Bug 656813 - selinux should allow sshd port forwarding by default
Status: CLOSED DUPLICATE of bug 653579
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware/OS: Unspecified
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-11-24 03:13 EST by Tim Taiwanese Liim
Modified: 2010-11-24 07:35 EST
Doc Type: Bug Fix
Last Closed: 2010-11-24 07:35:01 EST
Description Tim Taiwanese Liim 2010-11-24 03:13:17 EST
Description of problem:
    Starting F14, sshd no longer allows port forwarding by default.
    The error msg to the user is rather obscure; ssh would only say
        channel 3: open failed: administratively prohibited: open failed
    leaving the user (me, that is) clueless as to where the issue arises.

    Can we restore the previous behavior in F13 (allow ssh port
    forwarding by default)?  Like this
        # setsebool -P sshd_forward_ports 1


Version-Release number of selected component (if applicable):
    selinux-policy-3.9.7-12.fc14

How reproducible:
    always

Steps to Reproduce:
    1. ssh -L1234:0:5678 <remote ip>
       # assume <remote ip> has TCP port 5678 open
    2. telnet 0 1234
Actual results:
    ssh says
        channel 3: open failed: administratively prohibited: open failed
    with "ssh -vvv", it says
        debug1: sys_tun_open: failed to configure tunnel (mode 1): Operation not permitted
        Tunnel device open failed.
        Could not request tunnel forwarding.

Expected results:
    sshd should allow port forwarding and "telnet 0 1234" should be
    connected to <remote ip>:5678.

Additional info:
    1. See also http://forums.fedoraforum.org/showthread.php?t=254170
    2. "getsebool sshd_forward_ports" returns
       sshd_forward_ports --> off
Comment 1 Tim Taiwanese Liim 2010-11-24 03:13:41 EST
Workaround:
Eventually I did "tail -f /var/log/messages" and saw this msg
     Nov 24 02:23:06 vyam setroubleshoot: SELinux is preventing
     /usr/sbin/sshd "name_connect" access on <Unknown>. For complete
     SELinux messages. run sealert -l 2ac9d527-18a0-4efc-81fd-3d3694aef179
and "sealert -l 2ac9d527-18a0-4efc-81fd-3d3694aef179" told me to
     # setsebool -P sshd_forward_ports 1
which fixed the issue.
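An added example, not part of the bug report or the selinux-policy package, that turns the two checks the report relies on into a small POSIX shell script: it parses setroubleshoot syslog lines like the one quoted in Comment 1 for denials attributed to sshd, classifies the `getsebool sshd_forward_ports` output quoted in the description, and prints the report's `setsebool` fix only when both point at the forwarding denial. The log lines below are constructed samples (the first is modelled on Comment 1, the rest are invented noise); the hostname and sealert id come from the report. On a real host you would pipe `/var/log/messages` and the live `getsebool sshd_forward_ports` output into the functions instead of the constructed strings.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the sshd_forward_ports
# denial from setroubleshoot log lines and the boolean state, then decide
# whether the fix given in the report applies.

# Constructed sample syslog text. Line 1 is modelled on the message in
# Comment 1 (joined onto one line as syslog writes it); lines 2 and 3 are
# invented noise: an unrelated sshd login and a denial for another binary.
SAMPLE_LOG='Nov 24 02:23:06 vyam setroubleshoot: SELinux is preventing /usr/sbin/sshd "name_connect" access on <Unknown>. For complete SELinux messages. run sealert -l 2ac9d527-18a0-4efc-81fd-3d3694aef179
Nov 24 02:23:07 vyam sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Nov 24 02:24:11 vyam setroubleshoot: SELinux is preventing /usr/bin/curl "name_connect" access on <Unknown>. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000000'

# sshd_denials: read syslog text on stdin and print one
# "process|access_vector|sealert_id" record per setroubleshoot denial
# whose subject is /usr/sbin/sshd. Other binaries and non-denial lines
# are dropped.
sshd_denials() {
    grep 'setroubleshoot: SELinux is preventing /usr/sbin/sshd ' |
    sed -n 's/.*SELinux is preventing \([^ ]*\) "\([^"]*\)" access.*sealert -l \([0-9a-f-]*\).*/\1|\2|\3/p'
}

# forwarding_state: read the output of `getsebool sshd_forward_ports`
# on stdin ("sshd_forward_ports --> off|on") and print "blocked" when the
# boolean is off, "allowed" when it is on.
forwarding_state() {
    awk -F' --> ' '$1 == "sshd_forward_ports" {
        state = ($2 == "off") ? "blocked" : "allowed"
        print state
    }'
}

# remediation: $1 is the output of sshd_denials, $2 the output of
# forwarding_state. Print the fix from the report only when an sshd
# name_connect denial was seen AND the boolean is off; otherwise report
# that nothing needs changing (so an unrelated denial never flips the
# boolean).
remediation() {
    case "$1" in
        *'|name_connect|'*)
            if [ "$2" = "blocked" ]; then
                echo 'setsebool -P sshd_forward_ports 1'
                return 0
            fi ;;
    esac
    echo 'no action'
}

# Demo on the constructed input: boolean state is a constructed string
# standing in for the real `getsebool sshd_forward_ports` output.
denials=$(printf '%s\n' "$SAMPLE_LOG" | sshd_denials)
state=$(printf 'sshd_forward_ports --> off\n' | forwarding_state)
echo "sshd denials: $denials"
echo "forwarding:   $state"
echo "action:       $(remediation "$denials" "$state")"
```

The three functions are kept separate so the log parser can run on its own as a detection rule (any `name_connect` denial for `/usr/sbin/sshd` is worth alerting on), while the decision to change the boolean stays tied to confirming that `sshd_forward_ports` is actually off.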
Comment 2 Miroslav Grepl 2010-11-24 07:35:01 EST

*** This bug has been marked as a duplicate of bug 653579 ***