Bug 768589 - policy too strict for openvpn
Summary: policy too strict for openvpn
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-12-17 09:12 UTC by Ferry Huberts
Modified: 2013-05-20 11:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-18 20:31:18 UTC
Type: ---


Attachments
TE (371 bytes, text/plain)
2011-12-17 09:12 UTC, Ferry Huberts

Description Ferry Huberts 2011-12-17 09:12:33 UTC
Created attachment 548108 [details]
TE

Description of problem:
I have a VPN setup in which the clients must connect to a non-default port.
The current policy does not allow that.

Version-Release number of selected component (if applicable):
selinux-policy.noarch 3.10.0-64.fc16

How reproducible:
always

Steps to Reproduce:
1. in NetworkManager, set up an OpenVPN connection to a non-default (custom) port
2. try to connect
3. permission denied (in /var/log/messages), avc:
type=AVC msg=audit(1324070540.199:1360): avc:  denied  { name_connect } for  pid=23236 comm="openvpn" dest=XXXXX scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

Actual results:
avc

Expected results:
vpn connection

Additional info:
I use a TCP connection, so the attached TE mentions that as well.


maybe a policy boolean that is switched when a custom port is used,
or maybe a new piece of policy for the used custom port (see attached),
or maybe just loosen up the policy?

Comment 1 Miroslav Grepl 2011-12-18 20:31:18 UTC
Yes, we allow openvpn to connect to these ports

# sesearch --allow -C -s openvpn_t -c tcp_socket -p name_connect |grep -v DT

If you set up your own port, you will need to add a local policy. sealert should tell you all options which you have.

Comment 2 Ferry Huberts 2011-12-18 20:46:22 UTC
(In reply to comment #1)
> Yes, we allow openvpn to connect to these ports

what ports? I had to add my TE explicitly...

> 
> # sesearch --allow -C -s openvpn_t -c tcp_socket -p name_connect |grep -v DT
> 

which gives me:
   allow openvpn_t openvpn_port_t : tcp_socket { name_bind name_connect } ; 
   allow openvpn_t dns_port_t : tcp_socket { recv_msg send_msg name_connect } ; 
   allow openvpn_t http_cache_port_t : tcp_socket name_connect ; 
   allow openvpn_t http_port_t : tcp_socket { name_bind name_connect } ; 
   allow openvpn_t ephemeral_port_t : tcp_socket name_connect ; 
   allow openvpn_t tor_socks_port_t : tcp_socket name_connect ; 
   allow nsswitch_domain dns_port_t : tcp_socket { recv_msg send_msg name_connect } ; 
ET allow nsswitch_domain ocsp_port_t : tcp_socket name_connect ; [ allow_kerberos ]
ET allow nsswitch_domain kerberos_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ allow_kerberos ]


(with my own policy added!)


> If you set up your own port, you will need to add a local policy. sealert
> should tell you all options which you have.

yeah, that's what I said ;-)

I think NM should tell me about it and (even better) do it for me.

the actual BUG is that NM allows you to set it all up and then when you try to use it, it _silently_ fails...

It's a major usability issue/bug.

please reopen

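Added example (not code from the bug report or from the selinux-policy project): a small POSIX shell script that parses the AVC denial quoted in the description and prints the two local remediations comment 1 alludes to, the port relabel that reuses the existing openvpn_port_t rule shown in comment 2's sesearch output, and a minimal local TE module. The destination port 11940 in the sample is constructed, because the report redacts it (dest=XXXXX); the module name openvpn_custom_port is likewise an assumption.

```shell
# Added example, not code from the bug report: turn one AVC denial into the
# two local remediations a defender can choose between. Only prints text.

# Constructed sample modelled on the report's denial; port 11940 is made up
# because the report redacts it (dest=XXXXX).
SAMPLE_AVC='type=AVC msg=audit(1324070540.199:1360): avc:  denied  { name_connect } for  pid=23236 comm="openvpn" dest=11940 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: value of the space separated "KEY=value" in LINE
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}
# ctx_type CONTEXT: the type part of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}
# avc_perms LINE: the denied permission set without the braces
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*[^} ]\) *}.*/\1/p'
}
# proto_of LINE: tcp or udp, derived from the object class
proto_of() {
    case "$(avc_field "$1" tclass)" in
        tcp_socket) echo tcp ;;
        udp_socket) echo udp ;;
        *) echo unknown ;;
    esac
}

# Preferred fix: label the custom port openvpn_port_t. The stock policy
# already lets openvpn_t name_connect to that type (see the sesearch output
# in comment 2), so no new allow rule is needed.
port_label_fix() {
    printf 'semanage port -a -t openvpn_port_t -p %s %s\n' \
        "$(proto_of "$1")" "$(avc_field "$1" dest)"
}

# Fallback: a minimal local module like the attached TE. It grants openvpn_t
# name_connect to *every* ephemeral port, far broader than relabelling one.
te_module() {
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    class=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'module openvpn_custom_port 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
        "$stype" "$ttype" "$class" "$perms" "$stype" "$ttype" "$class" "$perms"
}
port_label_fix "$SAMPLE_AVC"
te_module "$SAMPLE_AVC"
```

The module text can be fed to checkmodule and semodule_package in the usual way; the semanage line needs no module at all, which is why it is the smaller grant.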
Comment 3 Dimitrios Apostolou 2013-05-20 11:31:20 UTC
Seconded:


the actual BUG is that NM allows you to set it all up and then when you try to use it, it _silently_ fails...

It's a major usability issue/bug.

please reopen

