Bug 220059

Summary: selinux doesn't allow openvpn to start on nonstandard udp port
Product: Fedora
Reporter: Marco Colombo <marco>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 6
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-12-18 20:03:37 UTC

Description Marco Colombo 2006-12-18 18:27:34 UTC
Description of problem:
I'm running openvpn on a nonstandard port (udp). I've added the new port (999) to
the port-type database, and now it shows the correct type:
# semanage port -l | fgrep openvpn
openvpn_port_t                 udp      999, 1194

When I start openvpn I get the following avc message:
kernel: audit(1166466194.583:26): avc:  denied  { net_bind_service } for 
pid=2963 comm="openvpn" capability=10 scontext=root:system_r:openvpn_t:s0
tcontext=root:system_r:openvpn_t:s0 tclass=capability

I'm not getting what triggers it.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-7.fc6
openvpn-2.1-0.14.beta16.fc6

How reproducible:
always

Steps to Reproduce:
1. Configure a tunnel based on UDP on a different port than 1194.
2. Start the openvpn service.
  
Actual results:
openvpn fails to start

Expected results:
selinux should allow openvpn to use nonstandard ports

Additional info:
Very likely some other selinux magic is missing, but I can't really figure out
which one. The avc is not port specific, yet it does not occur with port 1194.

Comment 1 Daniel Walsh 2006-12-18 20:03:37 UTC
I believe that in order for a process to open a port < 1024, it requires
net_bind_service.  So if you want openvpn to work on this port, you need to
write some quick local policy:

audit2allow -M myopenvpn < /var/log/audit/audit.log

If you change to use a port > 1024 this change will not be necessary.

Comment 2 Marco Colombo 2006-12-19 09:55:26 UTC
Ok, thanks a lot.
Now I think 'net_bind_service' is somehow deceiving; 'net_bind_privileged' would
be a better name for it, at least to me, but it's definitely a minor issue.

Comment 3 Daniel Walsh 2006-12-19 14:23:56 UTC
Blame the kernel guys, we use their names.  I am just a simple userspace hacker.

:^)

Comment 4 Marco Colombo 2006-12-19 15:13:17 UTC
Eh, I knew that Daniel, no worries. B-)
BTW, I've learned something new on audit2allow (-M option, very useful!)


Here's the complete solution to run openvpn on port 999 (udp). Nothing new here,
I'm adding this for reference only:

The following command is needed for any port (but 1194 of course):

# semanage port -a -p udp -t openvpn_port_t 999

The following commands are also needed only if the port is privileged, that is, < 1024:

# yum install selinux-policy-devel

# mkdir selinux_local

# cd selinux_local

# vi local.te

# cat local.te
module local 1.0;

require {
        class capability net_bind_service;
        type openvpn_t;
};

allow openvpn_t self:capability net_bind_service;

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted local module
/usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/local.mod
Creating targeted local.pp policy package
rm tmp/local.mod.fc tmp/local.mod

# ls
local.fc  local.if  local.pp  local.te  tmp

# semodule -i local.pp

I tend to keep all local policy modifications (if small) in a single local
module. The reference policy makes it very easy.
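The two fixes discussed in this thread (the port label from comment 4, and the net_bind_service capability from comment 1, which only privileged ports below 1024 need) can be turned into a small decision script. The following is an added example written for this page, not code from the reporter or from the selinux-policy project. It assumes the openvpn_t domain and openvpn_port_t type named in the report, reads the AVC line to confirm the denied permission really is the capability, and only runs semanage/make/semodule when invoked with --apply; the sample AVC line is a constructed copy of the one in the description.

```shell
#!/bin/sh
# Added example (not from the bug report): decide which of the two fixes from
# the thread a given OpenVPN UDP port needs, and generate the local.te module
# shown in comment 4. Assumed names: domain openvpn_t, port type openvpn_port_t.

# Ports below 1024 are privileged: binding them needs CAP_NET_BIND_SERVICE,
# which SELinux checks as the net_bind_service capability permission.
port_is_privileged() {
    [ "$1" -ge 1 ] && [ "$1" -lt 1024 ]
}

# Print the capability denied in an AVC line of class "capability".
# Fails (prints nothing) for any other kind of denial, e.g. a udp_socket
# name_bind denial, which the port label fixes instead of a module.
avc_denied_capability() {
    case "$1" in
        *tclass=capability*) ;;
        *) return 1 ;;
    esac
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p')
    perms=$(printf '%s\n' "$perms" | sed 's/^ *//; s/ *$//')
    [ -n "$perms" ] || return 1
    printf '%s\n' "$perms"
}

# Emit a minimal local policy module granting one capability to one domain,
# laid out like the local.te in comment 4.
gen_local_te() {  # module_name domain capability
    cat <<EOF
module $1 1.0;

require {
        class capability $3;
        type $2;
};

allow $2 self:capability $3;
EOF
}

# Print the commands a port needs: the port label always, the module only
# when the port is privileged.
plan_fix() {
    port=$1
    echo "semanage port -a -p udp -t openvpn_port_t $port"
    if port_is_privileged "$port"; then
        echo "semodule -i local.pp   # local.te: allow openvpn_t self:capability net_bind_service"
    fi
}

# Constructed copy of the AVC line from the bug description, used as sample input.
SAMPLE_AVC='kernel: audit(1166466194.583:26): avc:  denied  { net_bind_service } for pid=2963 comm="openvpn" capability=10 scontext=root:system_r:openvpn_t:s0 tcontext=root:system_r:openvpn_t:s0 tclass=capability'

# Apply mode: "sh thisfile.sh --apply 999". Needs root and selinux-policy-devel.
# semanage port -a fails if the port is already labeled; use -m to relabel then.
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    semanage port -a -p udp -t openvpn_port_t "$2"
    if port_is_privileged "$2"; then
        mkdir -p selinux_local && cd selinux_local
        gen_local_te local openvpn_t net_bind_service > local.te
        make -f /usr/share/selinux/devel/Makefile
        semodule -i local.pp
    fi
fi
```

Without --apply the script only defines the functions, so it can be sourced and queried: `plan_fix 999` prints both commands, `plan_fix 1195` prints only the semanage line, and `avc_denied_capability "$SAMPLE_AVC"` prints net_bind_service.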