Bug 1165110

Summary: openvpn broken in selinux-policy-3.13.1-92.fc21.noarch
Product: Fedora
Reporter: James Patterson <jamespatterson>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 21
CC: andreasfleig, awilliam, dominick.grift, drepper, drjohnson1, dwalsh, gareth, jsmith.fedora, junk, lvrabec, mgrepl, mruckman, ngc2997, nphilipp, pbonzini, plautrba, rui.gouveia, satellitgo, sbose, tmlcoch
Hardware: Unspecified
OS: Unspecified
Whiteboard: AcceptedFreezeException
Fixed In Version: selinux-policy-3.13.1-99.fc21
Doc Type: Bug Fix
Last Closed: 2014-12-03 17:15:32 UTC
Type: Bug
Bug Blocks: 1043131

Description James Patterson 2014-11-18 11:19:14 UTC
Description of problem:


Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                NetworkManager [ dir ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          host
Source RPM Packages           openvpn-2.3.4-4.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-92.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host
Platform                      Linux host 3.17.3-300.fc21.x86_64 #1 SMP Fri Nov
                              14 23:36:19 UTC 2014 x86_64 x86_64
Alert Count                   11
First Seen                    2014-11-17 12:31:02 CET
Last Seen                     2014-11-17 12:33:06 CET
Local ID                      a9ad2518-134e-4058-a3b5-4da330e61e6b

Raw Audit Messages
type=AVC msg=audit(1416223986.24:661): avc:  denied  { search } for  pid=4465 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=21098 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1416223986.24:661): arch=x86_64 syscall=bind success=no exit=EACCES a0=4 a1=7f35cba97464 a2=6e a3=21 items=0 ppid=4464 pid=4465 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=openvpn exe=/usr/sbin/openvpn subj=system_u:system_r:openvpn_t:s0 key=(null)

Hash: openvpn,openvpn_t,NetworkManager_var_run_t,dir,search

Comment 1 Miroslav Grepl 2014-11-19 12:50:55 UTC
commit 802bb95180f5b10ddb78a46a4b088997ce6314df
Author: Miroslav Grepl <mgrepl>
Date:   Tue Nov 18 14:54:30 2014 +0100

    Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.

Comment 2 Lukas Vrabec 2014-11-19 13:50:19 UTC
*** Bug 1165572 has been marked as a duplicate of this bug. ***

Comment 3 Lukas Vrabec 2014-11-19 13:50:34 UTC
*** Bug 1165574 has been marked as a duplicate of this bug. ***

Comment 4 Lukas Vrabec 2014-11-19 13:50:45 UTC
*** Bug 1165575 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2014-11-19 13:51:01 UTC
*** Bug 1164182 has been marked as a duplicate of this bug. ***

Comment 6 Tomas Mlcoch 2014-11-19 13:59:53 UTC
Description of problem:
I tried to connect to Red Hat VPN by Network Manager applet in Gnome 3 as usual (via OpenVPN), but this time, SELinux blocked it.

$ rpm -q libselinux selinux-policy selinux-policy-minimum NetworkManager NetworkManager-openvpn openvpn
libselinux-2.3-5.fc21.x86_64
selinux-policy-3.13.1-92.fc21.noarch
package selinux-policy-minimum is not installed
NetworkManager-0.9.10.0-13.git20140704.fc21.x86_64
NetworkManager-openvpn-0.9.9.0-3.20141110gitda5fb9b.fc21.x86_64
openvpn-2.3.4-4.fc21.x86_64

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Comment 7 Nils Philippsen 2014-11-20 08:19:59 UTC
Description of problem:
Tried to connect to an OpenVPN using the NetworkManager GUI.

Version-Release number of selected component:
selinux-policy-3.13.1-98.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Comment 8 Nils Philippsen 2014-11-20 08:22:29 UTC
I just installed -98 from koji in the hopes that it would solve my NM/OpenVPN connection issues, but ran into the following. I'm not sure why setroubleshoot suggests enabling 'daemons_enable_cluster_mode' (I'm not familiar with that boolean), maybe it allows the access as a side-effect. Here's the local module I installed on top of -98 with which NM can use OpenVPN again:

--- 8< --- localnmovpn.te ---
module localnmovpn 1.0;

require {
	type openvpn_t;
	type NetworkManager_t;
	class unix_stream_socket connectto;
}

#============= NetworkManager_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow NetworkManager_t openvpn_t:unix_stream_socket connectto;
--- >8 ----------------------

==========================================

SELinux is preventing /usr/libexec/nm-openvpn-service from 'connectto' accesses on the unix_stream_socket /run/NetworkManager/nm-openvpn-4c73ea1d-b59d-49dc-96ef-7b1a58e2137f.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to enable cluster mode for daemons.
Then you must tell SELinux about this by enabling the 'daemons_enable_cluster_mode' boolean.
You can read 'openvpn_selinux' man page for more details.
Do
setsebool -P daemons_enable_cluster_mode 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that nm-openvpn-service should be allowed connectto access on the nm-openvpn-4c73ea1d-b59d-49dc-96ef-7b1a58e2137f unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep nm-openvpn-serv /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:system_r:openvpn_t:s0
Target Objects                /run/NetworkManager/nm-openvpn-4c73ea1d-b59d-49dc-
                              96ef-7b1a58e2137f [ unix_stream_socket ]
Source                        nm-openvpn-serv
Source Path                   /usr/libexec/nm-openvpn-service
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-
                              openvpn-0.9.9.0-3.20141110gitda5fb9b.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-98.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.17.3-300.fc21.x86_64 #1 SMP Fri
                              Nov 14 23:36:19 UTC 2014 x86_64 x86_64
Alert Count                   63
First Seen                    2014-11-19 00:20:33 CET
Last Seen                     2014-11-20 09:02:59 CET
Local ID                      bd395b04-fcb9-4699-9db7-949941da0a88

Raw Audit Messages
type=AVC msg=audit(1416470579.476:494): avc:  denied  { connectto } for  pid=3206 comm="nm-openvpn-serv" path="/run/NetworkManager/nm-openvpn-4c73ea1d-b59d-49dc-96ef-7b1a58e2137f" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=unix_stream_socket permissive=0


type=SYSCALL msg=audit(1416470579.476:494): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7ffffed4fbc0 a2=6e a3=1 items=0 ppid=1 pid=3206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nm-openvpn-serv exe=/usr/libexec/nm-openvpn-service subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Hash: nm-openvpn-serv,NetworkManager_t,openvpn_t,unix_stream_socket,connectto

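The two denials quoted in this bug are of different kinds, and that is worth seeing in the raw records rather than only in the setroubleshoot summary. The first (comment 0) is openvpn_t being refused `search` on a directory labelled NetworkManager_var_run_t while it calls bind(), i.e. a file-object denial that a type-based rule fixes. The second (comment 8) is NetworkManager_t being refused `connectto` on a socket whose target context is another process domain, openvpn_t, so the rule has to name the peer's domain, which is why the catchall boolean looked like the only way out. The script below is an added example for this page, not code from the bug report or from selinux-policy: it pairs each AVC record with its SYSCALL record by audit event id, derives the narrowest allow rule for the denial, classifies it as file-object or peer-process, and notes whether the denied call came from a login session (auid set) or from a daemon (auid=4294967295). The sample log is the four records quoted in comments 0 and 8, embedded verbatim so it runs offline.

```python
import re

# One audit record per line: "type=AVC msg=audit(<secs>.<ms>:<serial>): <body>".
AUDIT_HEADER = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally double-quoted
PERMS = re.compile(r'\{ ([^}]*) \}')       # the "{ search }" permission set in an AVC

# The four records quoted in this bug (comments 0 and 8), used as sample input.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1416223986.24:661): avc:  denied  { search } for  pid=4465 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=21098 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1416223986.24:661): arch=x86_64 syscall=bind success=no exit=EACCES a0=4 a1=7f35cba97464 a2=6e a3=21 items=0 ppid=4464 pid=4465 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=openvpn exe=/usr/sbin/openvpn subj=system_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1416470579.476:494): avc:  denied  { connectto } for  pid=3206 comm="nm-openvpn-serv" path="/run/NetworkManager/nm-openvpn-4c73ea1d-b59d-49dc-96ef-7b1a58e2137f" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1416470579.476:494): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7ffffed4fbc0 a2=6e a3=1 items=0 ppid=1 pid=3206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nm-openvpn-serv exe=/usr/libexec/nm-openvpn-service subj=system_u:system_r:NetworkManager_t:s0 key=(null)
"""


def parse_audit_records(text):
    """Parse raw audit lines into dicts: record type, event id, and key=value fields."""
    records = []
    for line in text.splitlines():
        m = AUDIT_HEADER.match(line.strip())
        if not m:
            continue  # blank line or setroubleshoot prose, not an audit record
        rec = {"type": m.group("type"), "event": m.group("event")}
        body = m.group("body")
        if rec["type"] == "AVC":
            perms = PERMS.search(body)
            rec["perms"] = perms.group(1).split() if perms else []
            rec["result"] = "denied" if "denied" in body.split("{")[0] else "granted"
        for key, val in KV.findall(body):
            rec[key] = val.strip('"')
        records.append(rec)
    return records


def correlate_events(records):
    """Group records by event id (timestamp:serial) so every AVC is paired with
    the SYSCALL record of the call that triggered it."""
    events = {}
    for rec in records:
        ev = events.setdefault(rec["event"], {"avc": [], "syscall": None})
        if rec["type"] == "AVC":
            ev["avc"].append(rec)
        elif rec["type"] == "SYSCALL":
            ev["syscall"] = rec
    return events


def context_type(ctx):
    """user:role:type:level -> type, the component a TE rule refers to."""
    return ctx.split(":")[2]


def avc_to_rule(avc):
    """Narrowest TE allow rule that would permit exactly this denial."""
    src, tgt = context_type(avc["scontext"]), context_type(avc["tcontext"])
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{avc['tclass']} {perm_str};"


def classify(avc):
    """'file-object' when the target carries an object label (role object_r);
    'peer-process' when the target context is another process domain, as with
    connectto on a unix_stream_socket owned by a running service."""
    target_role = avc["tcontext"].split(":")[1]
    return "file-object" if target_role == "object_r" else "peer-process"


def triage(text):
    """One summary row per denied AVC, enriched from its SYSCALL record."""
    rows = []
    for event_id, ev in correlate_events(parse_audit_records(text)).items():
        sc = ev["syscall"] or {}
        for avc in ev["avc"]:
            if avc["result"] != "denied":
                continue
            rows.append({
                "event": event_id,
                "comm": avc.get("comm"),
                "exe": sc.get("exe"),
                "syscall": sc.get("syscall"),
                "errno": sc.get("exit"),
                # auid=4294967295 is the unset loginuid: the process was started by
                # systemd or a daemon, not from an interactive login session.
                "login_session": sc.get("auid") not in (None, "4294967295", "-1"),
                "kind": classify(avc),
                "target": avc.get("path") or avc.get("name"),
                "rule": avc_to_rule(avc),
            })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT_LOG):
        print(f"{row['event']} {row['comm']} {row['syscall']}() -> {row['errno']} "
              f"[{row['kind']}] {row['rule']}")
```

On a live system feed it the output of `ausearch -m AVC,SYSCALL --raw -ts recent` instead of the embedded sample. The derived rule is a diagnostic to compare against what a policy update actually ships, not something to install blindly: for this bug the file-object denial was already covered by -98 and the peer-process one by -99, which is why a local module was only needed on the intermediate build.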
Comment 9 Sumit Bose 2014-11-20 10:17:32 UTC
I can confirm that with selinux-policy-3.13.1-98 and daemons_enable_cluster_mode on, my OpenVPN issues are gone.

If daemons_enable_cluster_mode is off, I see the same warnings as Nils.

Comment 10 Lukas Vrabec 2014-11-20 10:29:27 UTC
commit 7f138069a05a7940b0da1578d12f703d978b7020
Author: Lukas Vrabec <lvrabec>
Date:   Thu Nov 20 11:27:57 2014 +0100

    Allow NetworkManager stream connect on openvpn. BZ(1165110)

Comment 11 Sumit Bose 2014-11-20 11:55:47 UTC
Thank you, with selinux-policy-3.13.1-99.fc21 OpenVPN works even if daemons_enable_cluster_mode is off.

Comment 12 Fedora Update System 2014-11-21 12:24:10 UTC
selinux-policy-3.13.1-99.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-99.fc21

Comment 13 Rui Gouveia 2014-11-24 10:08:11 UTC
Description of problem:
Trying to connect office VPN.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Comment 14 Lukas Vrabec 2014-11-24 10:46:53 UTC
selinux-policy-3.13.1-99.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-99.fc21

Comment 15 Adam Williamson 2014-11-28 01:32:18 UTC
Proposing as a freeze exception - without this, people will hit AVCs trying to set up OpenVPN connections from the Workstation live.

Comment 16 Dennis Gilmore 2014-11-28 01:36:09 UTC
+1 to Freeze Exception

Comment 17 d. johnson 2014-11-28 02:24:12 UTC
+1 to Freeze Exception

Ensuring that a user can VPN from the live image is a common use case.

Comment 18 Adam Williamson 2014-11-28 02:28:58 UTC
I figure this is fairly non-controversial so +3 from me, Dennis and d johnson (another QA folk) seems like enough to say AcceptedFreezeException, let's get it in RC1.

Comment 19 Mike Ruckman 2014-11-28 02:40:27 UTC
+1 FE for me as well.

Comment 20 Ulrich Drepper 2014-11-28 12:17:35 UTC
Description of problem:
I set up openvpn after I installed the machine.  Using the networkmanager GUI (Gnome) worked, I could start and stop the connection.  Now after some updates and/or reboots I get the SELinux error.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-300.fc21.x86_64
type:           libreport

Comment 21 Ulrich Drepper 2014-11-28 12:26:38 UTC
3.13.1-100 indeed seems to fix the issue and nothing negative is observed either.

Comment 22 Lukas Vrabec 2014-11-28 13:00:58 UTC
Everything should be fine with this build selinux-policy-3.13.1-99.fc21.
http://koji.fedoraproject.org/koji/buildinfo?buildID=594484

Comment 23 Adam Williamson 2014-11-29 04:08:32 UTC
yes, this was nominated as FE so we could put -99 in Final RC1, basically.

Comment 24 Jared Smith 2014-11-30 13:45:05 UTC
Description of problem:
Trying to connect with OpenVPN

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Comment 25 Jared Smith 2014-11-30 13:49:09 UTC
Description of problem:
Attempting to connect to a VPN using NetworkManager-OpenVPN

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Comment 26 Fedora Update System 2014-12-03 17:15:32 UTC
selinux-policy-3.13.1-99.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Gareth Williams 2014-12-07 22:18:11 UTC
Description of problem:
Attempted to connect to OpenVPN server from NetworkManager and SELinux Alert popped up.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-300.fc21.x86_64
type:           libreport