commit: 7ac185ee67556768743991f953476fb8c6c80bf2 Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Mon May 2 19:37:06 2022 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Sep 3 18:41:55 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ac185ee
ssh: add tunable to allow sshd to use remote port forwarding
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
 policy/modules/services/ssh.if | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index b9ed26bc..c438985e 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -174,6 +174,14 @@ template(`ssh_server_template', `
 attribute ssh_server;
 type sshd_exec_t, sshd_key_t;
 ')
+
+ ## <desc>
+ ## <p>
+ ## Allow sshd to use remote port forwarding (bind to any TCP port)
+ ## </p>
+ ## </desc>
+ gen_tunable($1_port_forwarding, false)
+
 type $1_t, ssh_server;
 auth_login_pgm_domain($1_t)
 
@@ -265,6 +273,10 @@ template(`ssh_server_template', `
 fs_read_cifs_files($1_t)
 ')
 
+ tunable_policy(`$1_port_forwarding',`
+ corenet_tcp_bind_all_ports($1_t)
+ ')
+
 optional_policy(`
 kerberos_use($1_t)
 kerberos_manage_host_rcache($1_t)
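Review bot: The tunable description in the first hunk (@@ -174) says "sshd", but the boolean is declared as `$1_port_forwarding` inside ssh_server_template, so any other domain built from this template would presumably get its own boolean carrying the same sshd-specific text. Wording that matches the template would avoid this, for example `## Allow the SSH server domain created by this template to use remote port forwarding`. The description should also say that "any TCP port" includes reserved ports and ports labelled for other services, since that is what an administrator is accepting when enabling the boolean. The template body starts and ends outside the hunk.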
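Review bot: In the second hunk (@@ -265), `corenet_tcp_bind_all_ports($1_t)` grants name_bind on every TCP port type, including reserved ports and ports labelled for other daemons, which is broader than remote forwarding normally needs. If forwarding to unprivileged ports is the intended use, `corenet_tcp_bind_all_unreserved_ports($1_t)` would keep the server domain from binding a port that another confined service owns. If the broad grant is deliberate, a comment inside the block such as `# remote forwards may request any port, including reserved ones` would record that for later reviewers. The boolean defaults to false in the first hunk, so this exposure only applies once it is enabled. The template body continues outside the hunk.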