Bug 979432
| Field | Value |
|---|---|
| Summary | SELinux forbids iptables(1) calls from OpenVPN client-(dis)connect scripts |
| Product | Red Hat Enterprise Linux 6 |
| Component | selinux-policy |
| Version | 6.4 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | Robert Scheck <redhat-bugzilla> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Michal Trunecka <mtruneck> |
| CC | dwalsh, ebenes, mmalik, mtruneck, redhat-bugzilla, robert.scheck, ssekidde |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.7.19-210.el6 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Type | Bug |
| Last Closed | 2013-11-21 10:32:05 UTC |
| Bug Blocks | 982958 |
Description
Robert Scheck
2013-06-28 13:53:39 UTC
Cross-filed case #00897778 on the Red Hat customer portal.

Comment #3 (Daniel Walsh):

Since these scripts could do anything, I think we need to make them unconfined, not just allow them to execute or runas iptables.

Comment #4 (Miroslav Grepl):

What does

# rpm -qf /etc/openvpn/client-connect.sh

(In reply to Daniel Walsh from comment #3)
> Since these scripts could do anything, I think we need to make them
> unconfined, not just allow them to execute or runas iptables.

Interesting thought, but I do not see how this will be solved as the script can be named as the administrator wishes. There is no fixed name for these scripts, it also could be /usr/local/bin/openvpn-something.sh...

(In reply to Miroslav Grepl from comment #4)
> What does
>
> # rpm -qf /etc/openvpn/client-connect.sh

# rpm -qf /etc/openvpn/client-connect.sh
file /etc/openvpn/client-connect.sh is not owned by any package
#

As said above, this will not help us. Alternatively we introduce a label and expect some standard paths and the rest has to be labeled by admins, too? But "man openvpn" also says that some could directly call iptables, if I am not too mistaken by this?

--- snipp ---
[...]
--client-connect cmd
    Run command cmd on client connection. cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single- or double-quoted and/or escaped using a backslash, and should be separated by one or more spaces.

    The command is passed the common name and IP address of the just-authenticated client as environmental variables (see environmental variable section below). The command is also passed the pathname of a freshly created temporary file as the last argument (after any arguments specified in cmd), to be used by the command to pass dynamically generated config file directives back to OpenVPN.

    If the script wants to generate a dynamic config file to be applied on the server when the client connects, it should write it to the file named by the last argument.

    See the --client-config-dir option below for options which can be legally used in a dynamically generated config file.

    Note that the return value of script is significant. If script returns a non-zero error status, it will cause the client to be disconnected.
[...]
--- snapp ---

In order to get OpenVPN really working at the moment, this has to be added e.g. via audit2allow, too:

type=AVC msg=audit(1373141198.664:715753): avc: denied { net_raw } for pid=29284 comm="iptables" capability=13 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=capability
type=SYSCALL msg=audit(1373141198.664:715753): arch=x86_64 syscall=socket success=no exit=EPERM a0=2 a1=3 a2=ff a3=4 items=0 ppid=29282 pid=29284 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=29397 comm=iptables exe=/sbin/iptables-multi-1.4.7 subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1373141198.664:715754): avc: denied { execute } for pid=29285 comm="iptables" name="modprobe" dev=sda2 ino=7340090 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1373141198.664:715754): arch=x86_64 syscall=execve success=no exit=EACCES a0=22f8390 a1=7ffface0c7e0 a2=7ffface0cba8 a3=400 items=0 ppid=29284 pid=29285 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=29397 comm=iptables exe=/sbin/iptables-multi-1.4.7 subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1373141316.539:715814): avc: denied { getopt } for pid=30083 comm="iptables" lport=255 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1373141316.539:715814): arch=x86_64 syscall=getsockopt success=no exit=EACCES a0=3 a1=0 a2=40 a3=7fff4b9c59c0 items=0 ppid=30079 pid=30083 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=29397 comm=iptables exe=/sbin/iptables-multi-1.4.7 subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1373141316.539:715815): avc: denied { read open } for pid=30084 comm="iptables" name="modprobe" dev=sda2 ino=7340090 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1373141316.539:715815): arch=x86_64 syscall=execve success=no exit=EACCES a0=1f75390 a1=7fff4b9c5a00 a2=7fff4b9c5dc8 a3=400 items=0 ppid=30083 pid=30084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=29397 comm=iptables exe=/sbin/iptables-multi-1.4.7 subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1373141469.824:715893): avc: denied { setopt } for pid=31021 comm="iptables" lport=255 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1373141469.824:715893): arch=x86_64 syscall=setsockopt success=no exit=EACCES a0=3 a1=0 a2=40 a3=7f1dab3ad010 items=0 ppid=31019 pid=31021 auid=1005 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=38692 comm=iptables exe=/sbin/iptables-multi-1.4.7 subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

How are we going to proceed?

iptables_domtrans(openvpn_t)

Is probably better.

We could ask openvpn to add an /etc/openvpn/scripts directory and change docs to talk about this directory.

194afdde0f7776e00b41989106e016217f66e88f adds this functionality to git.

Created attachment 771246 [details]
unconfined scripts support to openvpn
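The audit records quoted in the report are the raw material audit2allow turns into allow rules. What follows is an added example, not code from this bug, from selinux-policy or from audit2allow: a small parser that extracts the AVC denials from those sample lines (copied here as constructed input), groups the denied permissions by source type, target type and object class, and renders the rules audit2allow would propose for them. It also lists which SELinux domain each command ran in, which is the point the thread turns on: iptables runs inside openvpn_t instead of its own domain, so the maintainers preferred a domain transition (iptables_domtrans(openvpn_t)) and a dedicated unconfined-script label over loading these allow rules as they are.

```python
"""Summarise SELinux AVC denials from audit records (added example).

The sample lines are copied from the bug report; the parser, grouping and
rule rendering are this example's own code, not part of selinux-policy or
of audit2allow.
"""
import re
from collections import defaultdict

# Constructed input: the denials quoted in the report, one record per line.
# The SYSCALL records are included to show that the parser ignores them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1373141198.664:715753): avc: denied { net_raw } for pid=29284 comm="iptables" capability=13 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=capability
type=SYSCALL msg=audit(1373141198.664:715753): arch=x86_64 syscall=socket success=no exit=EPERM a0=2 a1=3 a2=ff a3=4 items=0 ppid=29282 pid=29284 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=29397 comm=iptables exe=/sbin/iptables-multi-1.4.7 subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1373141198.664:715754): avc: denied { execute } for pid=29285 comm="iptables" name="modprobe" dev=sda2 ino=7340090 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1373141316.539:715814): avc: denied { getopt } for pid=30083 comm="iptables" lport=255 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=rawip_socket
type=AVC msg=audit(1373141316.539:715815): avc: denied { read open } for pid=30084 comm="iptables" name="modprobe" dev=sda2 ino=7340090 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1373141469.824:715893): avc: denied { setopt } for pid=31021 comm="iptables" lport=255 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=rawip_socket
"""

# An AVC record: "type=AVC ... avc: denied { perm perm } for key=value ..."
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (comm="iptables").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec = {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }
    # A context is user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(needed)


def to_allow_rules(needed):
    """Render the grouped denials as policy allow rules, audit2allow-style."""
    rules = []
    for (stype, ttype, tclass), perms in needed.items():
        target = "self" if ttype == stype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return sorted(rules)


def domains_by_comm(log_text):
    """Map each denied command name to the SELinux domain(s) it ran in."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["comm"]:
            seen[rec["comm"]].add(rec["stype"])
    return dict(seen)


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT_LOG)
    for rule in to_allow_rules(summary):
        print(rule)
    for comm, domains in sorted(domains_by_comm(SAMPLE_AUDIT_LOG).items()):
        print(f"{comm} ran as: {', '.join(sorted(domains))}")
```

The rendered rules are a triage aid, not a policy to load: every one of them widens openvpn_t itself, because iptables was executed without a domain transition. Seeing `iptables ran as: openvpn_t` in the output is the signal that the right fix is the transition the maintainers chose rather than a local audit2allow module.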
I backported SELinux fixes from Fedora.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html