Bug 670460
Summary: | SELinux prevents openvpn server functioning on Red Hat Enterprise Linux / CentOS 5.5 | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Răzvan Sandu <rsandu2004> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED CANTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 5.5.z | CC: | dwalsh, mmalik |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2011-06-22 13:53:26 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Răzvan Sandu
2011-01-18 11:25:36 UTC
Reply:

It looks like the "server.conf" is mislabeled. Where is this config file located? I believe you will need to execute

# restorecon -R -v /etc/openvpn

to fix this issue.

Răzvan Sandu:

Hello and thanks,

I already did that, but it doesn't seem to solve the problem. With "setenforce 1", the openvpn service still fails when doing "service openvpn restart". It does not when I have "setenforce 0"...

Best regards,
Răzvan

Reply:

Where is server.conf located?

ls -lZ PATHTO/server.conf

Răzvan Sandu:

Sorry for missing your question. It's /etc/openvpn/server.conf, as installed by default by the rpm package.

[root@mexcentral1 ~]# ls -lZ /etc/openvpn/server.conf
-rw-r--r-- root root system_u:object_r:openvpn_etc_t /etc/openvpn/server.conf

Răzvan

Reply:

Ok then show us the latest avc messages.

ausearch -m avc -ts recent

Răzvan Sandu:

That's strange, I don't have any:

[root@mexcentral1 ~]# ausearch -m avc -ts recent
<no matches>

Reply:

Try to start/restart openvpn service and then run

# ausearch -m avc -ts recent

If you don't see any AVC messages, execute

# semodule -DB
# service openvpn restart
# ausearch -m avc -ts recent

Răzvan Sandu:

Thanks - using the second method, I've got:

[root@mexcentral1 ~]# semodule -DB
[root@mexcentral1 ~]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [EŞUAT]
[root@mexcentral1 ~]# ausearch -m avc -ts recent
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.116:175): arch=c000003e syscall=59 success=yes exit=0 a0=2ab1c88ca7a0 a1=2ab1c88f39a0 a2=0 a3=0 items=0 ppid=17869 pid=17874 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="setfiles" exe="/sbin/setfiles" subj=user_u:system_r:setfiles_t:s0 key=(null)
type=AVC msg=audit(1295372844.116:175): avc: denied { noatsecure } for pid=17874 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
type=AVC msg=audit(1295372844.116:175): avc: denied { rlimitinh } for pid=17874 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
type=AVC msg=audit(1295372844.116:175): avc: denied { siginh } for pid=17874 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.142:176): arch=c000003e syscall=21 success=no exit=-13 a0=868eb70 a1=2 a2=0 a3=42600ac8 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.142:176): avc: denied { write } for pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.143:177): arch=c000003e syscall=21 success=no exit=-13 a0=8a73380 a1=2 a2=0 a3=30acf154a0 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.143:177): avc: denied { write } for pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.178:178): arch=c000003e syscall=21 success=no exit=-13 a0=86a7470 a1=2 a2=0 a3=30acf154a0 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.178:178): avc: denied { write } for pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.192:179): arch=c000003e syscall=21 success=no exit=-13 a0=8b56420 a1=2 a2=0 a3=42600608 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.192:179): avc: denied { write } for pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.193:180): arch=c000003e syscall=21 success=no exit=-13 a0=87950b0 a1=2 a2=0 a3=30acf154a0 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.193:180): avc: denied { write } for pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.195:181): arch=c000003e syscall=21 success=no exit=-13 a0=88548e0 a1=2 a2=0 a3=30acf154a0 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.195:181): avc: denied { write } for pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:31 2011
type=SYSCALL msg=audit(1295372851.190:183): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9dc845d0 a1=0 a2=0 a3=2b21b67860a3 items=0 ppid=17891 pid=17900 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1295372851.190:183): avc: denied { search } for pid=17900 comm="openvpn" name="/" dev=selinuxfs ino=400 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:31 2011
type=SYSCALL msg=audit(1295372851.325:184): arch=c000003e syscall=2 success=no exit=-13 a0=4d023a8 a1=0 a2=1b6 a3=0 items=0 ppid=17891 pid=17900 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1295372851.325:184): avc: denied { search } for pid=17900 comm="openvpn" name="root" dev=sda2 ino=1113025 scontext=user_u:system_r:openvpn_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:31 2011
type=SYSCALL msg=audit(1295372851.190:182): arch=c000003e syscall=2 success=no exit=-13 a0=30b2012a04 a1=0 a2=1b6 a3=0 items=0 ppid=17891 pid=17900 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1295372851.190:182): avc: denied { search } for pid=17900 comm="openvpn" name="selinux" dev=sda2 ino=9886777 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir

Reply:

Are you storing cert files in a homedir or in /root that openvpn is trying to read?

Răzvan Sandu:

Probably this is not correct, but the keys (as referred to in /etc/openvpn/server.conf) are stored in /root/easy-rsa/keys/, namely:

ca /root/easy-rsa/keys/ca.crt
cert /root/easy-rsa/keys/mexcentral1.crt
key /root/easy-rsa/keys/mexcentral1.key
dh /root/easy-rsa/keys/dh1024.pem

as lines in server.conf.

Another copy of the keys (probably redundant) seems to be present in /etc/openvpn/keys.

The step-by-step procedure used for configuring the server is this:
http://fedoraproject.org/wiki/Openvpn

Regards,
Răzvan

Reply:

Can you change server.conf to read them from /etc/openvpn/keys? Nothing in that document mentions /root, does it?

Thanks,

Răzvan Sandu:

Nothing in that document mentions either another (fixed, standardised) place to put the openvpn folder, or a distro-created, predefined system user that openvpn should run as. :)

The net effect is that SELinux forbids the actions of the openvpn daemon, preventing connections.

IMHO, this is at least a bug in the documentation. Or even in the openvpn RPM package itself, which should pre-create the directory in the correct place, with the proper SELinux permissions.

Regards,
Răzvan

Reply:

You are reporting what you believe is a bug potentially in OpenVPN on rhel5, which is a package that does not ship in RHEL5, and it looks like you used the Fedora package. Either open this as a bug in Fedora or on OpenVPN.
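The diagnosis in this thread comes down to reading the ausearch output and separating the denials that matter (openvpn_t searching a directory labelled user_home_dir_t, i.e. the keys under /root) from the noise that semodule -DB and setroubleshootd generate. The following is an added example, not code from the bug report or from Red Hat, that parses AVC records into fields and performs that triage. The sample records are a subset of the AVC lines quoted above, re-laid one record per line as ausearch prints them; the set of home-directory types it flags (user_home_dir_t, user_home_t) is an assumption chosen for this example.

```python
import re
from collections import Counter

# Constructed sample: a subset of the AVC records quoted in the bug thread,
# one record per line. Real input would come from `ausearch -m avc -ts recent`.
SAMPLE_AVC = """\
type=AVC msg=audit(1295372844.116:175): avc: denied { noatsecure } for pid=17874 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
type=AVC msg=audit(1295372844.142:176): avc: denied { write } for pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1295372851.190:183): avc: denied { search } for pid=17900 comm="openvpn" name="/" dev=selinuxfs ino=400 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1295372851.325:184): avc: denied { search } for pid=17900 comm="openvpn" name="root" dev=sda2 ino=1113025 scontext=user_u:system_r:openvpn_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1295372851.190:182): avc: denied { search } for pid=17900 comm="openvpn" name="selinux" dev=sda2 ino=9886777 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
"""

# Header of an AVC record: timestamp:serial, the denied permission set, then key=value fields.
# ' +' tolerates both the single space seen above and the double space the kernel emits.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$'
)
# key=value pairs; quoted values (comm, name) may contain spaces or slashes.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that a system daemon normally has no business touching.
# Assumption for this example: a denial against these means the daemon was
# pointed at files living in a home directory rather than at its own labels.
HOME_TYPES = {'user_home_dir_t', 'user_home_t'}


def parse_avc(text):
    """Parse AVC records into dicts; SYSCALL and other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        rec = {'time': float(m.group('ts')),
               'serial': int(m.group('serial')),
               'perms': m.group('perms').split(),
               **fields}
        # Third component of a context is the SELinux type (user:role:type:level).
        rec['stype'] = rec.get('scontext', '::?:').split(':')[2]
        rec['ttype'] = rec.get('tcontext', '::?:').split(':')[2]
        records.append(rec)
    return records


def denials_for(records, domain):
    """Only the denials whose subject runs in the given domain, e.g. openvpn_t."""
    return [r for r in records if r['stype'] == domain]


def home_dir_denials(records, domain):
    """Denials where the daemon domain was refused access to a home-directory label."""
    return [r for r in denials_for(records, domain) if r['ttype'] in HOME_TYPES]


def summarize(records):
    """Count denials as (source type, permission, object class, target type)."""
    counts = Counter()
    for rec in records:
        for perm in rec['perms']:
            counts[(rec['stype'], perm, rec['tclass'], rec['ttype'])] += 1
    return counts


if __name__ == '__main__':
    recs = parse_avc(SAMPLE_AVC)
    for key, n in sorted(summarize(recs).items()):
        print('%3d  %-20s %-12s %-8s %s' % ((n,) + key))
    for r in home_dir_denials(recs, 'openvpn_t'):
        print('openvpn_t hit a home-directory label: name=%s tcontext=%s'
              % (r['name'], r['tcontext']))
```

Running it on the sample prints one line per (domain, permission, class, target) combination, which makes the semanage_t and setroubleshootd_t entries stand out as by-products of the diagnostic commands, and then singles out the openvpn_t search denial on user_home_dir_t as the one that explains the failed service start.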