Descriptionfrancois.poirotte
2023-08-02 06:38:39 UTC
Description of problem:
This happened after I connected to an openconnect VPN using the NetworkManager applet.
Audit logs:
18869:type=AVC msg=audit(1690957704.598:255609): avc: denied { read write } for pid=1285918 comm="openconnect" name="vhost-net" dev="devtmpfs" ino=592 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=1
18870:type=AVC msg=audit(1690957704.598:255610): avc: denied { open } for pid=1285918 comm="openconnect" path="/dev/vhost-net" dev="devtmpfs" ino=592 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=1
18871:type=AVC msg=audit(1690957704.598:255611): avc: denied { ioctl } for pid=1285918 comm="openconnect" path="/dev/vhost-net" dev="devtmpfs" ino=592 ioctlcmd=0xaf01 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=1
SELinux is preventing openconnect from read, write access on the chr_file vhost-net.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that openconnect should be allowed read write access on the vhost-net chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'openconnect' --raw | audit2allow -M my-openconnect
# semodule -X 300 -i my-openconnect.pp
Additional Information:
Source Context system_u:system_r:vpnc_t:s0
Target Context system_u:object_r:vhost_device_t:s0
Target Objects vhost-net [ chr_file ]
Source openconnect
Source Path openconnect
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.21-1.fc38.noarch
Local Policy RPM selinux-policy-targeted-38.21-1.fc38.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 6.3.8-200.fc38.x86_64 #1 SMP
PREEMPT_DYNAMIC Thu Jun 15 02:15:40 UTC 2023
x86_64
Alert Count 2
First Seen 2023-07-31 10:44:40 CEST
Last Seen 2023-08-02 08:28:24 CEST
Local ID fcae3e8d-51da-4cd2-bac2-c23d4742312b
Raw Audit Messages
type=AVC msg=audit(1690957704.598:255609): avc: denied { read write } for pid=1285918 comm="openconnect" name="vhost-net" dev="devtmpfs" ino=592 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=1
Hash: openconnect,vpnc_t,vhost_device_t,chr_file,read,write
Version-Release number of selected component:
selinux-policy-targeted-38.21-1.fc38.noarch
Additional info:
reporter: libreport-2.17.11
component: selinux-policy
type: libreport
hashmarkername: setroubleshoot
kernel: 6.3.8-200.fc38.x86_64
package: selinux-policy-targeted-38.21-1.fc38.noarch
component: selinux-policy
Comment 1francois.poirotte
2023-08-02 06:38:41 UTC
Description of problem: This happened after I connected to an openconnect VPN using the NetworkManager applet. Audit logs: 18869:type=AVC msg=audit(1690957704.598:255609): avc: denied { read write } for pid=1285918 comm="openconnect" name="vhost-net" dev="devtmpfs" ino=592 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=1 18870:type=AVC msg=audit(1690957704.598:255610): avc: denied { open } for pid=1285918 comm="openconnect" path="/dev/vhost-net" dev="devtmpfs" ino=592 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=1 18871:type=AVC msg=audit(1690957704.598:255611): avc: denied { ioctl } for pid=1285918 comm="openconnect" path="/dev/vhost-net" dev="devtmpfs" ino=592 ioctlcmd=0xaf01 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=1 SELinux is preventing openconnect from read, write access on the chr_file vhost-net. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that openconnect should be allowed read write access on the vhost-net chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'openconnect' --raw | audit2allow -M my-openconnect # semodule -X 300 -i my-openconnect.pp Additional Information: Source Context system_u:system_r:vpnc_t:s0 Target Context system_u:object_r:vhost_device_t:s0 Target Objects vhost-net [ chr_file ] Source openconnect Source Path openconnect Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-38.21-1.fc38.noarch Local Policy RPM selinux-policy-targeted-38.21-1.fc38.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 6.3.8-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jun 15 02:15:40 UTC 2023 x86_64 Alert Count 2 First Seen 2023-07-31 10:44:40 CEST Last Seen 2023-08-02 08:28:24 CEST Local ID fcae3e8d-51da-4cd2-bac2-c23d4742312b Raw Audit Messages type=AVC msg=audit(1690957704.598:255609): avc: denied { read write } for pid=1285918 comm="openconnect" name="vhost-net" dev="devtmpfs" ino=592 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=1 Hash: openconnect,vpnc_t,vhost_device_t,chr_file,read,write Version-Release number of selected component: selinux-policy-targeted-38.21-1.fc38.noarch Additional info: reporter: libreport-2.17.11 component: selinux-policy type: libreport hashmarkername: setroubleshoot kernel: 6.3.8-200.fc38.x86_64 package: selinux-policy-targeted-38.21-1.fc38.noarch component: selinux-policy