Bug 577520

Summary: SELinux is preventing /usr/sbin/openvpn "write" access on /tmp
Product: [Fedora] Fedora Reporter: Anthony Messina <amessina>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dcbw, dwalsh, huzaifas, mgrepl, nalin, steve
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.6.32-108.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-09 01:24:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Anthony Messina 2010-03-27 18:47:05 UTC 
Using selinux-policy-targeted-3.6.32-103.fc12.noarch, I get the following OpenVPN related SELinux denials when I useusername/password authentication in addition to certificates with OpenVPN.  My users are authenticated via PAM -> Kerberos.


node=chicago.messinet.com type=AVC msg=audit(1269713804.993:312): avc:  denied  { write } for  pid=7495 comm="openvpn" name="tmp" dev=sdd3 ino=4276369 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

node=chicago.messinet.com type=AVC msg=audit(1269713804.993:312): avc:  denied  { add_name } for  pid=7495 comm="openvpn" name="krb5cc_483_ZvKCdF" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

node=chicago.messinet.com type=AVC msg=audit(1269713804.993:312): avc:  denied  { create } for  pid=7495 comm="openvpn" name="krb5cc_483_ZvKCdF" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

node=chicago.messinet.com type=AVC msg=audit(1269713804.993:312): avc:  denied  { read write open } for  pid=7495 comm="openvpn" name="krb5cc_483_ZvKCdF" dev=sdd3 ino=4276381 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1269713804.993:312): arch=c000003e syscall=2 success=yes exit=0 a0=febdf5 a1=c2 a2=180 a3=1 items=0 ppid=1297 pid=7495 auid=4294967295 uid=483 gid=477 euid=483 suid=483 fsuid=483 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)



node=chicago.messinet.com type=AVC msg=audit(1269713804.994:313): avc:  denied  { remove_name } for  pid=7495 comm="openvpn" name="krb5cc_483_ZvKCdF" dev=sdd3 ino=4276381 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

node=chicago.messinet.com type=AVC msg=audit(1269713804.994:313): avc:  denied  { unlink } for  pid=7495 comm="openvpn" name="krb5cc_483_ZvKCdF" dev=sdd3 ino=4276381 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1269713804.994:313): arch=c000003e syscall=87 success=yes exit=0 a0=fd6610 a1=ffffffff a2=1 a3=7fffca9e17c0 items=0 ppid=1297 pid=7495 auid=4294967295 uid=483 gid=477 euid=483 suid=483 fsuid=483 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)


node=chicago.messinet.com type=AVC msg=audit(1269713805.155:314): avc:  denied  { create } for  pid=7495 comm="openvpn" name="krb5cc_483_ZvKCdF" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

node=chicago.messinet.com type=AVC msg=audit(1269713805.155:314): avc:  denied  { read write open } for  pid=7495 comm="openvpn" name="krb5cc_483_ZvKCdF" dev=sdd3 ino=4276381 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1269713805.155:314): arch=c000003e syscall=2 success=yes exit=4294967424 a0=fd6610 a1=2c2 a2=180 a3=7fffca9e1740 items=0 ppid=1297 pid=7495 auid=4294967295 uid=483 gid=477 euid=483 suid=483 fsuid=483 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)


node=chicago.messinet.com type=AVC msg=audit(1269713805.157:317): avc:  denied  { getattr } for  pid=7495 comm="openvpn" path="/tmp/krb5cc_483_ZvKCdF" dev=sdd3 ino=4276381 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1269713805.157:317): arch=c000003e syscall=5 success=yes exit=4294967424 a0=0 a1=7fffca9e1ce0 a2=7fffca9e1ce0 a3=5858585858585f items=0 ppid=1297 pid=7495 auid=4294967295 uid=483 gid=477 euid=483 suid=483 fsuid=483 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)



node=chicago.messinet.com type=AVC msg=audit(1269713805.157:315): avc:  denied  { lock } for  pid=7495 comm="openvpn" path="/tmp/krb5cc_483_ZvKCdF" dev=sdd3 ino=4276381 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1269713805.157:315): arch=c000003e syscall=72 success=yes exit=0 a0=0 a1=7 a2=7fffca9e19e0 a3=7fffca9e17c0 items=0 ppid=1297 pid=7495 auid=4294967295 uid=483 gid=477 euid=483 suid=483 fsuid=483 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)



node=chicago.messinet.com type=AVC msg=audit(1269713805.157:316): avc:  denied  { setattr } for  pid=7495 comm="openvpn" name="krb5cc_483_ZvKCdF" dev=sdd3 ino=4276381 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1269713805.157:316): arch=c000003e syscall=91 success=yes exit=0 a0=0 a1=180 a2=0 a3=7fffca9e1c40 items=0 ppid=1297 pid=7495 auid=4294967295 uid=483 gid=477 euid=483 suid=483 fsuid=483 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)



node=chicago.messinet.com type=AVC msg=audit(1269713805.166:318): avc:  denied  { unlink } for  pid=7495 comm="openvpn" name="krb5cc_483_ZvKCdF" dev=sdd3 ino=4276381 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1269713805.166:318): arch=c000003e syscall=87 success=yes exit=0 a0=fd63d0 a1=0 a2=328e774ed8 a3=8 items=0 ppid=1297 pid=7495 auid=4294967295 uid=483 gid=477 euid=483 suid=483 fsuid=483 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
Comment 1 Daniel Walsh 2010-03-29 13:31:46 UTC 
Can you kinit before running openvpn?  Or is the kinit part of the openvpn process?
Comment 2 Daniel Walsh 2010-03-29 13:41:22 UTC 
This matters because I can either label the kerberos tickets as being used only by the openvpn tool or by users also.
Comment 3 Anthony Messina 2010-03-29 22:11:22 UTC 
This error occurs only on the server, which is set up as a many client to one server.  I am using the openvpn-auth-pam.so plugin, as provided by the package.  My PAM config points to Kerberos.  Each client has a username principle in Kerberos.  These errors did not exist prior to the last update:

~]# rpm -q --changelog pam_krb5-2.3.7-3.fc12.x86_64 | more
* Mon Mar 08 2010 Nalin Dahyabhai <nalin> - 2.3.7-3
- pull down patch from devel to create a ccache for use while calling
  krb5_kuserok (#563442)


Here's the password auth plugin usage in the openvpn config:

# Username/Password authentication via the
# openvpn-auth-pam.so plugin
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so login
Comment 4 Daniel Walsh 2010-03-30 13:06:34 UTC 
And to think Nalin sits right next to me...

Miroslav,

Add

type openvpn_tmp_t;
files_tmp_file(openvpn_tmp_

manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
Comment 5 Miroslav Grepl 2010-03-30 14:25:34 UTC 
Fixed in selinux-policy-3.6.32-108.fc12
Comment 6 Fedora Update System 2010-03-30 19:47:45 UTC 
selinux-policy-3.6.32-108.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-108.fc12
Comment 7 Fedora Update System 2010-04-01 01:53:42 UTC 
selinux-policy-3.6.32-108.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-108.fc12
Comment 8 Fedora Update System 2010-04-09 01:23:21 UTC 
selinux-policy-3.6.32-108.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.