06-21-2010, 11:00 AM
Sergey Noskov

Cannot turn off port forwarding for sshd

Hello.

I have a guest user in the guest_t domain. I want this user to connect to
the network only on a few allowed ports. It works when the user connects
to the host by ssh and tries to connect to the network, but not when it
tries to do it using ssh port forwarding.

By default, the sshd policy allows the sshd daemon to connect to any tcp
port: there is this line in the ssh.if file, in the ssh_server_template definition:

corenet_tcp_connect_all_ports($1_t)

I commented out this line and recompiled the module, but port forwarding
still works. I also grepped the tmp/ssh.tmp file to be sure that access,
i.e. to httpd_port_t, is not enabled by this module, but only dns, ldap,
and a bunch of other ports, not including any http port.

This request:

sesearch -SC --allow -s sshd_t -c tcp_socket -p name_connect

gives me the same port list as in the .tmp file (dns and ldap) and two
lines with those cryptic @ttr which I cannot understand.

Adding

auditallow domain port_type:tcp_socket name_connect;

makes this record in the logs when I connect to the forwarded port:

type=AVC msg=audit(1276082912.292:133): avc: granted { name_connect }
for pid=4872 comm="sshd" dest=80
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

Steps I do to make forwarding:

ssh -L 9234:any-www-host:80 -f -p 22 -l guest -N my-selinux-host
wget 'http://localhost:9234'
and see that the file is loaded, so port forwarding happens.

I've also tried to change sshd_t to another name to make sure it's not
allowed directly somewhere in the base policy or other modules. It's
not.

So, I have 2 questions here:
1. Shouldn't ssh forwarding be a boolean in the policy?
2. What should I modify now (or how do I find what to modify) to deny sshd
connects to ports at all?

--
Regards,
Sergey Noskov


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
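The post above relies on an auditallow rule to prove that a forwarded connection is granted to sshd_t rather than to the guest's own domain, and on sesearch to look for the rule that grants it; the `@ttr` entries in that sesearch output are type attributes (groups of types) whose names the compiled policy does not keep, and a rule that grants name_connect to an attribute containing sshd_t is a grant just as much as a rule naming sshd_t directly. The following script is an added example by the editor, not code from the thread: it parses AVC records of the kind the auditallow rule writes to the audit log and keeps only those that show a chosen domain being granted name_connect to a port type, which is the quickest way to confirm whether a policy change actually closed the forward. The first sample record is the poster's (with the context string repaired); the second, a denied connect from guest_t, is constructed for the example.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): summarize SELinux AVC records
# and list the port types a domain was granted name_connect to.
set -f   # records are split on whitespace below; never glob-expand tokens

# Constructed sample input. Record 1 is the poster's granted record; record 2
# (guest_t denied a connect to 443) is assumed for the example.
SAMPLE_AVC='type=AVC msg=audit(1276082912.292:133): avc: granted { name_connect } for pid=4872 comm="sshd" dest=80 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1276082950.417:140): avc: denied { name_connect } for pid=4901 comm="curl" dest=443 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'

# Third colon-separated field of a security context: the type
# (a domain for scontext, a port type such as http_port_t for tcontext).
ctx_type() {
    rest=${1#*:}       # drop the SELinux user
    rest=${rest#*:}    # drop the role
    printf '%s\n' "${rest%%:*}"
}

# Read AVC records on stdin and print one summary line per record:
#   decision permission source_type target_type dest comm
# Absent fields are printed as "-" so read(1) keeps the columns aligned.
avc_summarize() {
    while IFS= read -r line; do
        case $line in type=AVC*) ;; *) continue ;; esac
        decision=- perm=- stype=- ttype=- dest=- comm=-
        prev=
        for tok in $line; do
            case $tok in
                granted|denied)
                    # the word right after "avc:" is the decision
                    if [ "$prev" = "avc:" ]; then decision=$tok; fi ;;
                scontext=*) stype=$(ctx_type "${tok#scontext=}") ;;
                tcontext=*) ttype=$(ctx_type "${tok#tcontext=}") ;;
                dest=*)     dest=${tok#dest=} ;;
                comm=*)     comm=${tok#comm=}; comm=${comm#\"}; comm=${comm%\"} ;;
            esac
            prev=$tok
        done
        # permission set is written as "{ perm }"; take the first one
        case $line in
            *'{ '*' }'*) perm=${line#*\{ }; perm=${perm%% \}*} ;;
        esac
        printf '%s %s %s %s %s %s\n' "$decision" "$perm" "$stype" "$ttype" "$dest" "$comm"
    done
}

# Keep only records where DOMAIN (default sshd_t) was *granted* name_connect,
# which is exactly what a working port forward produces under the poster's
# "auditallow domain port_type:tcp_socket name_connect;" rule.
# Output: "dest target_port_type comm".
granted_connects() {
    domain=${1:-sshd_t}
    avc_summarize | while read -r decision perm stype ttype dest comm; do
        if [ "$decision" = granted ] && [ "$perm" = name_connect ] && [ "$stype" = "$domain" ]; then
            printf '%s %s %s\n' "$dest" "$ttype" "$comm"
        fi
    done
}

# Stand-alone run over the constructed sample. On a real host, feed it the
# audit log instead:  ausearch -m avc -ts recent | granted_connects sshd_t
printf '%s\n' "$SAMPLE_AVC" | granted_connects sshd_t
```

After a policy change, leave the auditallow rule loaded, repeat the `ssh -L` plus `wget` steps from the post, and run the audit log through `granted_connects sshd_t`: an empty result means no rule, direct or via an attribute, still grants the connect. On policies that carry the sshd_forward_ports boolean mentioned later in the thread, the state to check is `getsebool sshd_forward_ports`, and `setsebool -P sshd_forward_ports off` is the persistent way to turn the forward off.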
06-22-2010, 01:07 PM
Daniel J Walsh

Cannot turn off port forwarding for sshd

On 06/21/2010 07:00 AM, Sergey Noskov wrote:
> Hello.
>
> I have a guest user in the guest_t domain. I want this user to connect to
> the network only on a few allowed ports. It works when the user connects
> to the host by ssh and tries to connect to the network, but not when it
> tries to do it using ssh port forwarding.
>
> By default, the sshd policy allows the sshd daemon to connect to any tcp
> port: there is this line in the ssh.if file, in the ssh_server_template definition:
>
> corenet_tcp_connect_all_ports($1_t)
>
> I commented out this line and recompiled the module, but port forwarding
> still works. I also grepped the tmp/ssh.tmp file to be sure that access,
> i.e. to httpd_port_t, is not enabled by this module, but only dns, ldap,
> and a bunch of other ports, not including any http port.
>
> This request:
>
> sesearch -SC --allow -s sshd_t -c tcp_socket -p name_connect
>
> gives me the same port list as in the .tmp file (dns and ldap) and two
> lines with those cryptic @ttr which I cannot understand.
>
> Adding
>
> auditallow domain port_type:tcp_socket name_connect;
>
> makes this record in the logs when I connect to the forwarded port:
>
> type=AVC msg=audit(1276082912.292:133): avc: granted { name_connect }
> for pid=4872 comm="sshd" dest=80
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
>
> Steps I do to make forwarding:
>
> ssh -L 9234:any-www-host:80 -f -p 22 -l guest -N my-selinux-host
> wget 'http://localhost:9234'
> and see that the file is loaded, so port forwarding happens.
>
> I've also tried to change sshd_t to another name to make sure it's not
> allowed directly somewhere in the base policy or other modules. It's
> not.
>
> So, I have 2 questions here:
> 1. Shouldn't ssh forwarding be a boolean in the policy?
Probably.
> 2. What should I modify now (or how do I find what to modify) to deny sshd
> connects to ports at all?
>
Send me a patch with the boolean defined.



06-29-2010, 05:45 AM
Sergey Noskov

Cannot turn off port forwarding for sshd

On 22/06/10 17:07, Daniel J Walsh wrote:
>> So, I have 2 questions here:
>> 1. Shouldn't ssh forwarding be a boolean in the policy?
> Probably.
>> 2. What should I modify now (or how do I find what to modify) to deny sshd
>> connects to ports at all?
>>
> Send me a patch with the boolean defined.
I could do this, but only after I find where the problem is, because I
still can't disable forwarding. I'm trying to comment out the line that
for sure enables it (see my first message), but forwarding still works
and I cannot find any other line that could possibly do that.

Finding the place, where it's enabled is the help I'm currently asking for.
07-12-2010, 05:46 PM
Daniel J Walsh

Cannot turn off port forwarding for sshd

On 06/29/2010 01:45 AM, Sergey Noskov wrote:
> On 22/06/10 17:07, Daniel J Walsh wrote:
>>> So, I have 2 questions here:
>>> 1. Shouldn't ssh forwarding be a boolean in the policy?
>> Probably.
>>> 2. What should I modify now (or how do I find what to modify) to deny sshd
>>> connects to ports at all?
>>>
>> Send me a patch with the boolean defined.
> I could do this, but only after I find where the problem is, because I
> still can't disable forwarding. I'm trying to comment out the line that
> for sure enables it (see my first message), but forwarding still works
> and I cannot find any other line that could possibly do that.
>
> Finding the place where it's enabled is the help I'm currently asking for.
Hi, I am just back from vacation. Sorry for not getting back to you sooner.


I am adding sshd_forward_ports boolean to Rawhide.