Linux Archive (http://www.linux-archive.org/)
-   Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
-   -   Cannot turn off port forwarding for sshd (http://www.linux-archive.org/fedora-selinux-support/389118-cannot-turn-off-port-forwarding-sshd.html)

Sergey Noskov 06-21-2010 11:00 AM

Cannot turn off port forwarding for sshd
 
Hello.

I have a guest user with the guest_t domain. I want this user to connect
to the network only on a few allowed ports. It works when the user connects
to the host by ssh and tries to connect to the network, but not when it tries
to do so using ssh port forwarding.

By default, the sshd policy allows the sshd daemon to connect any tcp
port: there is the string in ssh.if file in ssh_server_template definition:

corenet_tcp_connect_all_ports($1_t)

I comment out this string and recompile the module, but port forwarding still
works. I also grep the tmp/ssh.tmp file to be sure that access, e.g. to
httpd_port_t, is not enabled by this module, but only dns, ldap, and a
bunch of other ports not including any http port.

This request:

sesearch -SC --allow -s sshd_t -c tcp_socket -p name_connect

gives me the same port list as in the .tmp file (dns and ldap) and two
strings with those cryptic @ttr which I cannot understand.

Adding

auditallow domain port_type:tcp_socket name_connect;

makes the record in logs when I connect to forwarded port:

type=AVC msg=audit(1276082912.292:133): avc: granted { name_connect }
for pid=4872 comm="sshd" dest=80
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

Steps I take to set up the forwarding:

ssh -L 9234:any-www-host:80 -f -p 22 -l guest -N my-selinux-host
wget 'http://localhost:9234'
and see that the file is loaded, so port forwarding happens.

I've also tried to change sshd_t to another name to make sure it's
not allowed directly somewhere in the base policy or other modules. It's
not.

So, I have 2 questions here:
1. Shouldn't ssh forwarding be a boolean in the policy?
2. What should I modify now (or how do I find what to modify) to deny sshd
connecting to ports at all?

--
Regards,
Sergey Noskov


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
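As an added illustration (not code from the poster, the list, or the Fedora policy), the following Python reproduces the analysis step the post is stuck on: take the `granted` AVC record, read off the source type, target type, class and permission it reports (note that the record shows the connection being made by comm="sshd" in sshd_t, not by the guest_t user), and search the `sesearch` rule list for the rule that grants it, expanding any `@ttr` target. Names of the form `@ttrNNNN` are typically attributes that libsepol synthesizes when it expands a rule whose type set is written with negation or complement (for example `{ port_type -ssh_port_t }`); `seinfo -a@ttrNNNN -x` lists their member types. The sesearch output and the attribute membership table below are constructed sample data with invented attribute numbers and members; on a real system you would paste in the output of the poster's sesearch command and of seinfo. The AVC record is the one quoted in the post, with its wrapped lines joined.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of setools-3 `sesearch -SC --allow ...` output.
# NOT the poster's real output; the @ttr numbers are invented for illustration.
SESEARCH_OUTPUT = """\
Found 4 semantic av rules:
   allow sshd_t dns_port_t : tcp_socket name_connect ;
   allow sshd_t ldap_port_t : tcp_socket name_connect ;
   allow sshd_t @ttr0042 : tcp_socket name_connect ;
   allow sshd_t @ttr0043 : tcp_socket { name_connect } ;
"""

# Constructed stand-in for what `seinfo -a@ttr0042 -x` would print: the concrete
# types behind each compiler-generated attribute. Membership invented for the example.
ATTRIBUTE_MEMBERS = {
    "@ttr0042": {"dns_port_t", "ldap_port_t", "http_port_t", "smtp_port_t"},
    "@ttr0043": {"unreserved_port_t"},
}

# The granted AVC record quoted in the post (wrapped lines joined).
AVC_RECORD = (
    'type=AVC msg=audit(1276082912.292:133): avc: granted { name_connect } '
    'for pid=4872 comm="sshd" dest=80 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'
)

# "allow SRC TGT : CLASS PERM ;" or "allow SRC TGT : CLASS { PERM PERM } ;"
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+)\s*;"
)
# "avc: granted|denied { perms } for key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)$"
)


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_sesearch(text):
    """Parse the allow rules out of sesearch output; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            perms = m.group("perms").strip("{} ").split()
            rules.append(AllowRule(m.group("src"), m.group("tgt"),
                                   m.group("cls"), frozenset(perms)))
    return rules


def parse_avc(record):
    """Split an AVC audit record into verdict, permission list and key=value fields."""
    m = AVC_RE.search(" ".join(record.split()))
    if not m:
        return None
    fields = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for kv in m.group("kv").split():
        if "=" in kv:
            key, value = kv.split("=", 1)
            fields[key] = value.strip('"')
    return fields


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def expand_target(target, members):
    """Resolve a rule target to concrete types: an attribute expands, a type is itself."""
    return set(members.get(target, {target}))


def rules_granting(rules, members, source, target_type, tclass, perm):
    """Rules whose source matches and whose (expanded) target covers target_type."""
    return [r for r in rules
            if r.source == source and r.tclass == tclass and perm in r.perms
            and target_type in expand_target(r.target, members)]


def explain_avc(record, sesearch_text, members):
    """Map an AVC record to the allow rules that grant it, with attributes expanded.

    Returns a list of (rule, sorted list of concrete target types) pairs.
    """
    avc = parse_avc(record)
    stype, ttype = context_type(avc["scontext"]), context_type(avc["tcontext"])
    rules = parse_sesearch(sesearch_text)
    hits = []
    for perm in avc["perms"]:
        for r in rules_granting(rules, members, stype, ttype, avc["tclass"], perm):
            hits.append((r, sorted(expand_target(r.target, members))))
    return hits


if __name__ == "__main__":
    for rule, types in explain_avc(AVC_RECORD, SESEARCH_OUTPUT, ATTRIBUTE_MEMBERS):
        print(f"allow {rule.source} {rule.target} : {rule.tclass} {sorted(rule.perms)}")
        if rule.target.startswith("@ttr"):
            print("   attribute expands to:", " ".join(types))
```

With the constructed data, the only rule that reaches http_port_t is the one whose target is the synthetic attribute, which is exactly the case where grepping the module's .tmp file for http_port_t finds nothing. The next step on a real box is to run `seinfo` on that attribute and look for the source rule whose type set produced it.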

Daniel J Walsh 06-22-2010 01:07 PM

Cannot turn off port forwarding for sshd
 
On 06/21/2010 07:00 AM, Sergey Noskov wrote:
> Hello.
>
> I have a guest user with the guest_t domain. I want this user to connect
> to the network only on a few allowed ports. It works when the user connects
> to the host by ssh and tries to connect to the network, but not when it tries
> to do so using ssh port forwarding.
>
> By default, the sshd policy allows the sshd daemon to connect any tcp
> port: there is the string in ssh.if file in ssh_server_template definition:
>
> corenet_tcp_connect_all_ports($1_t)
>
> I comment out this string and recompile the module, but port forwarding still
> works. I also grep the tmp/ssh.tmp file to be sure that access, e.g. to
> httpd_port_t, is not enabled by this module, but only dns, ldap, and a
> bunch of other ports not including any http port.
>
> This request:
>
> sesearch -SC --allow -s sshd_t -c tcp_socket -p name_connect
>
> gives me the same port list as in the .tmp file (dns and ldap) and two
> strings with those cryptic @ttr which I cannot understand.
>
> Adding
>
> auditallow domain port_type:tcp_socket name_connect;
>
> makes the record in logs when I connect to forwarded port:
>
> type=AVC msg=audit(1276082912.292:133): avc: granted { name_connect }
> for pid=4872 comm="sshd" dest=80
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
>
> Steps I take to set up the forwarding:
>
> ssh -L 9234:any-www-host:80 -f -p 22 -l guest -N my-selinux-host
> wget 'http://localhost:9234'
> and see that the file is loaded, so port forwarding happens.
>
> I've also tried to change sshd_t to another name to make sure it's
> not allowed directly somewhere in the base policy or other modules. It's
> not.
>
> So, I have 2 questions here:
> 1. Shouldn't ssh forwarding be a boolean in the policy?
Probably.
> 2. What should I modify now (or how do I find what to modify) to deny sshd
> connecting to ports at all?
>
Send me a patch with the boolean defined.




Sergey Noskov 06-29-2010 05:45 AM

Cannot turn off port forwarding for sshd
 
On 22/06/10 17:07, Daniel J Walsh wrote:
>> So, I have 2 questions here:
>> 1. Shouldn't the ssh forwarding be the boolean in the policy?
> Probably.
>> 2. What should I modify now(or how to find, what to modify) to deny sshd
>> connects to ports at all?
>>
> Send me a patch with the boolean defined.
I could do this, but only after I find where the problem is, because I
still can't disable forwarding. I'm trying to comment out the line that for
sure enables it (see my first message), but forwarding still works and I
cannot find any other line that could possibly do that.

Finding the place where it's enabled is the help I'm currently asking for.

Daniel J Walsh 07-12-2010 05:46 PM

Cannot turn off port forwarding for sshd
 
On 06/29/2010 01:45 AM, Sergey Noskov wrote:
> On 22/06/10 17:07, Daniel J Walsh wrote:
>>> So, I have 2 questions here:
>>> 1. Shouldn't the ssh forwarding be the boolean in the policy?
>> Probably.
>>> 2. What should I modify now(or how to find, what to modify) to deny sshd
>>> connects to ports at all?
>>>
>> Send me a patch with the boolean defined.
> I could do this, but only after I find where the problem is, because I
> still can't disable forwarding. I'm trying to comment out the line that for
> sure enables it (see my first message), but forwarding still works and I
> cannot find any other line that could possibly do that.
>
> Finding the place where it's enabled is the help I'm currently asking for.
Hi, I am just back from vacation. Sorry for not getting back to you sooner.


I am adding sshd_forward_ports boolean to Rawhide.

