Bug 630408
Summary: | allow openvpn to attach/detach/change persistently opened tun0 device | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Mr-4 <mr.dash.four>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Docs Contact: |
Priority: | low | |
Version: | 13 | CC: | dwalsh, mgrepl
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | selinux-policy-3.7.19-57.fc13 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2010-09-22 00:38:02 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Mr-4
2010-09-05 12:26:35 UTC
Rawhide has

    optional_policy(`
        unconfined_attach_tun_iface(openvpn_t)
    ')

which I will add.

If you execute

    # grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

does it work?

> type=AVC msg=audit(1283619145.372:45): avc: denied { relabelto } for
> pid=1846 comm="iptables"
> scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:mysqld_t:s0 tclass=packet

I guess this AVC is related to the #630476 bug.

(In reply to comment #2)
> > type=AVC msg=audit(1283619145.372:45): avc: denied { relabelto } for
> > pid=1846 comm="iptables"
> > scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:mysqld_t:s0 tclass=packet
>
> I guess this AVC is related to the #630476 bug.

Humble apologies! Indeed it is, though you may close this bug (#630476) as I found a solution, which is unrelated to SELinux itself, but to the policy I was writing. My mistake was that I used a type without specifying an associated attribute, which is similar or has an alias to the "packet_type" attribute, hence why SELinux gets mad. I used "type sshd_packet_t;" instead of "type sshd_packet_t, packet_type;". Once I corrected that all went well and iptables was allowed to do its job, so this "bug" may now be closed.

As far as the "relabelto" on openvpn goes - it happens when a shutdown script is executed which uses "openvpn --rmtun". As this shutdown script is, in most cases, executed under a uid/gid with fewer privileges than root, the removal/resetting of the device - which is persistent - is not allowed.

(In reply to comment #1)
> Rawhide has
>
> optional_policy(`
>     unconfined_attach_tun_iface(openvpn_t)
> ')
>
> which I will add.
>
> If you execute
>
> # grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> does it work?

I am not certain how "unconfined_attach_tun_iface" would be affected if I use labelled packets. Could you expand on what "unconfined_attach_tun_iface(openvpn_t)" does, as I am not using rawhide (my selinux is on -51 - the latest policy which comes out of my repo - I am on FC13).

Fixed in selinux-policy-3.7.19-55.fc13.

selinux-policy-3.7.19-57.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-57.fc13

selinux-policy-3.7.19-57.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-57.fc13

selinux-policy-3.7.19-57.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
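The two policy points raised in this thread, the bare packet type that iptables could not relabel to and the question of what unconfined_attach_tun_iface(openvpn_t) actually grants, spelled out as one local policy module. This is an added example written by the editor, not a module from this bug report, from the reporter, or from the Fedora policy. The module name sshd_packet is an assumption, and the two tun_socket rules are the editor's understanding of what the Fedora interface expands to, not text copied from it; a reader on a different policy version should compare against the interface body in unconfined.if before relying on it.

```selinux
# Local module for this example; the name is an assumption.
policy_module(sshd_packet, 1.0)

require {
    type iptables_t;
    type openvpn_t;
    type unconfined_t;
    attribute packet_type;
}

# Broken declaration from the bug report:
#
#   type sshd_packet_t;
#
# A bare type carries no attribute, and the base policy grants iptables_t
# "relabelto" on class "packet" only for types that have the packet_type
# attribute. A SECMARK rule that sets sshd_packet_t therefore produces
# exactly the AVC quoted above: denied { relabelto } ... tclass=packet.
#
# Corrected declaration: attach packet_type so the existing base rule for
# iptables_t already covers the new type and no extra allow rule is needed.
type sshd_packet_t, packet_type;

# What unconfined_attach_tun_iface(openvpn_t) is assumed to grant, written
# as raw rules (editor's reading of the interface, not copied from it).
# A persistent tun0 created with "openvpn --mktun" by an unconfined admin
# keeps unconfined_t as its tun_socket label. When openvpn_t later attaches
# to it, or removes it with "openvpn --rmtun", the kernel checks
# relabelfrom on the old label and relabelto on the caller's own label.
allow openvpn_t unconfined_t:tun_socket relabelfrom;
allow openvpn_t self:tun_socket relabelto;
```

Two things follow from the module as written. First, the packet fix adds no permission at all: the attribute is enough, so audit2allow output that proposes a direct "allow iptables_t sshd_packet_t:packet relabelto" rule is a sign the type was declared without packet_type and should be fixed at the declaration rather than papered over. Second, the tun rules are scoped to the label of whoever created the persistent device; if the device is created under some other domain (a systemd unit, a different admin role), the relabelfrom source must name that domain instead of unconfined_t, which is why the reporter's shutdown script running under a different identity hit the denial in the first place.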