Bug 1164182 - SELinux prevents openvpn from accessing management socket
Summary: SELinux prevents openvpn from accessing management socket
Keywords:
Status: CLOSED DUPLICATE of bug 1165110
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1164186
Depends On:
Blocks:
Reported: 2014-11-14 09:33 UTC by Andreas Fleig
Modified: 2014-11-19 13:51 UTC (History)
CC List: 12 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-19 13:51:01 UTC
Type: Bug
Embargoed:

Description Andreas Fleig 2014-11-14 09:33:01 UTC
Description of problem:

NetworkManager-openvpn uses a management socket to send credentials to
openvpn child processes. In the latest package version, this socket is now a
Unix socket below /run/NetworkManager. SELinux prevents openvpn from accessing
this socket.


Version-Release number of selected component (if applicable):

NetworkManager-openvpn.3.20141110gitda5fb9b.fc21 (updates-testing)
selinux-policy.3.13.1


How reproducible:
always


Steps to Reproduce:
1. Create an OpenVPN connection through NetworkManager
2. Try to connect


Actual results:
SELinux prevents openvpn from accessing /var/run/NetworkManager, and therefore
openvpn never gets the credentials for the connection.


Expected results:
SELinux should allow openvpn to access the management socket (although not necessarily below /run/NetworkManager)


Additional info:

NetworkManager-openvpn, previously:
https://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.c?id=738fa8edb684e0968f1d52327e978066bca82484#n1123

NetworkManager-openvpn, now:
https://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.c?id=da5fb9#n1187


SETroubleshoot Details:

SELinux is preventing openvpn from search access on the directory NetworkManager.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that openvpn should be allowed search access on the NetworkManager directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                NetworkManager [ dir ]
Source                        openvpn
Source Path                   openvpn
Port                          <Unknown>
Host                          lski-029
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-92.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lski-029
Platform                      Linux lski-029 3.17.2-300.fc21.x86_64 #1 SMP Thu
                              Oct 30 19:23:48 UTC 2014 x86_64 x86_64
Alert Count                   3
First Seen                    2014-11-14 09:36:18 CET
Last Seen                     2014-11-14 09:37:49 CET
Local ID                      f8abf0db-94b8-4aa5-b847-71d616e60e50

Raw Audit Messages
type=AVC msg=audit(1415954269.733:4013): avc:  denied  { search } for  pid=7508 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=19883 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0


Hash: openvpn,openvpn_t,NetworkManager_var_run_t,dir,search

Comment 1 Lukas Vrabec 2014-11-14 11:50:48 UTC
*** Bug 1164186 has been marked as a duplicate of this bug. ***

Comment 2 Lukas Vrabec 2014-11-14 11:56:11 UTC
commit 1e7882e582e0d769e87263dd0f1dcb0feaa663b3
Author: Lukas Vrabec <lvrabec>
Date:   Fri Nov 14 12:54:40 2014 +0100

    Allow openvpn to stream connect to networkmanager. BZ(1164182)

Comment 3 Sumit Bose 2014-11-14 17:02:27 UTC
I now get 

type=AVC msg=audit(1415984220.840:449): avc:  denied  { write } for  pid=2327 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=21852 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0

with selinux-policy-3.13.1-96.fc21.

Comment 4 Suren Karapetyan 2014-11-17 08:30:37 UTC
Description of problem:
1. Create an openvpn connection with a pre-shared key from user's home directory (might be or not be important)
2. Activate the connection

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.2-300.fc21.x86_64
type:           libreport

Comment 5 Dawid Zamirski 2014-11-17 12:38:25 UTC
Description of problem:
Tried to connect to openvpn network.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.2-300.fc21.x86_64
type:           libreport

Comment 6 L.L.Robinson 2014-11-18 21:15:44 UTC
Description of problem:
Starting an existing VPN 

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.2-300.fc21.x86_64
type:           libreport

Comment 7 Paolo Bonzini 2014-11-19 09:14:11 UTC
Description of problem:
See also bug 1165572.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Comment 8 Sumit Bose 2014-11-19 09:26:49 UTC
I get the following with selinux-policy-3.13.1-96.fc21.noarch in permissive mode:

# ausearch -ts recent -m AVC
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1041): avc:  denied  { write } for  pid=26587 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=22979 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1042): avc:  denied  { remove_name } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" dev="tmpfs" ino=52653 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1043): avc:  denied  { unlink } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" dev="tmpfs" ino=52653 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file permissive=1
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1044): avc:  denied  { add_name } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1045): avc:  denied  { create } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file permissive=1



or in short

# ausearch -ts recent -m AVC | audit2allow


#============= openvpn_t ==============
allow openvpn_t NetworkManager_var_run_t:dir { write remove_name add_name };
allow openvpn_t NetworkManager_var_run_t:sock_file { create unlink };


HTH

bye,
Sumit
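
The grouping that `ausearch -m AVC | audit2allow` performed in comment 8, as an added example for offline triage (this is not code from the bug report, from audit2allow or from the selinux-policy project; the sample records are the AVC lines quoted in the report and in comment 8). It also separates denials logged under enforcing mode from those logged under permissive mode, which explains why the report saw only `search`, comment 3 only `write`, and comment 8 needed permissive mode to see all five:

```python
import re
from collections import defaultdict

# Constructed sample: the `search` denial from the report and the five
# denials from comment 8, copied from the AVC lines quoted in this bug.
SAMPLE_AVCS = """\
type=AVC msg=audit(1415954269.733:4013): avc:  denied  { search } for  pid=7508 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=19883 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1416388964.261:1041): avc:  denied  { write } for  pid=26587 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=22979 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1416388964.261:1042): avc:  denied  { remove_name } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" dev="tmpfs" ino=52653 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1416388964.261:1043): avc:  denied  { unlink } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" dev="tmpfs" ino=52653 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1416388964.261:1044): avc:  denied  { add_name } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1416388964.261:1045): avc:  denied  { create } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file permissive=1
"""

# One AVC record: the denied permission set, then source/target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(line):
    """Fields of one AVC denial, or None for other audit lines. The type is the
    third field of a context (user:role:type[:range]), so MLS ranges do not matter."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"perms": m["perms"].split(), "tclass": m["tclass"],
            "stype": m["scontext"].split(":")[2],
            "ttype": m["tcontext"].split(":")[2],
            "enforced": m["permissive"] == "0"}


def allow_rules(log_text):
    """Merge denials into one allow rule per (source type, target type, class),
    the grouping audit2allow performs (permissions are emitted sorted here)."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def enforced_denials(log_text):
    """Only records with permissive=0 actually blocked openvpn. In enforcing mode
    the syscall fails at the first denied check, so one run logs one denial; the
    later write/create steps never happen and only show up in permissive mode."""
    return [r for r in map(parse_avc, log_text.splitlines()) if r and r["enforced"]]
```

The rules this emits for the sample are the same two `allow` statements audit2allow printed in comment 8 plus `search` from the original report; the open question the bug settles is whether such rules belong in a local module or, as happened here, in the distribution policy.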

Comment 9 Lukas Vrabec 2014-11-19 13:51:01 UTC

*** This bug has been marked as a duplicate of bug 1165110 ***