Description of problem:
I get an AVC denial when starting NetworkManager-vpnc (see attached output from gnome-terminal). I have generated this SELinux module, which seems to make things work again:

module myvpncnamebind 1.0;

require {
	type inetd_t;
	type ircd_port_t;
	type vpnc_t;
	type ipsecnat_port_t;
	class tcp_socket name_bind;
	class udp_socket name_bind;
}

#============= inetd_t ==============
allow inetd_t ircd_port_t:tcp_socket name_bind;

#============= vpnc_t ==============
allow vpnc_t ipsecnat_port_t:udp_socket name_bind;

Version-Release number of selected component (if applicable):
[root@viklef matej]# rpm -qa \*bind\* \*vpnc\* \*selinux\*
selinux-policy-targeted-3.0.8-24.fc8
libselinux-devel-2.0.37-1.fc8
bind-libs-9.5.0-15.a6.fc8
selinux-policy-3.0.8-24.fc8
vpnc-0.5.1-1.fc8
rpcbind-0.1.4-11.fc8
libselinux-python-2.0.37-1.fc8
bind-9.5.0-15.a6.fc8
libselinux-2.0.37-1.fc8
bind-utils-9.5.0-15.a6.fc8
ypbind-1.20.4-2.fc8
NetworkManager-vpnc-0.7.0-0.3.svn2970.fc8

How reproducible:
100%

Steps to Reproduce:
1. run NetworkManager-vpnc
2.
3.

Actual results:
an AVC denial is found in /var/log/audit/audit.log

Expected results:
there shouldn't be one

Additional info:
Created attachment 232081: a lot of confused information I got from my computer
Somebody from the happy party around this bug may be interested in bug 339191 as well.
It seems that two things are mixed together here - I don't think that vpnc has anything to do with inetd_t and ircd_port_t. The other access of course should be allowed, otherwise vpnc cannot work properly behind NAT.
Tom, I am sorry that this bug went to you, but I was really not sure which of the long list of possible candidates for this bug is at fault. I finally decided on vpnc (after all, that's what SELinux broke), but added a long list of other people to Cc:, hoping that somebody will take over the bug if it is theirs.

Concerning the first item, yes, apparently only this policy is enough:

[root@viklef ~]# cat myvpncnamebind.te
module myvpncnamebind 2.0;

require {
	type vpnc_t;
	type ipsecnat_port_t;
	class udp_socket name_bind;
}

#============= vpnc_t ==============
allow vpnc_t ipsecnat_port_t:udp_socket name_bind;
[root@viklef ~]#

The rest of the problem is IMHO a problem with Bitlbee (IRC to Jabber/MSN/AIM/Yahoo!/etc. gateway), which seems to work well with the other half of the policy module:

module mybitlbee 1.0;

require {
	type inetd_t;
	type ircd_port_t;
	class tcp_socket name_bind;
}

#============= inetd_t ==============
allow inetd_t ircd_port_t:tcp_socket name_bind;
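An added example (not from this bug report, nor from the Fedora or vpnc packages): a small audit2allow-style generator that reads AVC denial lines of the kind found in /var/log/audit/audit.log and emits one .te module per source domain, so the vpnc_t and inetd_t denials are kept in separate modules as done in comment 5 instead of being lumped into one. The audit lines in SAMPLE_AUDIT_LOG are constructed for illustration, and the names parse_avc and generate_modules are my own.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines modelled on the two denials in this bug
# (vpnc binding the NAT-T UDP port, xinetd binding the IRC port for bitlbee).
# Timestamps, pids and port numbers are illustrative, not from the attachment.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1193500000.101:201): avc:  denied  { name_bind } for  pid=2101 comm="vpnc" src=4500 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1193500010.222:202): avc:  denied  { name_bind } for  pid=2150 comm="xinetd" src=6667 scontext=system_u:system_r:inetd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1193500010.222:202): arch=40000003 syscall=102 success=no exit=-13
"""

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial, else None."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = dict(tok.split('=', 1) for tok in line.split() if '=' in tok)
    try:  # the third field of a security context is the SELinux type
        return (fields['scontext'].split(':')[2], fields['tcontext'].split(':')[2],
                fields['tclass'], tuple(sorted(m.group(1).split())))
    except (KeyError, IndexError):
        return None

def _perm_set(perms):
    """Single permission bare, several in braces, as audit2allow prints them."""
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def generate_modules(audit_text, prefix='my'):
    """Group denials by source domain and render one .te module per domain, so
    unrelated denials (vpnc_t and inetd_t here) never end up in a single module."""
    by_domain = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            by_domain[stype].add((ttype, tclass, perms))
    modules = {}
    for stype, rules in sorted(by_domain.items()):
        name = prefix + (stype[:-2] if stype.endswith('_t') else stype)
        types = {stype} | {ttype for ttype, _, _ in rules}
        classes = defaultdict(set)  # every class needs all perms it is used with
        for _, tclass, perms in rules:
            classes[tclass].update(perms)
        out = [f'module {name} 1.0;', '', 'require {']
        out += [f'\ttype {t};' for t in sorted(types)]
        out += [f'\tclass {c} {_perm_set(sorted(p))};' for c, p in sorted(classes.items())]
        out += ['}', '']
        out += [f'allow {stype} {ttype}:{tclass} {_perm_set(perms)};'
                for ttype, tclass, perms in sorted(rules)]
        modules[name] = '\n'.join(out) + '\n'
    return modules

if __name__ == '__main__':
    for name, text in generate_modules(SAMPLE_AUDIT_LOG).items():
        print(f'# {name}.te (build with: checkmodule -M -m -o {name}.mod {name}.te; '
              f'semodule_package -o {name}.pp -m {name}.mod; semodule -i {name}.pp)\n{text}')
```

Generating a module per domain also makes it obvious when a denial belongs to a different package (here the inetd_t rule points at bitlbee, not vpnc) and should be reported there rather than allowed locally.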
vpnc is fixed in selinux-policy-3.0.8-26.fc8. What tool are you using that is binding to ircd?
See my comment 5 -- it's bitlbee (packaged in Fedora as bitlbee).

URL         : http://www.bitlbee.org/
Summary     : IRC to other chat networks gateway
Description :
Bitlbee is an IRC to other chat networks gateway. Bitlbee can be used as an IRC server which forwards everything you say to people on other chat networks like ICQ, MSN, Jabber or Yahoo! Basically it is a tool for geeks living in IRC all the time which allows them to communicate with their wives on less geeky IM networks while still staying in xchat.

It is run as an inetd service; from one side it looks like a local IRC daemon (so you can connect to it as to just another IRC network with xchat), and from the other side it connects to the particular IM networks. Quite cool, IMHO.
Daniel, bitlbee currently uses xinetd to bind the IRC port, but the upcoming 1.1 release will provide its own daemon as well as the possibility of using xinetd.