Bug 1667572

Summary: SELinux is preventing resolvconf from 'write' accesses on the directory resolvconf.
Product: Fedora
Reporter: Ahmed <ahmed>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 29
CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:820a09fde9ebd514ce284d28143ee14ecea73330b21a03bcdc465f15a9c3ec9d;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.14.2-49.fc29
Doc Type: If docs needed, set a value
Last Closed: 2019-02-18 02:04:05 UTC

Description Ahmed 2019-01-18 20:52:41 UTC
Description of problem:
I am using the app /usr/sbin/resolvconf (from the package openresolv: https://roy.marples.name/projects/openresolv)
to prevent DNS leaking with OpenVPN on Linux Fedora 29.
However, SELinux denies read/write on some directories and DNS leaking occurs.
Here is openvpn log:
[ahmed@localhost ~]$ systemctl status openvpn-client@sky -l
● openvpn-client - OpenVPN tunnel for sky
   Loaded: loaded (/usr/lib/systemd/system/openvpn-client@.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-01-18 22:10:38 EET; 33min ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 4670 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 4404)
   Memory: 3.8M
   CGroup: /system.slice/system-openvpn\x2dclient.slice/openvpn-client
           └─4670 /usr/sbin/openvpn --suppress-timestamps --nobind --config sky.conf

янв 18 22:10:41 localhost.localdomain openvpn[4670]: /sbin/ip addr add dev tun0 192.168.17.4/24 broadcast 192.168.17.255
янв 18 22:10:41 localhost.localdomain openvpn[4670]: /etc/openvpn/update-resolv-conf.sh tun0 1500 1554 192.168.17.4 255.255.255.0 init
янв 18 22:10:41 localhost.localdomain openvpn[4670]: dhcp-option DNS 208.67.220.222
янв 18 22:10:41 localhost.localdomain openvpn[4670]: dhcp-option DNS 208.67.222.220
янв 18 22:10:41 localhost.localdomain openvpn[4670]: Cannot write to /run/resolvconf/lock
янв 18 22:10:41 localhost.localdomain openvpn[4670]: /sbin/ip route add 127.0.0.1/32 via 192.168.1.1
янв 18 22:10:41 localhost.localdomain openvpn[4670]: /sbin/ip route add 0.0.0.0/1 via 192.168.17.1
янв 18 22:10:41 localhost.localdomain openvpn[4670]: /sbin/ip route add 128.0.0.0/1 via 192.168.17.1
янв 18 22:10:41 localhost.localdomain openvpn[4670]: /sbin/ip route add 185.159.131.116/32 via 192.168.1.1
янв 18 22:10:41 localhost.localdomain openvpn[4670]: Initialization Sequence Completed

And here is the script update-resolv-conf.sh that works with openresolv:
#!/bin/bash
# OpenVPN --up/--down hook: hands the DNS servers and search domains that the
# server pushed as dhcp-option entries to openresolv, and withdraws them on down.
# OpenVPN exports script_type, dev and the foreign_option_N variables into the
# environment before calling this script.
## RESOLVCONF=/usr/sbin/resolvconf
export PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin
RESOLVCONF=$(type -p resolvconf)

case $script_type in

up)
  # Each foreign_option_N holds one pushed option, e.g. "dhcp-option DNS 208.67.220.222"
  for optionname in ${!foreign_option_*} ; do
    option="${!optionname}"
    echo "$option"
    part1=$(echo "$option" | cut -d " " -f 1)
    if [ "$part1" == "dhcp-option" ] ; then
      part2=$(echo "$option" | cut -d " " -f 2)
      part3=$(echo "$option" | cut -d " " -f 3)
      if [ "$part2" == "DNS" ] ; then
        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
      fi
      if [[ "$part2" == "DOMAIN" || "$part2" == "DOMAIN-SEARCH" ]] ; then
        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
      fi
    fi
  done
  R=""
  if [ "$IF_DNS_SEARCH" ]; then
    R="search "
    for DS in $IF_DNS_SEARCH ; do
      R="${R} $DS"
    done
  R="${R}
"
  fi

  for NS in $IF_DNS_NAMESERVERS ; do
    R="${R}nameserver $NS
"
  done
  #echo -n "$R" | $RESOLVCONF -x -p -a "${dev}"
  echo -n "$R" | $RESOLVCONF -x -a "${dev}.inet"
  ;;
down)
  $RESOLVCONF -d "${dev}.inet"
  ;;
esac

# Workaround / jm 
# force exit with no errors. Due to an apparent conflict with the Network Manager
# $RESOLVCONF sometimes exits with error code 6 even though it has performed the
# action correctly and OpenVPN shuts down.
exit 0
SELinux is preventing resolvconf from 'write' accesses on the directory resolvconf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that resolvconf should be allowed write access on the resolvconf directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'resolvconf' --raw | audit2allow -M my-resolvconf
# semodule -X 300 -i my-resolvconf.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:vpnc_var_run_t:s0
Target Objects                resolvconf [ dir ]
Source                        resolvconf
Source Path                   resolvconf
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-47.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.19.15-300.fc29.x86_64 #1 SMP Mon Jan 14 16:32:35 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-01-18 22:10:41 EET
Last Seen                     2019-01-18 22:10:41 EET
Local ID                      66ef3809-cb33-4ab3-ba0d-b4300802870f

Raw Audit Messages
type=AVC msg=audit(1547842241.228:311): avc:  denied  { write } for  pid=4732 comm="resolvconf" name="resolvconf" dev="tmpfs" ino=37655 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:vpnc_var_run_t:s0 tclass=dir permissive=0


Hash: resolvconf,openvpn_t,vpnc_var_run_t,dir,write

Version-Release number of selected component:
selinux-policy-3.14.2-47.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.19.15-300.fc29.x86_64
type:           libreport
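As an added example (not part of the bug report, of setroubleshoot or of audit2allow), the following Python script parses the raw AVC record quoted above and renders the local policy module that the suggested `ausearch ... | audit2allow -M my-resolvconf` pipeline would write for it. The second AVC line and the SYSCALL line in its sample input are constructed here only to show how several records are merged into one rule and how non-AVC records are skipped; the first line is the one from the report. The module it produces is the narrow interim allow; the permanent fix in selinux-policy (Comment 3) instead grants openvpn_t the broader ability to manage vpnc pidfiles.

```python
"""Parse raw SELinux AVC denials and derive the .te module audit2allow -M would
generate for them. Added example; not code from the bug report or from audit2allow."""
import re
from collections import OrderedDict

# Constructed sample input. Line 1 is the "Raw Audit Messages" AVC from the bug
# report; line 2 is a hypothetical follow-on denial on the same directory, and
# line 3 a hypothetical SYSCALL record, both added only to exercise merging/filtering.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1547842241.228:311): avc:  denied  { write } for  pid=4732 comm="resolvconf" name="resolvconf" dev="tmpfs" ino=37655 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:vpnc_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1547842241.229:312): avc:  denied  { add_name } for  pid=4732 comm="resolvconf" name="lock" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:vpnc_var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1547842241.228:311): arch=c000003e syscall=257 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A security context is user:role:type[:mls]; policy rules are written against the type.
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm', ''),
        'name': fields.get('name', ''),
        # permissive=1 means the access was logged but not actually blocked.
        'permissive': fields.get('permissive') == '1',
    }


def collect_denials(audit_text):
    """Group denied AVCs by (source type, target type, class), unioning their permissions."""
    rules = OrderedDict()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        perms = rules.setdefault((rec['source_type'], rec['target_type'], rec['tclass']), [])
        for p in rec['perms']:
            if p not in perms:
                perms.append(p)
    return rules


def perm_set(perms):
    """One permission is written bare; several are written as a braced set."""
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rule(source_type, target_type, tclass, perms):
    return f'allow {source_type} {target_type}:{tclass} {perm_set(perms)};'


def module_te(name, rules):
    """Render a .te file in the shape `audit2allow -M <name>` produces."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    classes = OrderedDict()
    for (_, _, cls), perms in rules.items():
        cp = classes.setdefault(cls, [])
        for p in perms:
            if p not in cp:
                cp.append(p)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {cls} {perm_set(perms)};' for cls, perms in classes.items()]
    out += ['}', '']
    for (src, tgt, cls), perms in rules.items():
        out.append(f'#============= {src} ==============')
        out.append(allow_rule(src, tgt, cls, perms))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(module_te('my-resolvconf', collect_denials(SAMPLE_AUDIT)))
```

Feeding this the report's single AVC line yields `allow openvpn_t vpnc_var_run_t:dir write;`, which is exactly the access the denial blocked and nothing more; with the constructed second record it widens to `{ write add_name }`. That is the trade-off of a catchall local module: it unblocks only the observed accesses, so a later code path (creating the lock file, for instance) will produce a fresh denial rather than silently succeeding, and the `permissive` flag tells you whether a logged record was actually enforced.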

Comment 1 Lukas Vrabec 2019-01-20 17:57:48 UTC
*** Bug 1667284 has been marked as a duplicate of this bug. ***

Comment 2 Ahmed 2019-01-22 11:27:43 UTC
Description of problem:
Openresolv error

Version-Release number of selected component:
selinux-policy-3.14.2-47.fc29.noarch

Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.19.15-300.fc29.x86_64
type:           libreport

Comment 3 Lukas Vrabec 2019-01-22 17:23:57 UTC
commit 00357ee6b30abe3af9c97164467837ea4d246042 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jan 22 18:23:18 2019 +0100

    Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)

Comment 4 Fedora Update System 2019-02-15 07:59:35 UTC
selinux-policy-3.14.2-49.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7c13db036c

Comment 5 Fedora Update System 2019-02-16 03:05:02 UTC
selinux-policy-3.14.2-49.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7c13db036c

Comment 6 Fedora Update System 2019-02-18 02:04:05 UTC
selinux-policy-3.14.2-49.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.