Bug 656813 - selinux should allow sshd port forwarding by default
Summary: selinux should allow sshd port forwarding by default
Keywords:
Status: CLOSED DUPLICATE of bug 653579
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-11-24 08:13 UTC by Tim Taiwanese Liim
Modified: 2010-11-24 12:35 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-11-24 12:35:01 UTC
Type: ---
Embargoed:



Description Tim Taiwanese Liim 2010-11-24 08:13:17 UTC
Description of problem:
    Starting with F14, sshd no longer allows port forwarding by default.
    The error message to the user is rather obscure; ssh would only say
        channel 3: open failed: administratively prohibited: open failed
    leaving the user (me, that is) clueless as to where the issue arises.

    Can we restore the previous behavior in F13 (allow ssh port
    forwarding by default)?  Like this
        # setsebool -P sshd_forward_ports 1


Version-Release number of selected component (if applicable):
    selinux-policy-3.9.7-12.fc14

How reproducible:
    always

Steps to Reproduce:
    1. ssh -L1234:0:5678 <remote ip>
       # assume <remote ip> has TCP port 5678 open
    2. telnet 0 1234
  
Actual results:
    ssh says
        channel 3: open failed: administratively prohibited: open failed
    with "ssh -vvv", it says
        debug1: sys_tun_open: failed to configure tunnel (mode 1): Operation not permitted
        Tunnel device open failed.
        Could not request tunnel forwarding.

Expected results:
    sshd should allow port forwarding and "telnet 0 1234" should be
    connected to <remote ip>:5678.

Additional info:
    1. See also http://forums.fedoraforum.org/showthread.php?t=254170
    2. "getsebool sshd_forward_ports" returns
       sshd_forward_ports --> off

Comment 1 Tim Taiwanese Liim 2010-11-24 08:13:41 UTC
Workaround:
Eventually I did "tail -f /var/log/messages" and saw this msg
     Nov 24 02:23:06 vyam setroubleshoot: SELinux is preventing
     /usr/sbin/sshd "name_connect" access on <Unknown>. For complete
     SELinux messages. run sealert -l 2ac9d527-18a0-4efc-81fd-3d3694aef179
and "sealert -l 2ac9d527-18a0-4efc-81fd-3d3694aef179" told me to
     # setsebool -P sshd_forward_ports 1
which fixed the issue.
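
Added example (not part of the bug report or of the selinux-policy package): a small POSIX shell triage helper for the symptom and workaround described above. It parses the output of "getsebool sshd_forward_ports", counts setroubleshoot lines reporting sshd name_connect denials, and says whether the boolean is what blocks the forwarding. The getsebool output and log lines embedded below are constructed samples so the script runs offline, the sealert id in them is a placeholder, and the function names (bool_state, count_sshd_denials, diagnose) are my own; on a real host pass it the live getsebool output and /var/log/messages or /var/log/audit/audit.log instead.

```shell
#!/bin/sh
# Triage helper for "channel N: open failed: administratively prohibited"
# on a Fedora sshd host. Example code added here, not from the bug report.

# CONSTRUCTED sample of `getsebool sshd_forward_ports` output (boolean off).
SAMPLE_GETSEBOOL='sshd_forward_ports --> off'

# CONSTRUCTED log excerpt: one sshd denial line of the kind the reporter
# found in /var/log/messages, surrounded by unrelated lines. The sealert id
# is a placeholder, not a real alert id.
SAMPLE_LOG='Nov 24 02:23:01 vyam sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Nov 24 02:23:06 vyam setroubleshoot: SELinux is preventing /usr/sbin/sshd "name_connect" access on <Unknown>. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000000
Nov 24 02:23:07 vyam setroubleshoot: SELinux is preventing /usr/bin/httpd "name_connect" access on <Unknown>.'

# bool_state "<getsebool output>" -> prints on, off, or unknown
bool_state() {
    case "$1" in
        *'sshd_forward_ports --> on'*)  echo on ;;
        *'sshd_forward_ports --> off'*) echo off ;;
        *)                              echo unknown ;;
    esac
}

# count_sshd_denials "<log text>" -> number of lines where SELinux refused
# sshd the name_connect permission (the denial behind the port-forward failure).
# grep -c exits 1 when the count is 0, so `|| true` keeps the count usable
# under `set -e`.
count_sshd_denials() {
    printf '%s\n' "$1" | grep -c 'SELinux is preventing /usr/sbin/sshd "name_connect"' || true
}

# diagnose "<getsebool output>" "<log text>" -> one-line verdict
diagnose() {
    state=$(bool_state "$1")
    denials=$(count_sshd_denials "$2")
    if [ "$state" = off ] && [ "$denials" -gt 0 ]; then
        echo "sshd_forward_ports is off and $denials sshd name_connect denial(s) logged: run 'setsebool -P sshd_forward_ports 1' to allow forwarding persistently"
    elif [ "$state" = off ]; then
        echo "sshd_forward_ports is off, no sshd denials logged yet: forwarding will be refused once a client tries it"
    elif [ "$state" = on ]; then
        echo "sshd_forward_ports is on: SELinux is not what blocks the forwarding"
    else
        echo "could not read sshd_forward_ports state from the supplied getsebool output"
    fi
}

# Stand-alone run against the constructed samples.
diagnose "$SAMPLE_GETSEBOOL" "$SAMPLE_LOG"
```

On a live host the same functions can be fed real data, e.g. diagnose "$(getsebool sshd_forward_ports)" "$(grep setroubleshoot /var/log/messages)"; the persistent fix it recommends is exactly the setsebool -P command the reporter used.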

Comment 2 Miroslav Grepl 2010-11-24 12:35:01 UTC

*** This bug has been marked as a duplicate of bug 653579 ***
