On 12/29/2009 06:26 AM, Dominick Grift wrote:
> On Tue, Dec 29, 2009 at 02:06:37AM -0500, Gregory Maxwell wrote:
>> 2009/12/28 Jorge Fábregas <jorge.fabregas@xxxxxxxxx>:
>>> On Saturday 26 December 2009 08:41:56 Matthew Miller wrote:
>>>> Possibly needed for ssh port forwarding?
>>>
>>> I don't think this might be the reason. If someone's tech-savvy enough to do
>>> port forwarding, they might as well use semanage to add the custom ports...
>>> I'm still clueless on why it is like this on F12 :(
>>
>> Er. Port forwarding is a normal user-visible SSH feature which has
>> been historically enabled. The person using it may not have the
>> authority to change the SELinux permissions.
>>
>> OTOH, I think GatewayPorts defaults to no. So SELinux could back that
>> up and restrict non-22 listens to localhost without changing the SSH
>> default configuration. Also, listens on privileged ports (<=1024) are
>> denied for non-root users so denying that in the SELinux policy
>> wouldn't be harmful.
>
> As far as I can tell SELinux only allows bind access to unreserved ports. I think that means > 1024. (not sure though)
>
>> It might be handy to add comments to the relevant configuration files
>> mentioning the SELinux limitations. It can be rather annoying when you
>> change a setting only to have the change mooted by some SELinux
>> imposed limitation. Some simple comments would go a long way in
>> reducing confusions.
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Port forwarding requires allowing ssh to bind to ports > 1024:

corenet_tcp_bind_all_unreserved_ports

I guess we could add a boolean to allow this to be turned off.
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
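The boolean the reply proposes, sketched as a reference-policy module. This is an added example and not code from the Fedora policy or from anyone on the thread; the tunable name sshd_bind_unreserved_ports and the module name are made up for illustration. In the shipped policy the corenet_tcp_bind_all_unreserved_ports(sshd_t) call would have to be moved under the tunable in ssh.te rather than added alongside it, otherwise the unconditional allow rule still wins.

```selinux
# sshd_unreserved_ports.te  (hypothetical module, names are illustrative)
policy_module(sshd_unreserved_ports, 1.0.0)

########################################
#
# Declarations
#

gen_require(`
	type sshd_t;
')

## <desc>
##	<p>
##	Allow sshd to bind to all unreserved TCP ports (> 1024).
##	Remote port forwarding (ssh -R) needs this because the listener
##	lives inside sshd_t. Turn it off to confine sshd to ssh_port_t
##	and ports added with semanage port -a -t ssh_port_t.
##	</p>
## </desc>
gen_tunable(sshd_bind_unreserved_ports, true)

########################################
#
# Policy
#

tunable_policy(`sshd_bind_unreserved_ports',`
	# Only granted while the boolean is on; with it off the
	# name_bind on unreserved_port_t is denied and logged in AVC.
	corenet_tcp_bind_all_unreserved_ports(sshd_t)
')
```

Built with the policy devel Makefile (make -f /usr/share/selinux/devel/Makefile) and loaded with semodule -i, the rule is toggled with setsebool -P sshd_bind_unreserved_ports off and can be checked with sesearch -A -s sshd_t -t unreserved_port_t -c tcp_socket -p name_bind, which lists the rule as conditional on the boolean. Note that turning it off only governs the bind; it does not by itself give the localhost-only restriction Gregory suggests, since SELinux port labels do not distinguish the bind address.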