I'm running an openvpn server and I want to use SELinux. When it's activated I see a few "denied" events in the logs. I've used audit2allow to create a '.te' file. My question is about these lines in the file.

#============= openvpn_t ==============

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow openvpn_t unreserved_port_t:tcp_socket name_bind;

I understand 'nis_enabled' boolean will allow this and other context requests.
Where can I find exactly what this boolean will allow?

What would you choose to do, enable the boolean or the policy?

EDIT: Thank you @Michael Hampton.

semanage port -a -t openvpn_t -p tcp <myVpnPort>
D.Fitz

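As an added example (not part of the question or answer), the shell functions below triage an audit2allow-generated .te file like the one quoted above: they separate the rules audit2allow tagged with a boolean hint from the rest, and flag name_bind rules on unreserved_port_t, which are usually narrower to fix by labelling the port than by enabling a boolean or loading a blanket allow rule. The sample .te content is constructed, and openvpn_port_t is assumed to be the OpenVPN port type.

```shell
#!/bin/sh
# Triage an audit2allow .te file. Sample input is constructed below; its
# boolean hint and allow rule mirror the audit2allow output in the question.

# Write a constructed .te file (sample input, not a real audit) to $1.
write_sample_te() {
  cat >"$1" <<'EOF'
module my-openvpn 1.0;

require {
    type openvpn_t;
    type unreserved_port_t;
    class tcp_socket { name_bind listen };
}

#============= openvpn_t ==============

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow openvpn_t unreserved_port_t:tcp_socket name_bind;
allow openvpn_t self:tcp_socket listen;
EOF
}

# Print "boolean rule" for every allow rule that audit2allow tagged with a
# "can be allowed using the boolean" hint; feed each boolean to
# `sesearch -b <boolean> -A` to see everything it would turn on.
te_boolean_hints() {
  awk '
    /^#!!!! This avc can be allowed using the boolean/ {
      match($0, /'\''[^'\'']+'\''/)          # the quoted boolean name
      b = substr($0, RSTART + 1, RLENGTH - 2); next
    }
    b != "" && /^allow / { print b " " $0; b = "" }
  ' "$1"
}

# Print allow rules with no boolean hint: these are what a custom module
# would add, so each deserves a look before `semodule -i`.
te_unhinted_rules() {
  awk '
    /^#!!!! This avc can be allowed using the boolean/ { skip = 1; next }
    /^allow / { if (!skip) print; skip = 0 }
  ' "$1"
}

# Flag name_bind rules on unreserved_port_t. Labelling just the port, e.g.
# `semanage port -a -t openvpn_port_t -p tcp <port>` (openvpn_port_t assumed),
# grants less than the boolean or the allow rule above.
te_port_bind_rules() {
  grep -E '^allow [a-z_]+ unreserved_port_t:(tcp|udp)_socket name_bind;' "$1"
}
```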
1 Answer

You can use semanage boolean --list | grep nis to find a brief description on what it does and its status.

# semanage boolean -l | grep nis
nis_enabled                    (off  ,  off)  Allow nis to enabled
varnishd_connect_any           (off  ,  off)  Allow varnishd to connect any

You can find all the documentation here.

Edit: the OP indicated in a comment that specific info on what the booleans did was needed, so digging a bit deeper I found that

sesearch -b nis_enabled -A | grep -i openvpn

was the preferred answer.

natxo asenjo
  • I was looking for detailed information regarding individual booleans, like nis_enabled. – D.Fitz May 12 '19 at 19:55
  • OK, maybe this: sesearch -b nis_enabled -A | grep -i openvpn ? On a Fedora 30 system I get plenty of details of what the boolean does to openvpn contexts – natxo asenjo May 13 '19 at 17:35
  • That's what I was looking for. Thank you! – D.Fitz May 20 '19 at 20:08
  • Glad to help. I modified my original answer; if you think this is the correct one to your question, feel free to mark it as the right one ;-) – natxo asenjo May 20 '19 at 20:14