Hello. I have a guest user with the guest_t domain. I want this user to be able to connect to the network only on a few allowed ports. It works when the user connects to the host by ssh and tries to connect to the network, but not when it tries to do it using ssh port forwarding.

By default, the sshd policy allows the sshd daemon to connect to any tcp port: there is this line in the ssh.if file, in the ssh_server_template definition:

    corenet_tcp_connect_all_ports($1_t)

I commented this line out and recompiled the module, but port forwarding still works. I also grepped the tmp/ssh.tmp file to be sure that access, i.e. to httpd_port_t, is not enabled by this module, but only dns, ldap, and a bunch of other ports not including any http port. This query:

    sesearch -SC --allow -s sshd_t -c tcp_socket -p name_connect

gives me the same port list as in the .tmp file (dns and ldap) and two lines with those cryptic @ttr which I cannot understand.

Adding

    auditallow domain port_type:tcp_socket name_connect;

produces this record in the logs when I connect to the forwarded port:

    type=AVC msg=audit(1276082912.292:133): avc: granted { name_connect } for pid=4872 comm="sshd" dest=80 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

Steps I do to make the forwarding:

    ssh -L 9234:any-www-host:80 -f -p 22 -l guest -N my-selinux-host
    wget 'http://localhost:9234'

and I see that the file is loaded, so port forwarding happens.

I've also tried to change sshd_t to another name to make sure it's not allowed directly somewhere in the base policy or other modules. It's not.

So, I have 2 questions here:

1. Shouldn't the ssh forwarding be a boolean in the policy?

2. What should I modify now (or how do I find what to modify) to deny sshd connecting to ports at all?

--
Regards,
Sergey Noskov

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
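An added example, not part of Sergey's message or of the SELinux policy sources: a small Python parser that picks the sshd_t name_connect records (like the granted AVC quoted above, which the auditallow rule produces) out of an audit log and summarizes which port types sshd actually reaches. Running it over /var/log/audit/audit.log before and after a policy change is one way to confirm the forwarding path really closed. The "denied" line in the sample log is constructed for contrast; the granted line is the one from the message.

```python
import re
from collections import Counter

# Constructed sample log: line 1 is the granted record from the message,
# line 2 is a made-up denied record, line 3 is a non-AVC record to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1276082912.292:133): avc: granted { name_connect } for pid=4872 comm="sshd" dest=80 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1276082950.100:134): avc: denied { name_connect } for pid=4890 comm="sshd" dest=443 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1276082912.292:133): arch=c000003e syscall=42 success=yes
"""

# "avc: granted { perm ... }" or "avc: denied { perm ... }", then key=value fields.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r"(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated field of a context (user:role:type:...).
    if "scontext" in rec:
        rec["stype"] = rec["scontext"].split(":")[2]
    if "tcontext" in rec:
        rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def sshd_outbound_connects(log_text):
    """List every tcp_socket name_connect by sshd_t as (decision, dest port, port type)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec.get("stype") == "sshd_t" and rec.get("tclass") == "tcp_socket"
                and "name_connect" in rec["perms"]):
            hits.append((rec["decision"], int(rec.get("dest", 0)), rec["ttype"]))
    return hits

def granted_per_port_type(hits):
    """Count granted connects per target port type; empty once the policy denies them."""
    return Counter(ttype for decision, _, ttype in hits if decision == "granted")

if __name__ == "__main__":
    found = sshd_outbound_connects(SAMPLE_AUDIT_LOG)
    print(found)
    print(granted_per_port_type(found))
```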