File suse_modifications_ssh.patch of Package selinux-policy.37503
Index: serefpolicy-20140730/policy/modules/services/ssh.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/services/ssh.te
+++ serefpolicy-20140730/policy/modules/services/ssh.te
@@ -27,6 +27,16 @@ gen_tunable(ssh_sysadm_login, false)
## </desc>
gen_tunable(ssh_chroot_rw_homedirs, false)
+## <desc>
+## <p>
+## Allow sshd to forward port connections. This should work
+## out-of-the-box according to 11b328b4cfa484d55db01a0f127cbc94fa776f48
+## but it doesn't
+## </p>
+## </desc>
+##
+gen_tunable(sshd_forward_ports, false)
+
attribute ssh_dyntransition_domain;
attribute ssh_server;
attribute ssh_agent_type;
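Review bot: The `<desc>` block for sshd_forward_ports records a troubleshooting remark instead of stating what the boolean grants; this text is what the generated tunable documentation shows an administrator deciding whether to enable it, and the rules it switches on (the tunable_policy in the next hunk) are broad. Suggest replacing the three description lines with `Allow sshd to bind any unreserved TCP port and connect to any TCP port, as needed for ssh port forwarding.` and moving the remark about commit 11b328b4cfa484d55db01a0f127cbc94fa776f48 into an ordinary `#` comment above the gen_tunable line, where it stays in the source but out of the published description.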
@@ -291,6 +301,11 @@ corenet_tcp_bind_xserver_port(sshd_t)
corenet_tcp_bind_vnc_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
+tunable_policy(`sshd_forward_ports',`
+ corenet_tcp_bind_all_unreserved_ports(sshd_t)
+ corenet_tcp_connect_all_ports(sshd_t)
+')
+
auth_exec_login_program(sshd_t)
userdom_read_user_home_content_files(sshd_t)
@@ -300,6 +315,9 @@ userdom_spec_domtrans_unpriv_users(sshd_
userdom_signal_unpriv_users(sshd_t)
userdom_dyntransition_unpriv_users(sshd_t)
+allow sshd_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(sshd_t)
+
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
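Review bot: `allow sshd_t var_run_t:sock_file write;` is a raw rule on the generic /run type, so it lets sshd write to every socket file under /run that carries no more specific label, not just the one this change was made for, and nothing in the hunk says which socket that is. Refpolicy convention is to label the socket with a dedicated type (or use an interface from files.if) rather than a bare allow on var_run_t; at minimum the rule needs a comment naming the consumer, e.g. `# needed for <socket path — fill in>; prefer a dedicated type over generic var_run_t`. The same applies to `files_rw_inherited_generic_pid_files(sshd_t)` on the line below it. The ssh_sysadm_login tunable_policy block that follows continues outside the hunk.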