Bug 755172 - permit openvpn to access to tor socks port
Summary: permit openvpn to access to tor socks port
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-11-19 10:11 UTC by Michael S.
Modified: 2011-12-06 01:05 UTC (History)

Fixed In Version: selinux-policy-3.10.0-64.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 01:05:25 UTC
Type: ---



Description Michael S. 2011-11-19 10:11:09 UTC
The openvpn NetworkManager plugin permits connecting to a SOCKS server (or HTTP), and so does openvpn. Yet it seems SELinux prevents the connection to the port labelled tor_t, as seen in this AVC:

[root@liliana selinux]# grep 1321695318.818:1969 /var/log/audit/audit.log  
type=AVC msg=audit(1321695318.818:1969): avc:  denied  { name_connect } for  pid=9389 comm="openvpn" dest=9050 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1321695318.818:1969): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fff43f1fbb8 a2=10 a3=0 items=0 ppid=9376 pid=9389 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
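The AVC record above carries everything needed to read the denial: the source domain (openvpn_t), the target port type (tor_port_t), the object class (tcp_socket) and the permission (name_connect), with the SYSCALL record confirming the connect(2) call failed with EACCES (exit=-13). As an added example that is not part of the bug report or of the Fedora policy, the following Python parser extracts those fields from audit.log lines and prints the type-enforcement rule that would cover the denial, the same rule shape audit2allow produces, alongside the port-label check a policy maintainer would run before deciding whether an allow rule or a port relabel is the right fix. The sample log text is a constructed copy of the two records quoted in the bug; the helper names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the AVC and SYSCALL records quoted in the bug report.
SAMPLE_LOG = """\
type=AVC msg=audit(1321695318.818:1969): avc:  denied  { name_connect } for  pid=9389 comm="openvpn" dest=9050 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1321695318.818:1969): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fff43f1fbb8 a2=10 a3=0 items=0 ppid=9376 pid=9389 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." (two spaces are common in audit output)
_AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either a quoted string or a run of non-blank characters
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: list[str]          # permissions that were denied, e.g. ["name_connect"]
    comm: str                 # process name from the record
    dest: Optional[int]       # destination port for socket denials, if present
    source_type: str          # type component of scontext, e.g. openvpn_t
    target_type: str          # type component of tcontext, e.g. tor_port_t
    tclass: str               # object class, e.g. tcp_socket

    def allow_rule(self) -> str:
        """Type-enforcement rule that would permit exactly this access."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perms};"

    def is_port_denial(self) -> bool:
        """True when the target is a port type, so a relabel is an alternative to an allow rule."""
        return self.tclass in ("tcp_socket", "udp_socket") and self.target_type.endswith("_port_t")

    def port_check(self) -> Optional[str]:
        """Command showing how the destination port is currently labelled (None if no port)."""
        if self.dest is None:
            return None
        return f"semanage port -l | grep -w {self.dest}"


def _type_of(context: str) -> str:
    # user:role:type[:level]; the type is always the third field
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit.log line; returns None for non-AVC lines and for granted records."""
    m = _AVC_RE.search(line)
    if not m or m.group("result") != "denied":
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("fields"))}
    return AvcDenial(
        perms=m.group("perms").split(),
        comm=fields.get("comm", ""),
        dest=int(fields["dest"]) if "dest" in fields else None,
        source_type=_type_of(fields["scontext"]),
        target_type=_type_of(fields["tcontext"]),
        tclass=fields["tclass"],
    )


def denials_from_log(text: str) -> list[AvcDenial]:
    """Collect all AVC denials from a block of audit.log text, skipping SYSCALL and other records."""
    return [d for d in (parse_avc(l) for l in text.splitlines()) if d is not None]


if __name__ == "__main__":
    for d in denials_from_log(SAMPLE_LOG):
        print(f"{d.comm}: {d.source_type} -> {d.target_type} ({d.tclass}) denied {d.perms}")
        print("  candidate rule:", d.allow_rule())
        if d.is_port_denial():
            print("  check current label first:", d.port_check())
```

For this bug the parser yields `allow openvpn_t tor_port_t:tcp_socket name_connect;`, which is the narrow fix; the thread instead settles on changing how port 9050 is labelled so every domain already allowed to reach SOCKS ports benefits, which is why the port-label check is printed before the rule.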

Comment 1 Michael S. 2011-11-19 12:13:54 UTC
Mhh, it seems that I left out several important points.

What I attempted to do is to use openvpn over tor, with a server listening on port 443/tcp. The problem is due to some DPI gateway preventing me from using openvpn (I do not have much more info on the network; that's wifi for some free software events in the south of France, and the admins are not here). So I fired up tor in regular client mode (i.e., default configuration), and told network-manager to use a socks proxy for openvpn, on localhost 9050. Tor opens a tcp connection on port 9050, and speaks the socks5 protocol.

So for more granularity, maybe the different types of port should be split, i.e. tor_socks_port_t, etc., so we can let openvpn connect to it, but not to the others (openvpn or others, since polipo or polipo for example can also connect to tor with socks).

Comment 2 Daniel Walsh 2011-11-23 16:28:20 UTC
You believe that port 9050 should be labeled socks_port_t and then allow all apps that can currently use tor_port_t could then use socks_port_t, correct?

Comment 3 Michael S. 2011-11-23 22:24:58 UTC
Yep, sorry if I was not clear :/

Comment 4 Daniel Walsh 2011-11-29 01:45:46 UTC
Miroslav, add

8c23816640766f435f36d27add6cb18885e18aa1

to RHEL6 and F16 policy.

Comment 5 Miroslav Grepl 2011-11-29 11:30:54 UTC
Added.

Comment 6 Fedora Update System 2011-12-02 13:15:37 UTC
selinux-policy-3.10.0-64.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-64.fc16

Comment 7 Fedora Update System 2011-12-04 02:31:41 UTC
Package selinux-policy-3.10.0-64.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-64.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16698/selinux-policy-3.10.0-64.fc16
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2011-12-06 01:05:25 UTC
selinux-policy-3.10.0-64.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

