Bug 789342

Summary: RFE: Default SELinux policy does not support multiple OpenVPN instances
Product: Red Hat Enterprise Linux 6 Reporter: E.Patton <redhatbugzilla>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low Docs Contact:
Priority: unspecified    
Version: 6.2CC: dwalsh, mmalik
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 985435 (view as bug list) Environment:
Last Closed: 2013-08-06 20:40:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 985435    

Description E.Patton 2012-02-10 14:23:19 UTC 
Description of problem:

Default SELinux policy does not work well when running multiple instances of OpenVPN on a single system.

When multiple instances of OpenVPN supporting different trust domains are running on a single system, it is necessary for the ipp.txt file to be renamed so that there is a different ipp.txt file for each instance of OpenVPN.

The ipp.txt file is used by OpenVPN to store IP addresses allocated to VPN clients (using the ifconfig-pool-persist directive). The ipp.txt file must be named distinctly for each running OpenVPN instance otherwise the various running instances of OpenVPN overwrite updates to ipp.txt made by other OpenVPN instances.

ipp.txt is the default given in most OpenVPN example configurations but there is no requirement for the file to be named so and the OpenVPN package clearly allows other names to be used (presumably because of the aforementioned overwriting issue).

OpenVPN is installed from EPEL.

The ipp.txt file is stored in /etc/openvpn/ and is labelled openvpn_etc_rw_t. Files in /etc/openvpn that are not used for ifconfig-pool-persist purposes are of type openvpn_etc_t. 

The default policy for OpenVPN is, however, hardwired to allow only /etc/openvpn/ipp.txt:

"/etc/selinux/targeted/modules/active/file_contexts:/etc/openvpn/ipp.txt --      system_u:object_r:openvpn_etc_rw_t:s0"

Hardwiring the policy to a single file name is inconsistent with the approach adopted  for related aspects of policy which, for example, allow arbitrary (within reason!) filenames for the configuration files for each trust domain.




Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux Server release 6.2 (Santiago)
openvpn-2.2.1-1.el6.x86_64
selinux-policy-targeted-3.7.19-126.el6_2.4.noarch
selinux-policy-3.7.19-126.el6_2.4.noarch

How reproducible:

Every time.

Steps to Reproduce:
1. Install and configure OpenVPN with a ifconfig-pool-persist configuration that uses a storage location other than ipp.txt, e.g.

ifconfig-pool-persist /etc/openvpn/trustdomain_one_ipp.txt

2.
3.
  
Actual results:

OpenVPN fails when a client first connects as the default SELinux type for the file (say) /etc/openvpn/trustdomain_one_ipp.txt is openvpn_etc_t rather than openvpn_etc_rw_t.

# aureport -a |grep openvpn
1. 03/02/12 16:23:29 openvpn unconfined_u:system_r:openvpn_t:s0 2 file write system_u:object_r:openvpn_etc_t:s0 denied 56517

/var/log/messages


Feb  3 16:23:33 xxxxxx setroubleshoot: SELinux is preventing /usr/sbin/openvpn from write access on the file /etc/openvpn xxxxxxxxxx_ipp.txt. For complete SELinux messages. run sealert -l 7067460d-6917-4190-8ed8-e857b91ef442


Expected results:

OpenVPN enjoys unimpeded access to multiple ifconfig-pool-persist files with names other than ipp.txt

Additional info:

The immediate fix for us was to manually set the file's label (slightly tiresome with 10 running instances but not insurmountable):

semanage fcontext -a -t openvpn_etc_rw_t /etc/openvpn/trustdomain_one_ipp.txt 

I can see that there might be an overlapping wildcard problem with respect to the default labelling of files in /etc/openvpn and suggest that consideration be given to changing the policy for ipp.txt to be *ipp.txt. However, I note that there is no defined convention (that I am aware) for naming such files.

Alternatively, https://bugzilla.redhat.com/show_bug.cgi?id=746173 looks like it might address the use of OpenVPN-style VPNs on RHEL. It might be easier to document the above semanage statement rather than change the default policy.
Comment 2 Daniel Walsh 2012-02-10 15:16:51 UTC 
Can we get this file moved to a directory that is supposed to be writable like /var/lib/openvpn  or if not that /etc/openvpn/ipp/.  I am not crazy about confined domains writing to /etc.  

Then the handling of this type of issue becomes a lot easier.  I have no problem fixing the label to be broader, although we have not seen this in Fedora.  But 
moving it to a directory would allow us to set the label on the directory and then an admin creating a new file would get the correct label without having to think about SELinux.
Comment 3 RHEL Program Management 2012-05-03 05:20:18 UTC 
Since RHEL 6.3 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 4 Miroslav Grepl 2013-08-06 20:34:49 UTC 
We added SELinux support for /var/lib/openvpn.
Comment 5 Miroslav Grepl 2013-08-06 20:40:06 UTC 

*** This bug has been marked as a duplicate of bug 922732 ***