Description of problem: A recent feature of SSH allows it to use tunnel devices to create a "real" VPN, tunnelling at the TCP level. Look at the ssh manpage for the "tunnel" keyword or the "-w" option for more info. The targeted policy as in package selinux-policy-targeted-3.0.8-47.fc8 prevents it from doing that; I had to add the following semodule:

---------------------------------------------------
module sshtun 1.0;

require {
	type tun_tap_device_t;
	type sshd_t;
	class chr_file { read write };
}

#============= sshd_t ==============
allow sshd_t tun_tap_device_t:chr_file { read write };
---------------------------------------------------

Could it be added to the default policy, at least as a boolean?

How reproducible: Always

Steps to Reproduce:
1. try to use ssh -w
2. see it fail with 'Cannot find device "tun0"' on the client and the AVC

type=AVC msg=audit(1194943676.655:2288): avc: denied { read write } for pid=31774 comm="sshd" name="tun" dev=tmpfs ino=5440 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file

on the server
Oh, sorry, that was a little early. The actually working sshtun.te file is the following:

-----------------------------------------------
module sshtun 1.0;

require {
	type tun_tap_device_t;
	type sshd_t;
	class capability net_admin;
	class chr_file { read write ioctl };
}

#============= sshd_t ==============
allow sshd_t self:capability net_admin;
allow sshd_t tun_tap_device_t:chr_file { read write ioctl };
-----------------------------------------------

Thanks
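The reporter derived the sshtun.te rules by hand from the AVC denial in the first comment. As an added illustration (not code from the bug report or from selinux-policy), the script below parses AVC lines into the same module shape, and goes one step beyond the page by writing `self` as the target when a process is denied on its own context, which is how the second comment's capability rule comes about. The chr_file denial is the one quoted in the report; the capability denial is a constructed sample whose pid, serial and capability number are made up.

```python
import re
from collections import defaultdict

# AVC denial quoted in the bug report's first comment.
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1194943676.655:2288): avc: denied { read write } for '
    'pid=31774 comm="sshd" name="tun" dev=tmpfs ino=5440 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file'
)
# Constructed sample (not from the page) of the capability denial behind the
# second comment's net_admin rule; pid, serial and capability number are made up.
AVC_CONSTRUCTED_CAP = (
    'type=AVC msg=audit(1194943700.000:2290): avc: denied { net_admin } for '
    'pid=31774 comm="sshd" capability=12 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type_or_'self', tclass, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scon').split(':')[2]  # context is user:role:type[:range]
    ttype = m.group('tcon').split(':')[2]
    # A process denied on its own context (capabilities, signals) is written as self.
    target = 'self' if stype == ttype else ttype
    return stype, target, m.group('tclass'), set(m.group('perms').split())

def build_module(name, version, avc_lines):
    """Merge denials into one .te module in the shape of the reporter's sshtun.te."""
    rules, classes = defaultdict(set), defaultdict(set)
    for stype, target, tclass, perms in filter(None, map(parse_avc, avc_lines)):
        rules[(stype, target, tclass)] |= perms
        classes[tclass] |= perms
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules if t != 'self'})
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (stype, target, tclass), perms in sorted(rules.items()):
        out.append(f'allow {stype} {target}:{tclass} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'
```

Running `build_module('sshtun', '1.0', [AVC_FROM_REPORT, AVC_CONSTRUCTED_CAP])` yields a module with the same `allow` lines as the reporter's; it is a reading aid for the denial, not a replacement for checking whether the access belongs in the distribution policy.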
Fixed in selinux-policy-3.0.8-54.fc8
Bulk closing old selinux policy bugs that were in the modified state. If the bug is still not fixed, please reopen.