On Tue, Dec 29, 2009 at 02:06:37AM -0500, Gregory Maxwell wrote:
2009/12/28 Jorge Fábregas <jorge.fabregas(a)gmail.com>:
> On Saturday 26 December 2009 08:41:56 Matthew Miller wrote:
>> Possibly needed for ssh port forwarding?
>
> I don't think this might be the reason. If someone's tech-savvy enough to do
> port forwarding, they might as well use semanage to add the custom ports...
> I'm still clueless on why it is like this on F12 :(
Er. Port forwarding is a normal user-visible SSH feature which has
been historically enabled. The person using it may not have the
authority to change the SE linux permissions.
OTOH, I think GatewayPorts defaults to no. So SELinux could back that
up and restrict non-22 listens to localhost without changing the SSH
default configuration. Also, listens on privileged ports (<=1024) are
denied for non-root users so denying that in the SELinux policy
wouldn't be harmful.
As far as I can tell SELinux only allows bind access to unreserved ports. I think that
means > 1024. (not sure though)
It might be handy to add comments to the relevant configuration files
mentioning the SELinux limitations. It can be rather annoying when you
change a setting only to have the change mooted by some SELinux
imposed limitation. Some simple comments would go a long way in
reducing confusions.
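The thread turns on two questions an admin hits when moving sshd off port 22: which SELinux port type currently governs the new port, and whether sshd's domain is allowed to bind that type or the port first needs a `semanage port` relabel. The script below, added here as an illustration and not part of the list discussion, answers both from a `semanage port -l` listing. The listing embedded in it is a constructed sample in the same column format, not output captured from a real host, and the set of port types sshd is assumed to be able to bind (`ssh_port_t` plus the generic unreserved range, which is what the thread observes for F12) is policy-version-dependent: check it against the policy actually installed with `sesearch` before relying on it.

```python
"""Decide which SELinux port type governs a port and what relabelling,
if any, an admin needs before sshd can listen there.

Added example (not from the fedora-selinux-list thread). The listing is
a constructed sample in `semanage port -l` format; the ALLOWED_FOR_SSHD
set is an assumption matching the thread's observation and must be
confirmed against the installed policy (e.g. with sesearch)."""
import re
from typing import List, Optional, Tuple

# Constructed sample of `semanage port -l` output (column layout as on
# Fedora); not captured from a real system.
SAMPLE_LISTING = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535
"""

# Generic range types: a port covered only by one of these has no
# specific label, so `semanage port -a` is the right verb. A port that
# already carries a specific label (e.g. http_port_t) must be changed
# with `-m` instead; `-a` would be refused as "already defined".
GENERIC_TYPES = {"reserved_port_t", "hi_reserved_port_t",
                 "unreserved_port_t", "ephemeral_port_t"}

# Assumption (policy-version-specific): port types sshd_t may name_bind.
ALLOWED_FOR_SSHD = {"ssh_port_t", "unreserved_port_t"}

RANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?$")

Entry = Tuple[str, str, int, int]  # (port type, proto, low, high)


def parse_listing(text: str) -> List[Entry]:
    """Turn `semanage port -l` text into (type, proto, lo, hi) tuples.
    Header and blank lines are skipped; comma-separated items may be a
    single port or a lo-hi range."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].endswith("_port_t"):
            continue
        ptype, proto, ports = parts
        for item in ports.split(","):
            m = RANGE_RE.match(item.strip())
            if not m:
                continue
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            entries.append((ptype, proto, lo, hi))
    return entries


def port_types(entries: List[Entry], proto: str, port: int) -> List[str]:
    """All types whose ranges cover (proto, port), narrowest first.
    A specifically labelled port also falls inside the wide unreserved
    range, and the specific label is the one the kernel applies."""
    hits = [(hi - lo, t) for t, p, lo, hi in entries
            if p == proto and lo <= port <= hi]
    return [t for _, t in sorted(hits)]


def sshd_bind_plan(entries: List[Entry], port: int,
                   proto: str = "tcp") -> Tuple[Optional[str], Optional[str]]:
    """Return (governing type or None, semanage command or None).
    The command is None when sshd is assumed able to bind the port as
    labelled; otherwise it is the relabel an admin would run."""
    types = port_types(entries, proto, port)
    governing = types[0] if types else None
    if governing in ALLOWED_FOR_SSHD:
        return governing, None
    verb = "-a" if governing is None or governing in GENERIC_TYPES else "-m"
    return governing, f"semanage port {verb} -t ssh_port_t -p {proto} {port}"


if __name__ == "__main__":
    table = parse_listing(SAMPLE_LISTING)
    for candidate in (22, 222, 2222, 8443):
        label, cmd = sshd_bind_plan(table, candidate)
        print(f"tcp/{candidate}: governed by {label or 'no label'}; "
              f"{'no relabel needed' if cmd is None else cmd}")
```

Feeding it real output (`semanage port -l | python3 script.py` with `SAMPLE_LISTING` swapped for `sys.stdin.read()`) gives the same answer the thread reaches by hand: a high port such as 2222 is already `unreserved_port_t`, while a low custom port has no usable label and needs the explicit `semanage port -a` before sshd can bind it. The `-a` versus `-m` distinction is the check most often tripped over in practice.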
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list