| Summary: | policy too strict for openvpn | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ferry Huberts <mailings> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 16 | CC: | dominick.grift, dwalsh, jimis, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-18 20:31:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |
Created attachment 548108 [details]
TE

Description of problem:
I have a VPN setup in which the clients must connect to a non-default port. The current policy does not allow that.

Version-Release number of selected component (if applicable):
selinux-policy.noarch 3.10.0-64.fc16

How reproducible:
always

Steps to Reproduce:
1. in network manager setup an OpenVPN connection to a non-default (custom) port
2. try to connect
3. permission denied (in /var/log/messages), avc:

type=AVC msg=audit(1324070540.199:1360): avc: denied { name_connect } for pid=23236 comm="openvpn" dest=XXXXX scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

Actual results:
avc

Expected results:
vpn connection

Additional info:
I use a tcp connection, so the attached te mentions that as well.
Maybe a policy boolean that is switched when a custom port is used, or maybe a new piece of policy for the used custom port (see attached), or maybe just loosen up the policy?

Yes, we allow openvpn to connect to these ports

# sesearch --allow -C -s openvpn_t -c tcp_socket -p name_connect |grep -v DT

If you set up your own port, you will need to add a local policy. sealert should tell you all options which you have.

(In reply to comment #1)
> Yes, we allow openvpn to connect to these ports

What ports? I had to add my TE explicitly...

>
> # sesearch --allow -C -s openvpn_t -c tcp_socket -p name_connect |grep -v DT
>

which gives me:

allow openvpn_t openvpn_port_t : tcp_socket { name_bind name_connect } ;
allow openvpn_t dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow openvpn_t http_cache_port_t : tcp_socket name_connect ;
allow openvpn_t http_port_t : tcp_socket { name_bind name_connect } ;
allow openvpn_t ephemeral_port_t : tcp_socket name_connect ;
allow openvpn_t tor_socks_port_t : tcp_socket name_connect ;
allow nsswitch_domain dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
ET allow nsswitch_domain ocsp_port_t : tcp_socket name_connect ; [ allow_kerberos ]
ET allow nsswitch_domain kerberos_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ allow_kerberos ]

(with my own policy added!)

> If you set up your own port, you will need to add a local policy. sealert
> should tell you all options which you have.

Yeah, that's what I said ;-)
I think NM should tell me about it and (even better) do it for me.

The actual BUG is that NM allows you to set it all up and then when you try to use it, it _silently_ fails...
It's a major usability issue/bug.

Please reopen.

Seconded:

The actual BUG is that NM allows you to set it all up and then when you try to use it, it _silently_ fails...
It's a major usability issue/bug.

Please reopen.
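The thread's exchange is about the narrowest local fix for this denial: the sesearch output already contains `allow openvpn_t openvpn_port_t : tcp_socket { name_bind name_connect }`, so labelling the custom port as `openvpn_port_t` lets that rule apply without granting openvpn_t access to every `ephemeral_port_t` port. The script below is an added example, not code from the bug report or from the selinux-policy project: it parses an AVC denial of the shape shown in the report and prints the matching `semanage port` command. The AVC line is constructed for the example, with port 1195 as a placeholder (the report redacts the real destination port); nothing in the script changes policy.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): derive the
# port-labelling command for an openvpn_t name_connect denial. Run the printed
# command as root on the affected host; this script itself only parses text.

# Constructed sample AVC line. Port 1195 is a placeholder for the example.
SAMPLE_AVC='type=AVC msg=audit(1324070540.199:1360): avc: denied { name_connect } for pid=23236 comm="openvpn" dest=1195 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: print the value of "KEY=value" from an AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the denied permission(s) listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | tr -d ' '
}

# ctx_type CONTEXT: print the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_port_label LINE: for an openvpn_t name_connect denial on a port that
# does not carry openvpn_port_t, print the semanage command that labels the
# port. Returns 1 (printing nothing) for any other denial, so a caller can
# distinguish "no suggestion" from a parsing problem.
suggest_port_label() {
    line=$1
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    port=$(avc_field "$line" dest)
    case "$(avc_field "$line" tclass)" in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) return 1 ;;
    esac
    [ "$src" = openvpn_t ] || return 1
    [ "$(avc_perm "$line")" = name_connect ] || return 1
    # If the port is already openvpn_port_t the allow rule applies and the
    # denial has another cause; relabelling would not help.
    [ "$tgt" != openvpn_port_t ] || return 1
    printf 'semanage port -a -t openvpn_port_t -p %s %s\n' "$proto" "$port"
}

suggest_port_label "$SAMPLE_AVC"
```

If `semanage` reports that the port is already defined, use `-m` instead of `-a` to modify the existing entry. The alternative the thread discusses, a local TE module (for instance one generated from the denial with `audit2allow -M`), works too, but an `allow openvpn_t ephemeral_port_t : tcp_socket name_connect` rule opens the whole ephemeral range to openvpn_t, whereas labelling the single port keeps the grant to the one port the VPN actually uses.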