Openconnect is a VPN client. It works with HTTP authentication. First you authenticate using a certificate and/or password, and you're rewarded with an HTTP cookie. Then you make the actual connection, using that cookie. Those two operations can be done all at once by the command-line openconnect client, or they can be split into two stages. When we use the NetworkManager support, it's done in two stages -- the bit which accesses the user's certificate runs in the user's session and just passes the HTTP cookie over dbus to the nm-openconnect-service. And all is well. However, when users attempt to use the command-line client manually, selinux prevents it from accessing the certificate in their home directory. The openconnect binary is switched to the vpnc_t context when it starts, and that prevents access to the user's files. What's the best way to fix this? Really, we only want openconnect to transition into the vpnc_t context _after_ the authentication has happened. Is that possible?
David, didn't we have another bug where we discussed this?
We discussed it in the review bug for openconnect, but mostly in email.
Well, in Rawhide we have this mapping:

    /home/[^/]*/\.cert(/.*)?    unconfined_u:object_r:home_cert_t:s0

And:

    allow vpnc_t home_cert_t : file { ioctl read getattr lock open } ;
    allow vpnc_t home_cert_t : dir { ioctl read getattr lock search open } ;
    allow vpnc_t home_cert_t : lnk_file { read getattr } ;

Is that enough for now?
Yes, I believe so (as discussed in IRC a week or two ago). For F-11, I'll make our certificate-downloading scripts run 'chcon -t home_cert_t -r ~/.cert' and that ought to make it work too. Thanks.
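The two pieces discussed in the comments above, the home_cert_t file-context mapping with the three allow rules, and the chcon step for existing ~/.cert directories, put together as a local policy module. This is an added example, not code from the bug thread or from the selinux-policy package; it assumes the types vpnc_t and home_cert_t already exist in the installed base policy (as the Rawhide comment says), and the module name local_vpnc_cert and the helper function names are arbitrary choices made here.

```sh
#!/bin/sh
# Added example: generate, build and apply a local SELinux policy module
# that lets vpnc_t read (and only read) certificates under ~/.cert.
# Assumes vpnc_t and home_cert_t are defined by the base policy.
# The module name "local_vpnc_cert" is an arbitrary name chosen here.

# Emit the type-enforcement (.te) source. The allow rules are the ones
# quoted in the thread; 'require' imports types the base policy defines.
gen_te() {
    cat <<'EOF'
module local_vpnc_cert 1.0;

require {
    type vpnc_t;
    type home_cert_t;
}

# Read-only access: no write/create/unlink permissions, so a compromised
# VPN client still cannot alter or remove the user's certificates.
allow vpnc_t home_cert_t : file { ioctl read getattr lock open } ;
allow vpnc_t home_cert_t : dir { ioctl read getattr lock search open } ;
allow vpnc_t home_cert_t : lnk_file { read getattr } ;
EOF
}

# Emit the file-context (.fc) source: the same regex mapping as in the thread.
gen_fc() {
    cat <<'EOF'
/home/[^/]*/\.cert(/.*)?    unconfined_u:object_r:home_cert_t:s0
EOF
}

# Write both sources into DIR and, when the SELinux build tools are present,
# compile and package them into a loadable .pp module.
build_module() {
    dir="$1"
    mkdir -p "$dir"
    gen_te > "$dir/local_vpnc_cert.te"
    gen_fc > "$dir/local_vpnc_cert.fc"
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
        checkmodule -M -m -o "$dir/local_vpnc_cert.mod" "$dir/local_vpnc_cert.te"
        semodule_package -o "$dir/local_vpnc_cert.pp" -m "$dir/local_vpnc_cert.mod" -f "$dir/local_vpnc_cert.fc"
        echo "built $dir/local_vpnc_cert.pp; install with: semodule -i $dir/local_vpnc_cert.pp"
    else
        echo "SELinux build tools not found; sources written to $dir"
    fi
}

# Sanity check: number of vpnc_t -> home_cert_t allow rules in a .te file.
count_allow_rules() {
    grep -c '^allow vpnc_t home_cert_t' "$1"
}

# Label an existing certificate directory so the rules apply to it now.
# The recursive flag for chcon is -R (capital); lower-case -r sets the role.
label_cert_dir() {
    certdir="${1:-$HOME/.cert}"
    if command -v chcon >/dev/null 2>&1 && [ -d "$certdir" ]; then
        chcon -R -t home_cert_t "$certdir" && ls -Zd "$certdir"
    else
        echo "skipping chcon: no chcon binary or $certdir missing" >&2
        return 1
    fi
}
```

Usage: `build_module /tmp/vpnc-cert` writes the sources (and the .pp when checkmodule is installed), then `semodule -i` loads it. Once the .fc mapping is part of the loaded policy, `restorecon -R ~/.cert` is the durable way to label the directory, since a manual chcon label is lost on the next full relabel; `label_cert_dir` is the stopgap the F-11 comment describes, with the recursive flag spelled -R.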
Fixed in selinux-policy-3.6.12-93.fc11.noarch
selinux-policy-3.6.12-93.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-93.fc11
selinux-policy-3.6.12-93.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0446
selinux-policy-3.6.12-93.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.