 653579 ***