12-26-2009, 02:40 AM
Jorge Fábregas

No AVC when using non-standard SSH port

Hello everyone,

I'm using Fedora 12 and was wondering why, if I run my sshd on a
non-standard port, SELinux doesn't register an access violation.

I see that "ssh_port_t" is there (attached to port 22) ... Is this not
implemented yet for SSHD?

Thanks,
Jorge

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
12-26-2009, 03:27 AM
Chuck Anderson

On Fri, Dec 25, 2009 at 11:40:23PM -0400, Jorge Fábregas wrote:
> I'm using Fedora 12 and was wondering why, if I run my sshd on a
> non-standard port, SELinux doesn't register an access violation.
>
> I see that "ssh_port_t" is there (attached to port 22) ... Is this not
> implemented yet for SSHD?

On F11, I was required to use this policy to bind sshd to a
non-standard port. I haven't upgraded this particular system to F12
yet, so I'm not sure if it is required there.

# Local policy module; build with the usual make -f /usr/share/selinux/devel/Makefile
# and load the resulting .pp with semodule -i.
policy_module(sshd, 1.0)

require {
	type sshd_t;
}

#============= sshd_t ==============
# Allow sshd to name_bind to every port labelled http_port_t
# (the ports `semanage port -l` lists for that type).
corenet_tcp_bind_http_port(sshd_t)

 
12-26-2009, 10:27 AM
Dominick Grift

On Fri, Dec 25, 2009 at 11:40:23PM -0400, Jorge Fábregas wrote:
> Hello everyone,
>
> I'm using Fedora 12 and was wondering why, if I run my sshd on a
> non-standard port, SELinux doesn't register an access violation.
>
> I see that "ssh_port_t" is there (attached to port 22) ... Is this not
> implemented yet for SSHD?


Hi,

Good question. It seems that the policy maintainer decided to allow sshd_t to bind to all unreserved ports.

corenet_tcp_bind_all_unreserved_ports($1_t) in ssh_server_template services/ssh.if

I don't know why, and I'd rather not allow it to bind to all unreserved ports by default either.

>
> Thanks,
> Jorge
>
 
12-26-2009, 11:41 AM
Matthew Miller

On Sat, Dec 26, 2009 at 12:27:28PM +0100, Dominick Grift wrote:
> > I'm using Fedora 12 and was wondering why, if I run my sshd on a
> > non-standard port, SELinux doesn't register an access violation.
> > I see that "ssh_port_t" is there (attached to port 22) ... Is this not
> > implemented yet for SSHD?
> Good question. It seems that the policy maintainer decided to allow sshd_t to bind to all unreserved ports.
> corenet_tcp_bind_all_unreserved_ports($1_t) in ssh_server_template services/ssh.if
> I don't know why, and I'd rather not allow it to bind to all unreserved ports by default either.

Possibly needed for ssh port forwarding?

--
Matthew Miller mattdm@mattdm.org <http://mattdm.org/>

 
12-29-2009, 12:55 AM
Jorge Fábregas

On Saturday 26 December 2009 08:41:56 Matthew Miller wrote:
> Possibly needed for ssh port forwarding?

I don't think this is the reason. If someone's tech-savvy enough to do
port forwarding, they might as well use semanage to add the custom ports...
I'm still clueless on why it is like this on F12.

Best regards,
Jorge

 
12-29-2009, 06:06 AM
Gregory Maxwell

2009/12/28 Jorge Fábregas <jorge.fabregas@gmail.com>:
> On Saturday 26 December 2009 08:41:56 Matthew Miller wrote:
>> Possibly needed for ssh port forwarding?
>
> I don't think this is the reason. If someone's tech-savvy enough to do
> port forwarding, they might as well use semanage to add the custom ports...
> I'm still clueless on why it is like this on F12.

Er. Port forwarding is a normal user-visible SSH feature which has
been historically enabled. The person using it may not have the
authority to change the SELinux permissions.

OTOH, I think GatewayPorts defaults to no. So SELinux could back that
up and restrict non-22 listens to localhost without changing the SSH
default configuration. Also, listens on privileged ports (<=1024) are
denied for non-root users so denying that in the SELinux policy
wouldn't be harmful.

It might be handy to add comments to the relevant configuration files
mentioning the SELinux limitations. It can be rather annoying when you
change a setting only to have the change mooted by some SELinux
imposed limitation. Some simple comments would go a long way in
reducing confusions.

 
12-29-2009, 10:26 AM
Dominick Grift

On Tue, Dec 29, 2009 at 02:06:37AM -0500, Gregory Maxwell wrote:
> 2009/12/28 Jorge Fábregas <jorge.fabregas@gmail.com>:
> > On Saturday 26 December 2009 08:41:56 Matthew Miller wrote:
> >> Possibly needed for ssh port forwarding?
> >
> > I don't think this is the reason. If someone's tech-savvy enough to do
> > port forwarding, they might as well use semanage to add the custom ports...
> > I'm still clueless on why it is like this on F12.
>
> Er. Port forwarding is a normal user-visible SSH feature which has
> been historically enabled. The person using it may not have the
> authority to change the SELinux permissions.
>
> OTOH, I think GatewayPorts defaults to no. So SELinux could back that
> up and restrict non-22 listens to localhost without changing the SSH
> default configuration. Also, listens on privileged ports (<=1024) are
> denied for non-root users so denying that in the SELinux policy
> wouldn't be harmful.

As far as I can tell, SELinux only allows bind access to unreserved ports. I think that means > 1024 (not sure, though).


>
> It might be handy to add comments to the relevant configuration files
> mentioning the SELinux limitations. It can be rather annoying when you
> change a setting only to have the change mooted by some SELinux
> imposed limitation. Some simple comments would go a long way in
> reducing confusions.
>
 
12-30-2009, 01:19 PM
Daniel J Walsh

On 12/29/2009 06:26 AM, Dominick Grift wrote:
> On Tue, Dec 29, 2009 at 02:06:37AM -0500, Gregory Maxwell wrote:
>> 2009/12/28 Jorge Fábregas <jorge.fabregas@gmail.com>:
>>> On Saturday 26 December 2009 08:41:56 Matthew Miller wrote:
>>>> Possibly needed for ssh port forwarding?
>>>
>>> I don't think this is the reason. If someone's tech-savvy enough to do
>>> port forwarding, they might as well use semanage to add the custom ports...
>>> I'm still clueless on why it is like this on F12.
>>
>> Er. Port forwarding is a normal user-visible SSH feature which has
>> been historically enabled. The person using it may not have the
>> authority to change the SELinux permissions.
>>
>> OTOH, I think GatewayPorts defaults to no. So SELinux could back that
>> up and restrict non-22 listens to localhost without changing the SSH
>> default configuration. Also, listens on privileged ports (<=1024) are
>> denied for non-root users so denying that in the SELinux policy
>> wouldn't be harmful.
>
> As far as I can tell, SELinux only allows bind access to unreserved ports. I think that means > 1024 (not sure, though).
>
>
>>
>> It might be handy to add comments to the relevant configuration files
>> mentioning the SELinux limitations. It can be rather annoying when you
>> change a setting only to have the change mooted by some SELinux
>> imposed limitation. Some simple comments would go a long way in
>> reducing confusions.
>>
Port forwarding requires allowing ssh to bind to ports > 1024.

corenet_tcp_bind_all_unreserved_ports

I guess we could add a boolean to allow this to be turned off.

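Editor's worked example, not code from the thread, from Fedora or from the reference policy. It models the decision the thread pieces together: why Jorge's sshd on a non-standard port produced no AVC (the port falls into unreserved_port_t, which corenet_tcp_bind_all_unreserved_ports grants sshd_t), why Chuck needed corenet_tcp_bind_http_port for a port labelled http_port_t, and what changes if the unreserved rule Dan mentions were turned off and the port were instead labelled with `semanage port -a -t ssh_port_t -p tcp PORT`. The port table is a constructed subset of what `semanage port -l` prints; the range defaults (below 1024 reserved_port_t, otherwise unreserved_port_t) and the membership of the unreserved_port_type attribute are assumptions written into the data, not facts the thread states.

```python
"""Model of SELinux's tcp_socket name_bind decision for sshd_t (added example).

Assumptions, labelled in the data below: an unlabelled port below 1024 is
reserved_port_t and one at or above 1024 is unreserved_port_t; named port
types whose numbers sit above 1023 carry the unreserved_port_type attribute.
"""
from dataclasses import dataclass, field

# Constructed subset of a `semanage port -l` listing: type -> TCP ports.
PORTCON = {
    "ssh_port_t": {22},
    "http_port_t": {80, 443, 488, 8008, 8009, 8443},
    "http_cache_port_t": {3128, 8080},
}

# Assumption: members of the unreserved_port_type attribute in this model,
# i.e. what corenet_tcp_bind_all_unreserved_ports() grants name_bind on.
UNRESERVED_PORT_TYPE = {"unreserved_port_t", "http_cache_port_t"}


def port_type(port, portcon=PORTCON):
    """Type of a TCP port: an explicit portcon entry wins, else the range default."""
    for type_name, ports in portcon.items():
        if port in ports:
            return type_name
    return "reserved_port_t" if port < 1024 else "unreserved_port_t"


@dataclass
class SshdBindPolicy:
    """The tcp_socket name_bind rules in effect for sshd_t."""
    port_types: set = field(default_factory=lambda: {"ssh_port_t"})
    # corenet_tcp_bind_all_unreserved_ports(sshd_t), the rule the thread found
    all_unreserved: bool = True

    def may_bind(self, port, portcon=PORTCON):
        """Return (allowed, port type) for an sshd bind() to `port`."""
        type_name = port_type(port, portcon)
        if type_name in self.port_types:
            return True, type_name
        if self.all_unreserved and type_name in UNRESERVED_PORT_TYPE:
            return True, type_name
        return False, type_name


def avc_for(port, policy, portcon=PORTCON):
    """Empty string if the bind is allowed, else an AVC line in the shape
    audit.log would carry (constructed; pid and timestamp omitted)."""
    allowed, type_name = policy.may_bind(port, portcon)
    if allowed:
        return ""
    return ('avc:  denied  { name_bind } for  comm="sshd" src=%d '
            'scontext=system_u:system_r:sshd_t:s0 '
            'tcontext=system_u:object_r:%s:s0 tclass=tcp_socket' % (port, type_name))


def semanage_port_add(portcon, type_name, port):
    """Model `semanage port -a -t TYPE -p tcp PORT`: returns a new mapping with
    the port labelled TYPE. Like the real tool, refuses a port that already
    has an explicit label (that case needs `semanage port -m`)."""
    for existing, ports in portcon.items():
        if port in ports:
            raise ValueError("port %d already defined as %s" % (port, existing))
    new = {t: set(p) for t, p in portcon.items()}
    new.setdefault(type_name, set()).add(port)
    return new


def scenarios():
    """The cases discussed in the thread, as (label, allowed, port type)."""
    f12 = SshdBindPolicy()                                                 # stock rules
    with_http = SshdBindPolicy(port_types={"ssh_port_t", "http_port_t"})   # + Chuck's module
    strict = SshdBindPolicy(all_unreserved=False)                          # unreserved rule off
    relabelled = semanage_port_add(PORTCON, "ssh_port_t", 2222)            # semanage port -a
    return [
        ("F12, sshd on 2222 (Jorge: no AVC)",) + f12.may_bind(2222),
        ("F12, sshd on 443",) + f12.may_bind(443),
        ("F12 + corenet_tcp_bind_http_port, sshd on 443",) + with_http.may_bind(443),
        ("unreserved rule off, sshd on 2222",) + strict.may_bind(2222),
        ("unreserved rule off, 2222 labelled ssh_port_t",) + strict.may_bind(2222, relabelled),
    ]


if __name__ == "__main__":
    for label, allowed, type_name in scenarios():
        print("%-48s %s (%s)" % (label, "allowed" if allowed else "DENIED", type_name))
    print(avc_for(443, SshdBindPolicy()))
```

On a real Fedora host the same questions are answered by the tools rather than by this model: `semanage port -l | grep -w ssh_port_t` shows which ports carry the label, `sesearch -A -s sshd_t -c tcp_socket -p name_bind` lists every port type (and attribute) sshd_t may bind, and `ausearch -m avc -c sshd` shows the denials that do occur. The semanage_port_add check mirrors a practical caveat: `semanage port -a` refuses a port that already has a label, so moving sshd onto such a port needs `semanage port -m` or a module like Chuck's.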
 
