Description of problem:
The -R option of ssh allows it to open a listening TCP port on the server, which would be tunnelled back to the client. Please look at the -R option in the ssh man page for more info, it is well described there.

The targeted policy as in package selinux-policy-targeted-3.0.8-47.fc8 prevents the server from listening on the specified port (which could be any port), so I had to add the following semodule to re-enable this feature:

-------------------------------------
module sshanyport 1.0;

require {
	type sshd_t;
	type port_t;
	class tcp_socket name_bind;
}

#============= sshd_t ==============
allow sshd_t port_t:tcp_socket name_bind;
-------------------------------------

Please add it to the default policy, or make it tunable by a boolean. Thanks.

How reproducible:
Always

Steps to Reproduce:
1. ssh -R2222:127.0.0.1:22 user@server
2. watch it fail on the client and on the server with the following AVC:

type=AVC msg=audit(1194894279.908:1794): avc: denied { name_bind } for pid=14773 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
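As an added illustration (not the reporter's code, and not a tool shipped with selinux-policy), the following script parses the AVC denial quoted above the way audit2allow would, and regenerates a policy module equivalent to the one posted. The comments point out why `port_t` is a broad target: it is the type of every TCP port that no policy has labelled, so the resulting rule lets sshd bind to any such port rather than only 2222.

```python
import re

# The AVC line from the bug report, embedded here as sample input.
AVC_LINE = ('type=AVC msg=audit(1194894279.908:1794): avc: denied { name_bind } '
            'for pid=14773 comm="sshd" src=2222 '
            'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')

def parse_avc(line):
    """Split one AVC denial into permissions, source/target types, class and fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial: %r' % line)
    fields = {k: v.strip('"') for k, v in
              re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields'))}
    # A context is user:role:type[:range]; the type is the third field.
    return {'perms': m.group('perms').split(),
            'stype': fields['scontext'].split(':')[2],
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'fields': fields}

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)

def allow_rule(avc):
    """The allow rule that silences this denial, in .te syntax."""
    return 'allow %s %s:%s %s;' % (avc['stype'], avc['ttype'],
                                   avc['tclass'], fmt_perms(avc['perms']))

def module_te(name, version, lines):
    """Build a loadable-module source (.te) from one or more AVC lines.
    Note: when the target type is port_t (unlabelled ports), the generated
    rule grants binding to every unlabelled port. Labelling just the port
    in question (semanage port) is the narrower alternative."""
    avcs = [parse_avc(l) for l in lines]
    types = sorted({t for a in avcs for t in (a['stype'], a['ttype'])})
    classes = {}
    for a in avcs:
        classes.setdefault(a['tclass'], set()).update(a['perms'])
    out = ['module %s %s;' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out += ['}', ''] + [allow_rule(a) for a in avcs]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(module_te('sshanyport', '1.0', [AVC_LINE]))
```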
Fixed in selinux-policy-3.0.8-54.fc8
Bulk closing old selinux policy bugs that were in the modified state. If the bug is still not fixed, please reopen.