Bug 546648

Summary: ssh port forwarding does not work with SELinux (missing bool)
Product: Gentoo Linux Reporter: schmitt953
Component: SELinux Assignee: SE Linux Bugs <selinux>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description schmitt953 2015-04-15 01:16:08 UTC
I was unable to find a boolean for sshd_port_forward. Here are some of the avc logs:
[2401301.025918] type=1401 audit(1429061322.478:1683): security_compute_sid:  invalid context root:sysadm_r:sshd_t:s0-s0:c0.c1023 for scontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tclass=tcp_socket
[2401301.026054] type=1401 audit(1429061322.478:1684): security_compute_sid:  invalid context root:sysadm_r:sshd_t:s0-s0:c0.c1023 for scontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
[2401301.026176] type=1401 audit(1429061322.478:1685): security_compute_sid:  invalid context root:sysadm_r:sshd_t:s0-s0:c0.c1023 for scontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sshd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

I think we just need to add a boolean to a policy.
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2015-04-16 18:45:43 UTC
Your SSH daemon is running in the wrong role. It should be using system_r, not sysadm_r.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2015-04-16 18:46:05 UTC
*** Bug 546646 has been marked as a duplicate of this bug. ***
Comment 3 Jason Zaman gentoo-dev 2015-04-16 21:29:23 UTC
We discussed this on IRC, the best way is to add the port with:

semanage port --add -t ssh_port_t -p tcp 1243

I'm closing this, re-open if there is anything else.
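
A triage helper for the diagnosis in Comment 1, as an added example that is not part of the original bug thread: it parses the security_compute_sid "invalid context" records quoted in the description and flags sshd_t running under any role other than system_r. The EXPECTED_ROLE table, the function name and the fourth sample line are assumptions of this example; the first three sample lines reproduce the records from the report.

```python
import re
from collections import defaultdict

# Role each daemon domain is expected to run in. The sshd_t entry comes from
# Comment 1; the table itself is an assumption of this example.
EXPECTED_ROLE = {"sshd_t": "system_r"}

LINE_RE = re.compile(
    r"type=1401 audit\([\d.]+:(?P<serial>\d+)\): security_compute_sid:\s+"
    r"invalid context (?P<ctx>\S+) for scontext=\S+ tcontext=\S+ "
    r"tclass=(?P<tclass>\S+)"
)

_CTX = "root:sysadm_r:sshd_t:s0-s0:c0.c1023"
_FMT = ("[{t}] type=1401 audit(1429061322.478:{n}): security_compute_sid:  "
        "invalid context {c} for scontext={c} tcontext={c} tclass={k}")
SAMPLE = "\n".join([
    # The three records from the bug description.
    _FMT.format(t="2401301.025918", n=1683, c=_CTX, k="tcp_socket"),
    _FMT.format(t="2401301.026054", n=1684, c=_CTX, k="unix_dgram_socket"),
    _FMT.format(t="2401301.026176", n=1685, c=_CTX, k="unix_dgram_socket"),
    # Constructed control record: same domain in the expected role.
    _FMT.format(t="2401301.030000", n=1686,
                c="system_u:system_r:sshd_t:s0-s0:c0.c1023", k="tcp_socket"),
])

def role_mismatches(log_text):
    """Group invalid-context records whose role differs from EXPECTED_ROLE."""
    found = defaultdict(lambda: {"count": 0, "tclasses": set(), "serials": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        parts = m["ctx"].split(":", 3)   # user:role:type[:mls-range]
        if len(parts) < 3:
            continue
        role, domain = parts[1], parts[2]
        expected = EXPECTED_ROLE.get(domain)
        if expected is None or role == expected:
            continue
        entry = found[m["ctx"]]
        entry.update(role=role, domain=domain, expected_role=expected)
        entry["count"] += 1
        entry["tclasses"].add(m["tclass"])
        entry["serials"].append(int(m["serial"]))
    return dict(found)

if __name__ == "__main__":
    for ctx, e in role_mismatches(SAMPLE).items():
        print(f"{ctx}: {e['domain']} in {e['role']}, expected {e['expected_role']}"
              f" ({e['count']} records; {', '.join(sorted(e['tclasses']))})")
```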