Description of problem:
I use OpenVPN, and I have configured my client to update /etc/resolv.conf upon establishing an OpenVPN connection.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.2-44.fc29.noarch
openvpn-2.4.6-3.fc29.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Copy /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.{up,down} to /etc/openvpn/client and set the scripts as executable.
2. Configure OpenVPN, including the following statements:

up /etc/openvpn/client/client.up
down /etc/openvpn/client/client.down

These scripts use resolvconf to manipulate the DNS server used by the computer's resolvers.

3. Start the OpenVPN client service

Actual results:
OpenVPN runs as:

system_u:system_r:openvpn_t:s0

Logs:

[...]
Failed to set DNS configuration: Access denied

If I run "setenforce 0", then the computer logs the following:

Dec 19 08:11:31 imp.flyn.org audit[4570]: AVC avc: denied { read } for pid=4570 comm="resolvconf" name="environ" dev="proc" ino=34 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
Dec 19 08:11:31 imp.flyn.org audit[4570]: AVC avc: denied { open } for pid=4570 comm="resolvconf" path="/proc/1/environ" dev="proc" ino=34 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
Dec 19 08:11:31 imp.flyn.org audit[4570]: AVC avc: denied { getattr } for pid=4570 comm="resolvconf" path="/proc/1/sched" dev="proc" ino=35 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
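Added example (not part of the original report and not selinux-policy code): a small Python parser that groups the AVC denials quoted in the description by source type, target type and object class, and renders the raw allow rule they add up to. The function names are hypothetical, and the sample records are the three from the report with the journal timestamp and hostname trimmed.

```python
import re
from collections import defaultdict

# The three AVC records from the report (journal timestamp/hostname trimmed).
SAMPLE_LOG = """\
audit[4570]: AVC avc: denied { read } for pid=4570 comm="resolvconf" name="environ" dev="proc" ino=34 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
audit[4570]: AVC avc: denied { open } for pid=4570 comm="resolvconf" path="/proc/1/environ" dev="proc" ino=34 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
audit[4570]: AVC avc: denied { getattr } for pid=4570 comm="resolvconf" path="/proc/1/sched" dev="proc" ino=35 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(context):
    """SELinux contexts are user:role:type:level; the type is the third field."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def summarize(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
        if src and tgt:
            rules[(src, tgt, rec["tclass"])].update(rec["perms"])
    return dict(rules)

def to_allow_rules(rules):
    """Render each group as a raw allow rule, permissions sorted for stable output."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(to_allow_rules(summarize(SAMPLE_LOG))))
```

All three denials collapse into a single rule for openvpn_t reading init_t files under /proc/1, the access that the policy change recorded later in this bug grants in the shipped policy.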
See also bug #1381413.
commit f3162415a28e558896b0ffeb702b8f46d12665ef (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jan 10 17:43:45 2019 +0100

    Allow openvpn_t domain to read systemd state BZ(1661065)
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.