I did a clean install yesterday of Fedora 12 x86_64 and can't get openvpn started on port 443. I've tried selinux-policy-targeted-3.6.32-63.fc12.noarch and selinux-policy-targeted-3.6.32-66.fc12.noarch from updates-testing and neither one works. The strange thing is that I've got another F12 system where this works perfectly and I don't remember having to do anything special policy-wise. The working system was installed a month ago and has had updates applied regularly. The raw audit message is:

type=AVC msg=audit(1262955465.317:27): avc: denied { name_bind } for pid=2675 comm="openvpn" src=443 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

I've tried relabeling the system but that didn't help. It would also be nice if the default policy had /etc/openvpn/openvpn-status.log labeled as system_u:object_r:openvpn_etc_rw_t:s0 instead of system_u:object_r:openvpn_etc_t:s0 as it is now. I believe it is the default for this file to exist in /etc/openvpn, but it needs to be writable just like ipp.txt.
I have no idea why that would work on the other machine. The only ports openvpn_t is allowed to bind to are labeled openvpn_port_t:

sesearch -A -s openvpn_t -c tcp_socket -p name_bind -C
Found 3 semantic av rules:
   allow openvpn_t openvpn_port_t : tcp_socket { name_bind name_connect } ;
DT allow openvpn_t rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
DT allow openvpn_t port_t : tcp_socket { name_bind name_connect } ; [ allow_ypbind ]

Why isn't the openvpn-status.log located in /var/log?
I just found out how it works on the older system - the process domain for openvpn was set to permissive. I checked all customizations for booleans, network ports, etc. and didn't see anything, so I thought it was default. Chalk it up to inexperience with the ever evolving (for the better!) selinux tools. So is the proper way to deal with this to relabel 443 to openvpn_port_t? There's no way for dual citizenship (httpd_port_t and openvpn_port_t) for 443? I can see how that might not make sense to some degree, as both can't use the port at the same time. I don't know why the status file is written to /etc/openvpn. I guess because all the default server config files have it there. Moving it to /var/log seems to work fine, so no-op there.
I think adding a custom policy module is the correct way: allow openvpn_t to bind to http_port_t.

# grep name_bind /var/log/audit/audit.log | audit2allow -m myopenvpn
# semodule -i myopenvpn.pp

Is this a custom installation or is this a common way to set up openvpn?
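As an added illustration (this script is not part of the bug report or of the selinux-policy package): a POSIX shell script that parses an AVC denial record of the kind quoted in the first comment and derives from it the allow rule and the module source that the audit2allow step above would generate. The AVC line is the one from the report, reproduced as constructed sample input; the module name myopenvpn is the one used above; the function names (avc_field, avc_allow_rule, avc_to_module and the rest) are this example's own.

```sh
#!/bin/sh
# Added example: derive the SELinux allow rule and a minimal local policy
# module (.te) from a raw AVC denial record, the way `audit2allow -m` does.
# Constructed sample input: the AVC line quoted in this bug report.
SAMPLE_AVC='type=AVC msg=audit(1262955465.317:27): avc: denied { name_bind } for pid=2675 comm="openvpn" src=443 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY -> value of the KEY=value pair in RECORD, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT -> the type component (user:role:type:level -> type)
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_permissions RECORD -> the permissions listed between "denied {" and "}"
avc_permissions() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# brace_perms PERMS -> wrap in { } only when more than one permission is present
brace_perms() {
    case "$1" in
        *" "*) printf '{ %s }' "$1" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# avc_allow_rule RECORD -> "allow <source type> <target type>:<class> <perms>;"
avc_allow_rule() {
    stype=$(context_type "$(avc_field "$1" scontext)")
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    perms=$(brace_perms "$(avc_permissions "$1")")
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
}

# avc_to_module RECORD NAME -> .te source: module header, require block for the
# types and class the rule references, then the allow rule itself.
avc_to_module() {
    stype=$(context_type "$(avc_field "$1" scontext)")
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    perms=$(brace_perms "$(avc_permissions "$1")")
    rule=$(avc_allow_rule "$1")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n#============= %s ==============\n%s\n' \
        "$2" "$stype" "$ttype" "$tclass" "$perms" "$stype" "$rule"
}

# Run stand-alone: print the module source derived from the sample record.
avc_to_module "$SAMPLE_AVC" myopenvpn
```

The rule this produces for the record in the report is `allow openvpn_t http_port_t:tcp_socket name_bind;`, which is exactly the access the thread ends up adding to the distribution policy. The script only makes the derivation visible; on a real system the `grep ... | audit2allow -m myopenvpn` and `semodule -i myopenvpn.pp` commands above are the workflow, and audit2allow also checks the rule against the loaded policy, which this example does not.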
I think it's fairly common to have openvpn run on port 443. It works around restricted firewall setups that only allow web traffic.
Miroslav, can you add this access?

corenet_tcp_bind_http_port(openvpn_t)
Fixed in selinux-policy-3.6.32-69.fc12
selinux-policy-3.6.32-69.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0362
selinux-policy-3.6.32-69.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.