Re: No AVC when using non-standard SSH port

2009/12/28 Jorge Fábregas <jorge.fabregas(a)gmail.com&gt;: > On Saturday 26 December 2009 08:41:56 Matthew Miller wrote: >> Possibly needed for ssh port forwarding? > > I don't think this might be the reason. If someone's tech-savvy enough to do > port forwarding, they might as well use semanage to add the custom ports... > I'm still clueless on why it is like this on F12 :( Er. Port forwarding is a normal user-visible SSH feature which has been historically enabled. The person using it may not have the authority to change the SE linux permissions. OTOH, I think GatewayPorts defaults to no. So SELinux could back that up and restrict non-22 listens to localhost without changing the SSH default configuration. Also, listens on privileged ports (<=1024) are denied for non-root users so denying that in the SELinux policy wouldn't be harmful.

It might be handy to add comments to the relevant configuration files mentioning the SELinux limitations. It can be rather annoying when you change a setting only to have the change mooted by some SELinux imposed limitation. Some simple comments would go a long way in reducing confusions. -- fedora-selinux-list mailing list fedora-selinux-list(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list