Bug 820339

Summary: selinux policy does not allow openvpn to access brctl for bridge operations
Product: [Fedora] Fedora Reporter: Erik M Jacobs <ejacobs>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: dominick.grift, dwalsh, ejacobs, gwync, huzaifas, i, lvrabec, mbaudier, mgrepl, steve
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-06 17:29:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Erik M Jacobs 2012-05-09 17:07:36 UTC 
Description of problem:
When setting up bridged vpns with openvpn, you need to perform bridge operations (brctl) in order to set up the tap bridge after openvpn starts. The default selinux policy does not permit this activity.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-126.el6_2.10.noarch
openvpn-2.2.1-1.el6.x86_64
selinux-policy-3.7.19-126.el6_2.10.noarch

How reproducible:
100%

Steps to Reproduce:
1. Set up openvpn tp use tap/bridge, and create a bridge script that calls brctl
2. start openvpn
  
Actual results:
Failure message is output regarding permission denied to access /usr/sbin/brctl

Expected results:
Access is allowed.

Additional info:
[root@mordor openvpn]# ausearch -m avc -ts 13:02:17
----
time->Wed May  9 13:02:31 2012
type=SYSCALL msg=audit(1336582951.707:82800): arch=c000003e syscall=59 success=yes exit=0 a0=183f330 a1=183d7f0 a2=183d4a0 a3=28 items=0 ppid=1920 pid=1921 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=8964 comm="brctl" exe="/usr/sbin/brctl" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1336582951.707:82800): avc:  denied  { execute_no_trans } for  pid=1921 comm="bridge-start" path="/usr/sbin/brctl" dev=dm-0 ino=143717 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1336582951.707:82800): avc:  denied  { read open } for  pid=1921 comm="bridge-start" name="brctl" dev=dm-0 ino=143717 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1336582951.707:82800): avc:  denied  { execute } for  pid=1921 comm="bridge-start" name="brctl" dev=dm-0 ino=143717 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
[root@mordor openvpn]# ausearch -m avc -ts 13:02:17 | audit2allow


#============= openvpn_t ==============
allow openvpn_t brctl_exec_t:file { read execute open execute_no_trans };

Perhaps there should be a boolean?
Comment 1 Christopher Meng 2013-09-08 06:51:14 UTC 
Status?
Comment 2 Erik M Jacobs 2013-09-09 23:56:23 UTC 
No idea. It's over a year old and I've moved on to other projects.  I don't even really remember why I was testing this at the time. Sorry!
Comment 3 Daniel Walsh 2013-11-12 15:38:50 UTC 
cc19809a17eda7a9750dbcbf1ff8458479b6b04d fixes this in git.

Should be available in the next rawhide release.

SHould be back ported to RHEL6 and RHEL7 as well as fedora 19-21
Comment 4 Christopher Meng 2013-11-12 15:40:31 UTC 
Thanks.

I met this problem long time ago, but until few minutes ago I realized that this bug has been assigned to wrong people.