Bug 339181 - SELinux problems when starting vpnc
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Platform: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2007-10-19 00:21 EDT by Matěj Cepl
Modified: 2008-01-09 16:38 EST
Fixed In Version: selinux-policy-3.0.8-26
Doc Type: Bug Fix
Attachments
a lot of confused information I got from my computer (7.92 KB, text/plain)
2007-10-19 00:21 EDT, Matěj Cepl

Description Matěj Cepl 2007-10-19 00:21:45 EDT
Description of problem:
I get an AVC denial when starting NetworkManager-vpnc (see attached output from
gnome-terminal).

I have generated this SELinux module, which seems to make things work again:

module myvpncnamebind 1.0;

require {
        type inetd_t;
        type ircd_port_t;
        type vpnc_t;
        type ipsecnat_port_t;
        class tcp_socket name_bind;
        class udp_socket name_bind;
}

#============= inetd_t ==============
# let the inetd domain bind a TCP socket to the IRC daemon port (ircd_port_t, TCP 6667)
allow inetd_t ircd_port_t:tcp_socket name_bind;

#============= vpnc_t ==============
# let the vpnc domain bind a UDP socket to the IPsec NAT-T port (ipsecnat_port_t, UDP 4500)
allow vpnc_t ipsecnat_port_t:udp_socket name_bind;

Version-Release number of selected component (if applicable):
[root@viklef matej]# rpm -qa \*bind\* \*vpnc\* \*selinux\*
selinux-policy-targeted-3.0.8-24.fc8
libselinux-devel-2.0.37-1.fc8
bind-libs-9.5.0-15.a6.fc8
selinux-policy-3.0.8-24.fc8
vpnc-0.5.1-1.fc8
rpcbind-0.1.4-11.fc8
libselinux-python-2.0.37-1.fc8
bind-9.5.0-15.a6.fc8
libselinux-2.0.37-1.fc8
bind-utils-9.5.0-15.a6.fc8
ypbind-1.20.4-2.fc8
NetworkManager-vpnc-0.7.0-0.3.svn2970.fc8

How reproducible:
100%

Steps to Reproduce:
1. run NetworkManager-vpnc
Actual results:
An AVC denial is found in /var/log/audit/audit.log.

Expected results:
There shouldn't be one.

Additional info:
Comment 1 Matěj Cepl 2007-10-19 00:21:45 EDT
Created attachment 232081 [details]
a lot of confused information I got from my computer
Comment 3 Matěj Cepl 2007-10-19 00:47:46 EDT
Somebody from the happy party around this bug may be interested in bug 339191 as
well.
Comment 4 Tomas Mraz 2007-10-19 02:32:48 EDT
It seems that there are two things mixed together - I don't think that vpnc has
anything to do with inetd_t and ircd_port_t.
The other access of course should be allowed otherwise vpnc cannot work properly
behind NAT.
Comment 5 Matěj Cepl 2007-10-19 08:27:28 EDT
Tom, I am sorry that this bug went to you, but I was really not sure which of the
long list of possible candidates for this bug is at fault. I finally decided on
vpnc (after all, that's what SELinux broke), but added a long list of other people
to Cc:, hoping that somebody will take over the bug if it is theirs.

Concerning the first item, yes apparently only this policy is enough:

[root@viklef ~]# cat myvpncnamebind.te

module myvpncnamebind 2.0;

require {
        type vpnc_t;
        type ipsecnat_port_t;
        class udp_socket name_bind;
}

#============= vpnc_t ==============
# let the vpnc domain bind a UDP socket to the IPsec NAT-T port (ipsecnat_port_t, UDP 4500)
allow vpnc_t ipsecnat_port_t:udp_socket name_bind;
[root@viklef ~]# 

The rest of the problem is IMHO a problem with Bitlbee (IRC to
Jabber/MSN/AIM/Yahoo!/etc. gateway), which seems to work well with the other
half of the policy module:

module mybitlbee 1.0;

require {
        type inetd_t;
        type ircd_port_t;
        class tcp_socket name_bind;
}

#============= inetd_t ==============
# let the inetd domain bind a TCP socket to the IRC daemon port (ircd_port_t, TCP 6667)
allow inetd_t ircd_port_t:tcp_socket name_bind;
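The split in comment 5 is the general lesson of this bug: audit2allow turns every denial in the log into one module, so a denial from an unrelated service (here xinetd/bitlbee in inetd_t) lands next to the vpnc_t one and gets loaded with it. The script below is an added example, not code from the bug report, from the reporter or from the selinux-policy package; it does the grouping by source domain by hand so that each domain gets its own reviewable .te, and then shows the checkmodule/semodule_package/semodule steps that turn a .te into a loaded module. The two audit lines are constructed to match the denials discussed above (they are not copied from the attachment), the function names are the example's own, and the parser only handles single-permission AVC lines; on a real system you would feed `ausearch -m avc -c vpnc` to `audit2allow -M` instead of parsing by hand.

```shell
#!/bin/sh
# Added example, not from the bug report or from the selinux-policy package.
# Splits AVC denials into one policy module per source domain, so that the
# vpnc_t and inetd_t denials that ended up in one module in this bug become
# two separately reviewable modules.
# The audit lines below are CONSTRUCTED to match the two denials discussed in
# the report (UDP 4500 for vpnc, TCP 6667 for xinetd/bitlbee); they are not
# copied from the attachment. Single-permission denials only.

AVC_LOG='type=AVC msg=audit(1192760000.123:45): avc:  denied  { name_bind } for  pid=2345 comm="vpnc" src=4500 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1192760100.456:46): avc:  denied  { name_bind } for  pid=2400 comm="xinetd" src=6667 scontext=system_u:system_r:inetd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: print the value of KEY=... from one AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# avc_to_allow LINE: print the allow rule that would silence one denial,
# e.g. "allow vpnc_t ipsecnat_port_t:udp_socket name_bind;".
avc_to_allow() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p')
    sdom=$(avc_field "$1" scontext | cut -d: -f3)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    tclass=$(avc_field "$1" tclass)
    printf 'allow %s %s:%s %s;\n' "$sdom" "$ttype" "$tclass" "$perm"
}

# domain_module LOG DOMAIN NAME: print a complete .te module named NAME that
# contains only the rules whose source domain is DOMAIN. Returns 1 if the log
# holds no denial for that domain.
domain_module() {
    log=$1 dom=$2 name=$3
    rules=$(printf '%s\n' "$log" | while IFS= read -r line; do
                [ -n "$line" ] || continue
                rule=$(avc_to_allow "$line")
                case $rule in "allow $dom "*) printf '%s\n' "$rule" ;; esac
            done)
    [ -n "$rules" ] || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    {
        printf '        type %s;\n' "$dom"
        # target types and object classes used by the rules, deduplicated
        printf '%s\n' "$rules" | awk '{ sub(/:.*/, "", $3); print "        type " $3 ";" }'
        printf '%s\n' "$rules" | awk '{ split($3, a, ":"); sub(/;$/, "", $4); print "        class " a[2] " " $4 ";" }'
    } | awk '!seen[$0]++'
    printf '}\n\n#============= %s ==============\n%s\n' "$dom" "$rules"
}

# load_module FILE.te: compile and install a module (checkmodule and
# semodule_package come from the policy toolchain; semodule needs root).
# Prints the commands instead when the toolchain is missing or we are not root.
load_module() {
    te=$1; base=${te%.te}
    if ! command -v checkmodule >/dev/null 2>&1 || [ "$(id -u)" != 0 ]; then
        echo "skipped: would run  checkmodule -M -m -o $base.mod $te &&" \
             "semodule_package -o $base.pp -m $base.mod && semodule -i $base.pp" >&2
        return 0
    fi
    checkmodule -M -m -o "$base.mod" "$te" &&
        semodule_package -o "$base.pp" -m "$base.mod" &&
        semodule -i "$base.pp"
}

# Demo: one module per source domain. Review each before loading; here the
# inetd_t rule belongs to bitlbee and has nothing to do with vpnc.
out=$(mktemp -d)
for dom in vpnc_t inetd_t; do
    name="my_${dom%_t}"
    domain_module "$AVC_LOG" "$dom" "$name" > "$out/$name.te"
    echo "== $out/$name.te"; cat "$out/$name.te"
done
# load_module "$out/my_vpnc.te"   # run as root once the rule has been reviewed
```

Before loading any generated module, check that the source domain in each rule is actually the program you are trying to fix: a rule for a different domain belongs to a different bug, as the inetd_t half did here, and should be filed against that component rather than loaded alongside the vpnc fix.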
Comment 6 Daniel Walsh 2007-10-19 10:17:39 EDT
vpnc is fixed in selinux-policy-3.0.8-26.fc8

What tool are you using that is binding to ircd?
Comment 7 Matěj Cepl 2007-10-19 16:51:25 EDT
see my comment 5 -- it's bitlbee (packaged in Fedora as bitlbee).

URL         : http://www.bitlbee.org/
Summary     : IRC to other chat networks gateway
Description :
Bitlbee is an IRC to other chat networks gateway. Bitlbee can be used as
an IRC server which forwards everything you say to people on other chat
networks like ICQ, MSN, Jabber or Yahoo!

Basically it is a tool for geeks living in IRC all the time which allows them to
communicate with their wives on less geeky IM networks while still staying in
xchat. It is run as an inetd service; from one side it looks like a local IRC
daemon (so you can connect to it with xchat just as to another IRC network) and
from the other side it connects to the particular IM networks. Quite cool, IMHO.
Comment 8 Robert Scheck 2007-10-20 13:02:39 EDT
Daniel, bitlbee currently uses xinetd to bind the IRC port, but the upcoming
1.1 release will provide its own daemon as well as the possibility of using xinetd.
