On 06/21/2010 07:00 AM, Sergey Noskov wrote:
> Hello.
>
> I have a guest user with the guest_t domain. I want this user to connect
> to the network only for a few allowed ports. It works when the user connects
> to the host by ssh and tries to connect to the network, but not when it tries
> to do it using ssh port forwarding.
>
> By default, the sshd policy allows the sshd daemon to connect to any tcp
> port: there is this string in the ssh.if file in the ssh_server_template definition:
>
> corenet_tcp_connect_all_ports($1_t)
>
> I comment this string out and recompile the module, but port forwarding still
> works. I also grep the tmp/ssh.tmp file to be sure that access, i.e. to
> httpd_port_t, is not enabled by this module, but only dns, ldap, and a
> bunch of other ports not including any http port.
>
> This request:
>
> sesearch -SC --allow -s sshd_t -c tcp_socket -p name_connect
>
> gives me the same port list as in the .tmp file (dns and ldap) and two
> strings with those cryptic @ttr which I cannot understand.
>
> Adding
>
> auditallow domain port_type:tcp_socket name_connect;
>
> makes this record in the logs when I connect to the forwarded port:
>
> type=AVC msg=audit(1276082912.292:133): avc: granted { name_connect }
> for pid=4872 comm="sshd" dest=80
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
>
> Steps I do to make forwarding:
>
> ssh -L 9234:any-www-host:80 -f -p 22 -l guest -N my-selinux-host
> wget 'http://localhost:9234'
>
> and see that the file is loaded, so port forwarding happens.
>
> I've also tried to change sshd_t to another name to make sure it's
> not allowed directly somewhere in the base policy or other modules. It's
> not.
>
> So, I have 2 questions here:
> 1. Shouldn't the ssh forwarding be a boolean in the policy? Probably.
> 2. What should I modify now (or how to find what to modify) to deny sshd
> connects to ports at all?
>

Send me a patch with the boolean defined.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
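For readers following the thread, this is what "a patch with the boolean defined" would look like in reference-policy syntax. It is an added illustration written for this page, not code from the thread, from Fedora's ssh module, or from refpolicy. The boolean name `sshd_forward_ports` and the module name `sshd_forward_tunable` are assumptions; the one macro it gates, `corenet_tcp_connect_all_ports`, is the line Sergey found in `ssh_server_template`.

```m4
policy_module(sshd_forward_tunable, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow sshd to connect to any TCP port. This is what
## ssh -L / -R port forwarding needs on the server side;
## turn it off to keep confined users (e.g. guest_t) from
## tunnelling through sshd to ports they cannot reach directly.
## </p>
## </desc>
# Boolean name is an assumption for this example; defaults to on
# so existing forwarding setups keep working until an admin opts out.
gen_tunable(sshd_forward_ports, true)

gen_require(`
	# The sshd domain already defined by the base ssh module.
	type sshd_t;
')

########################################
#
# Policy
#

# The unconditional corenet_tcp_connect_all_ports($1_t) in
# ssh_server_template has to be removed (as done in the thread)
# for this gate to mean anything; otherwise the base rule still
# grants name_connect to every port_type regardless of the boolean.
tunable_policy(`sshd_forward_ports',`
	corenet_tcp_connect_all_ports(sshd_t)
')
```

Once the module is loaded, `setsebool -P sshd_forward_ports off` drops the gated rule, and the `sesearch -SC --allow -s sshd_t -c tcp_socket -p name_connect` query from the thread should no longer list `http_port_t`. If it still does, the remaining grant comes from one of the attribute-based (`@ttr`) rules Sergey saw, which this boolean does not touch; `sesearch` with `-SC` prints the conditional expression next to each rule, so a rule that shows no `[ sshd_forward_ports ]` tag is one to look up in the other modules. The `auditallow` rule from the thread remains the quickest way to confirm, from the audit log, whether a forwarded connection is still being granted.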