commit: 7ac185ee67556768743991f953476fb8c6c80bf2
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon May 2 19:37:06 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 18:41:55 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ac185ee
ssh: add tunable to allow sshd to use remote port forwarding
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/ssh.if | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index b9ed26bc..c438985e 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -174,6 +174,14 @@ template(`ssh_server_template', `
attribute ssh_server;
type sshd_exec_t, sshd_key_t;
')
+
+ ## <desc>
+ ## <p>
+ ## Allow sshd to use remote port forwarding (bind to any TCP port)
+ ## </p>
+ ## </desc>
+ gen_tunable($1_port_forwarding, false)
+
type $1_t, ssh_server;
auth_login_pgm_domain($1_t)
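Review bot: The `<desc>` text on L24 understates what the tunable unlocks: the matching `corenet_tcp_bind_all_ports($1_t)` in the second hunk permits binding to reserved ports and to every port type labelled for other services, not just unreserved ports, and an administrator reading the tunable description should see that before enabling it. A fuller wording would be `## Allow sshd to use remote port forwarding (bind to any TCP port, including reserved ports and ports labelled for other services)`. If forwarding to privileged ports is not a real need, the narrower `corenet_tcp_bind_all_unreserved_ports($1_t)` would be the least-privilege choice for the second hunk, with the description adjusted to match. Both hunks sit inside `ssh_server_template`, whose definition begins before this hunk.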
@@ -265,6 +273,10 @@ template(`ssh_server_template', `
fs_read_cifs_files($1_t)
')
+ tunable_policy(`$1_port_forwarding',`
+ corenet_tcp_bind_all_ports($1_t)
+ ')
+
optional_policy(`
kerberos_use($1_t)
kerberos_manage_host_rcache($1_t)