Bug 379531 - SSH can't create tunnel device
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-11-13 03:56 EST by Aurelien Bompard
Modified: 2008-01-30 14:07 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:07:00 EST
Description Aurelien Bompard 2007-11-13 03:56:57 EST
Description of problem:
A recent feature of SSH allows it to use tunnel devices to create a "real" VPN,
tunnelling at the TCP level.

Look at the ssh manpage for the "tunnel" keyword or the "-w" option for more info.

The targeted policy as in package selinux-policy-targeted-3.0.8-47.fc8 prevents
it from doing that; I had to add the following semodule:
module sshtun 1.0;

require {
        type tun_tap_device_t;
        type sshd_t;
        class chr_file { read write };
}

#============= sshd_t ==============
allow sshd_t tun_tap_device_t:chr_file { read write };

Could it be added to the default policy, at least as a boolean?

How reproducible:

Steps to Reproduce:
1. try to use ssh -w
2. see it fail with 'Cannot find device "tun0"' on the client and the AVC

type=AVC msg=audit(1194943676.655:2288): avc:  denied  { read write } for 
pid=31774 comm="sshd" name="tun" dev=tmpfs ino=5440
tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file

on the server
Comment 1 Aurelien Bompard 2007-11-13 04:04:12 EST
Oh, sorry, that was a little early. The actually working sshtun.te file is the
module sshtun 1.0;

require {
        type tun_tap_device_t;
        type sshd_t;
        class capability net_admin;
        class chr_file { read write ioctl };
}

#============= sshd_t ==============
allow sshd_t self:capability net_admin;
allow sshd_t tun_tap_device_t:chr_file { read write ioctl };
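
As an added example, not from the bug report or from the Fedora policy package, here is a small Python script in the spirit of audit2allow that turns AVC denial lines like the one above into the kind of .te module posted in this bug; the sample AVC lines are constructed, and their scontext field is assumed (the bug's copy of the AVC omits it).

```python
import re
from collections import defaultdict
# Constructed sample denials (not from the bug) in the shape of the sshd tunnel
# AVC above; their scontext field is an assumption, since the bug's copy omits it.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1194943676.655:2288): avc:  denied  { read write } for '
    'pid=31774 comm="sshd" name="tun" dev=tmpfs ino=5440 '
    'scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1194943680.100:2291): avc:  denied  { net_admin } for '
    'pid=31774 comm="sshd" capability=12 scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:system_r:sshd_t:s0 tclass=capability',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<sctx>\S+)'
    r'\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The type is the third field of a user:role:type:level security context.
    src, tgt = m.group('sctx').split(':')[2], m.group('tctx').split(':')[2]
    return src, tgt, m.group('tclass'), frozenset(m.group('perms').split())

def fmt_perms(perms):
    """One permission bare, several in braces, as checkmodule expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def build_te(module_name, lines):
    """Turn AVC denial lines into a minimal .te module: require block plus allow rules."""
    rules, classes = defaultdict(set), defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, tclass, perms = parsed
            rules[(src, tgt, tclass)] |= perms   # merge repeated denials per rule
            classes[tclass] |= perms
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    out = [f'module {module_name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, tclass), perms in sorted(rules.items()):
        target = 'self' if tgt == src else tgt   # e.g. sshd_t self:capability
        out.append(f'allow {src} {target}:{tclass} {fmt_perms(perms)};')
    return '\n'.join(out) + '\n'
```

Calling build_te('sshtun', SAMPLE_AVCS) yields a require block for sshd_t, tun_tap_device_t, capability and chr_file followed by the two allow rules, which can then be compiled with checkmodule and semodule_package as usual; a rule generated this way should still be reviewed before loading, since it grants exactly what was denied.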

Comment 2 Daniel Walsh 2007-11-13 14:59:09 EST
Fixed in selinux-policy-3.0.8-54.fc8
Comment 3 Daniel Walsh 2008-01-30 14:07:00 EST
Bulk closing old selinux policy bugs that were in the modified state. If the
bug is still not fixed, please reopen.
