Bug 220059 - selinux doesn't allow openvpn to start on nonstandard udp port
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-12-18 13:27 EST by Marco Colombo
Modified: 2007-11-30 17:11 EST
Last Closed: 2006-12-18 15:03:37 EST
Doc Type: Bug Fix
Description Marco Colombo 2006-12-18 13:27:34 EST
Description of problem:
I'm running openvpn on a nonstandard port (udp). I've added the new port (999) to
the port-type database, and now it shows the correct type:
# semanage port -l | fgrep openvpn
openvpn_port_t                 udp      999, 1194

When I start openvpn I get the following avc message:
kernel: audit(1166466194.583:26): avc:  denied  { net_bind_service } for 
pid=2963 comm="openvpn" capability=10 scontext=root:system_r:openvpn_t:s0
tcontext=root:system_r:openvpn_t:s0 tclass=capability

I'm not getting what triggers it.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-7.fc6
openvpn-2.1-0.14.beta16.fc6

How reproducible:
always

Steps to Reproduce:
1. Configure a tunnel based on UDP on a different port than 1194.
2. Start the openvpn service.
  
Actual results:
openvpn fails to start

Expected results:
selinux should allow openvpn to use nonstandard ports

Additional info:
Very likely some other selinux magic is missing, but I can't really figure out
which one. The avc is not port specific, yet it does not occur with port 1194.
Comment 1 Daniel Walsh 2006-12-18 15:03:37 EST
I believe that in order for a process to open a port < 1024, it requires
net_bind_service.  So if you want openvpn to work on this port, you need to
write some quick local policy:

audit2allow -M myopenvpn < /var/log/audit/audit.log

If you change to use a port > 1024 this change will not be necessary.
Comment 2 Marco Colombo 2006-12-19 04:55:26 EST
Ok, thanks a lot.
Now I think 'net_bind_service' is somehow deceiving, 'net_bind_privileged' would
be a better name for it, at least to me, but it's definitely a minor issue.
Comment 3 Daniel Walsh 2006-12-19 09:23:56 EST
Blame the kernel guys, we use their names.  I am just a simple userspace hacker.

:^)
Comment 4 Marco Colombo 2006-12-19 10:13:17 EST
Eh, I knew that Daniel, no worries. B-)
BTW, I've learned something new on audit2allow (-M option, very useful!)


Here's the complete solution to run openvpn on port 999 (udp). Nothing new here,
I'm adding this for reference only:

The following command is needed for any port (but 1194 of course):

# semanage port -a -p udp -t openvpn_port_t 999

The following commands are also needed only if the port is privileged, that is, < 1024:

# yum install selinux-policy-devel

# mkdir selinux_local

# cd selinux_local

# vi local.te

# cat local.te
module local 1.0;

require {
        class capability net_bind_service;
        type openvpn_t;
};

allow openvpn_t self:capability net_bind_service;

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted local module
/usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/local.mod
Creating targeted local.pp policy package
rm tmp/local.mod.fc tmp/local.mod

# ls
local.fc  local.if  local.pp  local.te  tmp

# semodule -i local.pp

I tend to keep all local policy modifications (if small) in a single local
module. The reference policy makes it very easy.
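The script below is an added example and is not part of this bug report or of the Fedora policy tooling. It reproduces, offline, the two decisions made in comment 1 and comment 4: whether a port is privileged (below 1024, so binding it needs CAP_NET_BIND_SERVICE), and how one AVC "denied" line is turned into the allow rule and local.te module that audit2allow -M would produce. It uses the AVC line quoted in the report as a constructed sample, never calls semanage or semodule itself (it only prints the commands the report gives), and the helper names (port_is_privileged, avc_to_allow, render_te, plan_for_port) are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report. Offline stand-in for the steps in
# comments 1 and 4: decide whether a port needs net_bind_service, and turn one
# AVC denial into the allow rule and local.te module that audit2allow -M emits.
# Nothing here runs semanage/semodule; the real commands are only printed.

# Constructed sample: the AVC line quoted in the report, joined onto one line.
SAMPLE_AVC='kernel: audit(1166466194.583:26): avc:  denied  { net_bind_service } for pid=2963 comm="openvpn" capability=10 scontext=root:system_r:openvpn_t:s0 tcontext=root:system_r:openvpn_t:s0 tclass=capability'

# Ports 1-1023 are privileged; binding them needs CAP_NET_BIND_SERVICE.
port_is_privileged() {
    [ "$1" -ge 1 ] && [ "$1" -lt 1024 ]
}

# The semanage command from comment 4 that labels PORT/PROTO as openvpn_port_t.
port_label_cmd() {
    echo "semanage port -a -p $2 -t openvpn_port_t $1"
}

# avc_field LINE NAME -> value of "NAME=value" in an AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Permission set inside the braces: "{ net_bind_service }" -> "net_bind_service".
# A multi-permission set is re-wrapped in braces, as policy syntax requires.
avc_perms() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $perms in
        *' '*) echo "{ $perms }" ;;
        *) echo "$perms" ;;
    esac
}

# Type field of a context: root:system_r:openvpn_t:s0 -> openvpn_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One AVC line -> one allow rule. "self" is used when source and target types
# match, which is always the case for a capability check.
avc_to_allow() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    [ "$src" = "$tgt" ] && tgt=self
    echo "allow $src $tgt:$cls $perms;"
}

# Render the local.te text for one AVC line (single type, single class).
render_te() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    rule=$(avc_to_allow "$1")
    printf 'module local 1.0;\n\nrequire {\n        class %s %s;\n        type %s;\n};\n\n%s\n' \
        "$cls" "$perms" "$src" "$rule"
}

# Print everything needed for PORT/PROTO: the port label always, the local
# module only when the port is privileged (comment 1's rule).
plan_for_port() {
    port_label_cmd "$1" "$2"
    if port_is_privileged "$1"; then
        render_te "$SAMPLE_AVC"
        echo "# then: make -f /usr/share/selinux/devel/Makefile && semodule -i local.pp"
    fi
}

# Usage: plan_for_port 999 udp
```

For an unprivileged port such as 5000 the plan is just the semanage line; for port 999 it also prints the same local.te that comment 4 shows, followed by the build and install commands.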
