Change Details

Fedora SELinux policy offers an exemption tunable to allow SSHD to connect to external servers. This changes enables it for the bastion role. Policy is defined in policy/modules/system/authlogin.te as is: `corenet_tcp_connect_http_port(login_pgm)` References: - https://bugzilla.redhat.com/show_bug.cgi?id=841693 - https://github.com/fedora-selinux/selinux-policy/commit/944db72223a1d4137ad8470a4ded38441f97ac24 This configuration block is currently no-op in production, as we don't have any Fedora bastion currently (CentOS is used for Docker engines, but these are not intended to get bastion role).

Fedora SELinux policy offers an exemption tunable to allow a TCP connection to external servers. This changes enables it for the bastion role. Policy is defined in policy/modules/system/authlogin.te as is: `corenet_tcp_connect_http_port(login_pgm)` References: - https://bugzilla.redhat.com/show_bug.cgi?id=841693 - https://github.com/fedora-selinux/selinux-policy/commit/944db72223a1d4137ad8470a4ded38441f97ac24 This configuration block is currently no-op in production, as we don't have any Fedora bastion currently (CentOS is used for Docker engines, but these are not intended to get bastion role).

Fedora SELinux policy offers an exemption tunable to allow SSHD toa TCP connection to external servers. This changes enables it for the bastion role. Policy is defined in policy/modules/system/authlogin.te as is: `corenet_tcp_connect_http_port(login_pgm)` References: - https://bugzilla.redhat.com/show_bug.cgi?id=841693 - https://github.com/fedora-selinux/selinux-policy/commit/944db72223a1d4137ad8470a4ded38441f97ac24 This configuration block is currently no-op in production, as we don't have any Fedora bastion currently (CentOS is used for Docker engines, but these are not intended to get bastion role).