Bug 1661065

Summary: SELinux prevents OpenVPN client from setting DNS server upon activation
Product: Fedora
Reporter: W. Michael Petullo <mike>
Component: selinux-policy-targeted
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 29
CC: dwalsh
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-01-17 02:17:08 UTC
Type: Bug

Description W. Michael Petullo 2018-12-20 03:11:43 UTC
Description of problem:
I use OpenVPN, and I have configured my client to update /etc/resolv.conf upon establishing an OpenVPN connection.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.14.2-44.fc29.noarch
openvpn-2.4.6-3.fc29.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Copy /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.{up,down} to /etc/openvpn/client and set the scripts as executable.

2. Configure OpenVPN, including the following statements:

up /etc/openvpn/client/client.up
down /etc/openvpn/client/client.down

These scripts use resolvconf to manipulate the DNS server used by the computer's resolvers.

3. Start the OpenVPN client service

Actual results:

OpenVPN runs as: system_u:system_r:openvpn_t:s0

Logs: [...] Failed to set DNS configuration: Access denied

If I run "setenforce 0", then the computer logs the following:

Dec 19 08:11:31 imp.flyn.org audit[4570]: AVC avc:  denied  { read } for  pid=4570 comm="resolvconf" name="environ" dev="proc" ino=34 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
Dec 19 08:11:31 imp.flyn.org audit[4570]: AVC avc:  denied  { open } for  pid=4570 comm="resolvconf" path="/proc/1/environ" dev="proc" ino=34 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
Dec 19 08:11:31 imp.flyn.org audit[4570]: AVC avc:  denied  { getattr } for  pid=4570 comm="resolvconf" path="/proc/1/sched" dev="proc" ino=35 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
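The three AVC records above are enough to derive the allow rule the policy is missing, which is what the eventual fix ("allow openvpn_t domain to read systemd state") grants: read access by openvpn_t to init_t files such as /proc/1/environ and /proc/1/sched. The script below is an added example, not from the bug report or from the Fedora policy; it embeds the report's three records as a constructed sample and assumes only POSIX awk and sort are available.

```shell
#!/bin/sh
# Constructed sample: the three AVC records from the report, embedded so the
# script runs offline. On a live system feed it `ausearch -m avc -ts recent`.
SAMPLE_AVC='Dec 19 08:11:31 imp.flyn.org audit[4570]: AVC avc:  denied  { read } for  pid=4570 comm="resolvconf" name="environ" dev="proc" ino=34 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
Dec 19 08:11:31 imp.flyn.org audit[4570]: AVC avc:  denied  { open } for  pid=4570 comm="resolvconf" path="/proc/1/environ" dev="proc" ino=34 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
Dec 19 08:11:31 imp.flyn.org audit[4570]: AVC avc:  denied  { getattr } for  pid=4570 comm="resolvconf" path="/proc/1/sched" dev="proc" ino=35 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1'

# avc_to_allow_rules: read AVC "denied" records on stdin, group the denied
# permissions by (source type, target type, object class) and print one
# allow rule per group in policy .te syntax, permissions sorted so the output
# is deterministic. It mirrors what audit2allow derives from such records, so
# you can see exactly which access a local module would open before loading it.
avc_to_allow_rules() {
    awk '/avc:[[:space:]]+denied/ {
        # the permission set is the word list between "{" and "}"
        perms = $0
        sub(/^.*\{[[:space:]]*/, "", perms)
        sub(/[[:space:]]*\}.*$/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            # third colon-separated field of a context is the type
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, /[[:space:]]+/)
        for (i = 1; i <= n; i++) print src, tgt, cls, p[i]
    }' | LC_ALL=C sort -u | awk '{
        # aggregate the deduplicated (src tgt cls perm) rows into one rule each
        key = $1 " " $2 ":" $3
        if (!(key in perms)) { order[++n] = key; perms[key] = $4 }
        else perms[key] = perms[key] " " $4
    }
    END {
        for (i = 1; i <= n; i++)
            print "allow " order[i] " { " perms[order[i]] " };"
    }'
}

# Usage: for the sample this prints
#   allow openvpn_t init_t:file { getattr open read };
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow_rules
```

Because the denials were captured in permissive mode, all three accesses appear; in enforcing mode only the first denial is logged and the rule would look narrower than what the script actually needs.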

Comment 1 W. Michael Petullo 2018-12-20 03:17:21 UTC
See also bug #1381413.

Comment 2 Lukas Vrabec 2019-01-10 16:44:12 UTC
commit f3162415a28e558896b0ffeb702b8f46d12665ef (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jan 10 17:43:45 2019 +0100

    Allow openvpn_t domain to read systemd state BZ(1661065)

Comment 3 Fedora Update System 2019-01-13 15:45:26 UTC
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 4 Fedora Update System 2019-01-14 03:03:35 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 5 Fedora Update System 2019-01-17 02:17:08 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.