Bug 546648 - ssh port forwarding does not work with SELinux (missing bool)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Duplicates: 546646
Reported: 2015-04-15 01:16 UTC by schmitt953
Modified: 2015-04-16 21:29 UTC
Description schmitt953 2015-04-15 01:16:08 UTC
I was unable to find a boolean for sshd_port_forward. Here are some of the avc logs:
[2401301.025918] type=1401 audit(1429061322.478:1683): security_compute_sid:  invalid context root:sysadm_r:sshd_t:s0-s0:c0.c1023 for scontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tclass=tcp_socket
[2401301.026054] type=1401 audit(1429061322.478:1684): security_compute_sid:  invalid context root:sysadm_r:sshd_t:s0-s0:c0.c1023 for scontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
[2401301.026176] type=1401 audit(1429061322.478:1685): security_compute_sid:  invalid context root:sysadm_r:sshd_t:s0-s0:c0.c1023 for scontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

I think we just need to add a boolean to a policy.
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2015-04-16 18:45:43 UTC
Your SSH daemon is running in the wrong role. It should be using system_r, not sysadm_r.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2015-04-16 18:46:05 UTC
*** Bug 546646 has been marked as a duplicate of this bug. ***
Comment 3 Jason Zaman gentoo-dev 2015-04-16 21:29:23 UTC
We discussed this on IRC; the best way is to add the port with:

semanage port --add -t ssh_port_t -p tcp 1243

I'm closing this; re-open if there is anything else.
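
Added example (not part of the bug thread or of Gentoo's policy code): a small triage script for the diagnosis in Comment 1, which reads audit lines like the ones in the description and flags any whose source context has a daemon domain in the wrong role. The function names and the `EXPECTED_ROLE` map are assumptions of this sketch, and the third sample line is constructed.

```python
import re

# Role each daemon domain should run in. sshd_t -> system_r comes from
# Comment 1; any further entries would be the operator's own (assumption).
EXPECTED_ROLE = {"sshd_t": "system_r"}

SCONTEXT = re.compile(r"\bscontext=(\S+)")
SERIAL = re.compile(r"audit\(\d+\.\d+:(\d+)\)")

# First two lines are from the report; the third is constructed for contrast.
SAMPLE = """\
[2401301.025918] type=1401 audit(1429061322.478:1683): security_compute_sid:  invalid context root:sysadm_r:sshd_t:s0-s0:c0.c1023 for scontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tclass=tcp_socket
[2401301.026054] type=1401 audit(1429061322.478:1684): security_compute_sid:  invalid context root:sysadm_r:sshd_t:s0-s0:c0.c1023 for scontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
[2401400.000000] type=1400 audit(1429061400.000:1700): avc:  denied  { name_bind } for  pid=4242 comm="sshd" src=1243 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

def split_context(ctx):
    """Split user:role:type[:range]; the MLS/MCS range can contain ':' itself."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        return None
    return tuple(parts) if len(parts) == 4 else (*parts, "")

def wrong_role_events(log_text):
    """Return one finding per audit line whose source domain has an unexpected role."""
    findings = []
    for line in log_text.splitlines():
        match = SCONTEXT.search(line)
        ctx = split_context(match.group(1)) if match else None
        if ctx is None:
            continue
        user, role, setype, _mls = ctx
        expected = EXPECTED_ROLE.get(setype)
        if expected and role != expected:
            serial = SERIAL.search(line)
            findings.append({
                "serial": int(serial.group(1)) if serial else None,
                "user": user, "role": role, "type": setype, "expected": expected,
            })
    return findings

if __name__ == "__main__":
    for f in wrong_role_events(SAMPLE):
        print(f"audit serial {f['serial']}: {f['type']} in role {f['role']}, expected {f['expected']}")
```

On a live system, `ps -eZ` shows the context sshd is currently running in, and `semanage port -l` lists which ports carry `ssh_port_t`.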