Bug 558402
| Summary: | SELinux is preventing /usr/sbin/openvpn "[open|lock|read]" access on /var/run/utmp | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Anthony Messina <amessina> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 13 | Keywords: | Reopened |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-33.fc13 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-07-06 17:09:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Miroslav add init_read_utmp(openvpn_t) init_dontaudit_write_utmp(openvpn_t) Fixed in selinux-policy-3.6.32-78.fc12 selinux-policy-3.6.32-78.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-78.fc12 selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1207 selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. Reopening. This issue has crep up again in fc13:
selinux-policy-targeted-3.7.19-23.fc13.noarch
node=chicago.messinet.com type=AVC msg=audit(1277324855.50:3714): avc: denied { read } for pid=1320 comm="openvpn" name="utmp" dev=sdd3 ino=3529447 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
node=chicago.messinet.com type=AVC msg=audit(1277324855.50:3714): avc: denied { open } for pid=1320 comm="openvpn" name="utmp" dev=sdd3 ino=3529447 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
node=chicago.messinet.com type=SYSCALL msg=audit(1277324855.50:3714): arch=c000003e syscall=2 success=yes exit=5 a0=3e9eb42fa6 a1=80000 a2=3e9eb42fa6 a3=fffffffffffffc6b items=0 ppid=1 pid=1320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
node=chicago.messinet.com type=AVC msg=audit(1277324855.50:3715): avc: denied { lock } for pid=1320 comm="openvpn" path="/var/run/utmp" dev=sdd3 ino=3529447 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
node=chicago.messinet.com type=SYSCALL msg=audit(1277324855.50:3715): arch=c000003e syscall=72 success=yes exit=0 a0=5 a1=7 a2=7fffa135a4c0 a3=8 items=0 ppid=1 pid=1320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
Fixed in selinux-policy-3.7.19-32.fc13 selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13 selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13 selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. |
Using OpenVPN and the password module, I get the following SELinux denials for open, lock and read on /var/run/utmp: node=chicago.messinet.com type=AVC msg=audit(1264407767.959:2260): avc: denied { read } for pid=1285 comm="openvpn" name="utmp" dev=sdd3 ino=3529447 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file node=chicago.messinet.com type=AVC msg=audit(1264407767.959:2260): avc: denied { open } for pid=1285 comm="openvpn" name="utmp" dev=sdd3 ino=3529447 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file node=chicago.messinet.com type=SYSCALL msg=audit(1264407767.959:2260): arch=c000003e syscall=2 success=yes exit=5 a0=328e53d6dc a1=80000 a2=328e53d6dc a3=fffffffffffffa2b items=0 ppid=1 pid=1285 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null) node=chicago.messinet.com type=AVC msg=audit(1264407767.959:2261): avc: denied { lock } for pid=1285 comm="openvpn" path="/var/run/utmp" dev=sdd3 ino=3529447 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file node=chicago.messinet.com type=SYSCALL msg=audit(1264407767.959:2261): arch=c000003e syscall=72 success=yes exit=0 a0=5 a1=7 a2=7fff8e5184d0 a3=8 items=0 ppid=1 pid=1285 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)