commit: 7c465c1b14081fd92f63475ce39cdefbc2cc92c4
Author: Antonio Enrico Russo <aerusso <AT> aerusso <DOT> net>
AuthorDate: Sat Mar 8 00:53:33 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:04:55 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7c465c1b
ssh: allow connection to any port
Many ssh servers run on nonstandard ports. Introduce a tunable to allow
connections made to arbitrary ports.
Signed-off-by: Antonio Enrico Russo <aerusso <AT> aerusso.net>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/ssh.te | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index f5f15fd1e..53edd405e 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -26,6 +26,13 @@ gen_tunable(ssh_sysadm_login, false)
## </desc>
gen_tunable(ssh_use_gpg_agent, false)
+## <desc>
+## <p>
+## Allow ssh to connect to arbitrary port
+## </p>
+## </desc>
+gen_tunable(ssh_connect_any_port, false)
+
attribute ssh_server;
attribute ssh_agent_type;
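Review bot: The new `<desc>` block for `ssh_connect_any_port` states only what the admin gains, not what the tunable opens up; judging by the later hunk it maps to `corenet_tcp_connect_all_ports`, which grants ssh_t name_connect on every labelled TCP port, including reserved and privileged ones, not just ssh_port_t. Refpolicy tunable descriptions usually spell out that trade-off so an admin can weigh enabling it. Suggested wording: `Allow the ssh client to connect to any labelled TCP port, not only ssh_port_t. Needed for servers on nonstandard ports, but it also lets ssh reach every other service port; leave disabled unless required.` The default of false is appropriate and worth keeping.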
@@ -177,6 +184,10 @@ userdom_read_user_tmp_files(ssh_t)
# ssh re-executes itself during ProxyJump
ssh_exec(ssh_t)
+tunable_policy(`ssh_connect_any_port',`
+ corenet_tcp_connect_all_ports(ssh_t)
+')
+
tunable_policy(`allow_ssh_keysign',`
domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
')
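Review bot: `corenet_tcp_connect_all_ports(ssh_t)` in the new tunable_policy block is the broadest connect grant corenetwork offers, covering reserved/privileged port labels as well as unreserved ones. If the common case is servers on high ports, `corenet_tcp_connect_all_unreserved_ports(ssh_t)` would be the narrower choice; if privileged ports such as 443 are intentionally in scope, a one-line comment saying so would stop the next reader from narrowing it, e.g. `# all_ports, not all_unreserved_ports: admins commonly put sshd on privileged ports like 443`. Separately, the connect permission alone may not suffice on hosts using SECMARK packet labelling; whether ssh_t already has the matching `corenet_sendrecv_*_client_packets` grant is not visible in this hunk and should be confirmed. The surrounding ssh_t rule set begins outside the hunk.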