Bug 820388 - Need to be able to allow openvpn to connect to ldap
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 16
Hardware: All   OS: Linux
Priority: unspecified   Severity: low
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-05-09 15:43 EDT by Orion Poplawski
Modified: 2012-05-10 12:11 EDT (History)
CC: 3 users
Doc Type: Bug Fix
Last Closed: 2012-05-10 04:07:25 EDT
Type: Bug
Description Orion Poplawski 2012-05-09 15:43:39 EDT
Description of problem:

The package openvpn-auth-ldap allows openvpn to authenticate against an LDAP server.  However, selinux prevents this with:

type=AVC msg=audit(1336591913.512:2450): avc:  denied  { name_connect } for  pid=6842 comm="openvpn" dest=389 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-84.fc16.noarch

I've added my own module for the time being.
Comment 1 Miroslav Grepl 2012-05-10 04:07:25 EDT
I see

#============= openvpn_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     authlogin_nsswitch_use_ldap, allow_ypbind

allow openvpn_t ldap_port_t:tcp_socket name_connect;
Comment 2 Orion Poplawski 2012-05-10 11:33:30 EDT
Thanks.  Where can I find such information for myself?
Comment 3 Daniel Walsh 2012-05-10 11:59:20 EDT
Orion, run the AVC through audit2allow; it should tell you what Miroslav pasted.

Although I am thinking this boolean is more for setting up the entire system with pam_ldap, rather than using sssd.  So we might want to allow openvpn to connect to ldap outside of this boolean.
Comment 4 Orion Poplawski 2012-05-10 12:11:36 EDT
Hm, I don't see that:

[root@inferno ~]# audit2allow
type=AVC msg=audit(1336591913.512:2450): avc:  denied  { name_connect } for 
pid=6842 comm="openvpn" dest=389 scontext=system_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket


[root@inferno ~]# 
Other selinux packages needed?  This is a stripped down system.

Yeah, I'm a little concerned about the boolean.  The system running openvpn is our firewall (surprise!) which does *not* authenticate against ldap in general.  Although I doubt there is much danger from turning it on.
