Description of problem: I am using the app /usr/sbin/resolvconf (from the package openresolve: https://roy.marples.name/projects/openresolv) to prevent DNS-leaking with OpenVPN on Linux Fedora29. However SElinux deny read/write on some directories and DNS-leaking occures. Here is openvpn log: [ahmed@localhost ~]$ systemctl status openvpn-client@sky -l ● openvpn-client - OpenVPN tunnel for sky Loaded: loaded (/usr/lib/systemd/system/openvpn-client@.service; disabled; vendor preset: disabled) Active: active (running) since Fri 2019-01-18 22:10:38 EET; 33min ago Docs: man:openvpn(8) https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage https://community.openvpn.net/openvpn/wiki/HOWTO Main PID: 4670 (openvpn) Status: "Initialization Sequence Completed" Tasks: 1 (limit: 4404) Memory: 3.8M CGroup: /system.slice/system-openvpn\x2dclient.slice/openvpn-client └─4670 /usr/sbin/openvpn --suppress-timestamps --nobind --config sky.conf янв 18 22:10:41 localhost.localdomain openvpn[4670]: /sbin/ip addr add dev tun0 192.168.17.4/24 broadcast 192.168.17.255 янв 18 22:10:41 localhost.localdomain openvpn[4670]: /etc/openvpn/update-resolv-conf.sh tun0 1500 1554 192.168.17.4 255.255.255.0 init янв 18 22:10:41 localhost.localdomain openvpn[4670]: dhcp-option DNS 208.67.220.222 янв 18 22:10:41 localhost.localdomain openvpn[4670]: dhcp-option DNS 208.67.222.220 янв 18 22:10:41 localhost.localdomain openvpn[4670]: Cannot write to /run/resolvconf/lock янв 18 22:10:41 localhost.localdomain openvpn[4670]: /sbin/ip route add 127.0.0.1/32 via 192.168.1.1 янв 18 22:10:41 localhost.localdomain openvpn[4670]: /sbin/ip route add 0.0.0.0/1 via 192.168.17.1 янв 18 22:10:41 localhost.localdomain openvpn[4670]: /sbin/ip route add 128.0.0.0/1 via 192.168.17.1 янв 18 22:10:41 localhost.localdomain openvpn[4670]: /sbin/ip route add 185.159.131.116/32 via 192.168.1.1 янв 18 22:10:41 localhost.localdomain openvpn[4670]: Initialization Sequence Completed And here is script update-resolv-conf.sh working with openresolve: ## RESOLVCONF=/usr/sbin/resolvconf export PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin RESOLVCONF=$(type -p resolvconf) case $script_type in up) for optionname in ${!foreign_option_*} ; do option="${!optionname}" echo $option part1=$(echo "$option" | cut -d " " -f 1) if [ "$part1" == "dhcp-option" ] ; then part2=$(echo "$option" | cut -d " " -f 2) part3=$(echo "$option" | cut -d " " -f 3) if [ "$part2" == "DNS" ] ; then IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3" fi if [[ "$part2" == "DOMAIN" || "$part2" == "DOMAIN-SEARCH" ]] ; then IF_DNS_SEARCH="$IF_DNS_SEARCH $part3" fi fi done R="" if [ "$IF_DNS_SEARCH" ]; then R="search " for DS in $IF_DNS_SEARCH ; do R="${R} $DS" done R="${R} " fi for NS in $IF_DNS_NAMESERVERS ; do R="${R}nameserver $NS " done #echo -n "$R" | $RESOLVCONF -x -p -a "${dev}" echo -n "$R" | $RESOLVCONF -x -a "${dev}.inet" ;; down) $RESOLVCONF -d "${dev}.inet" ;; esac # Workaround / jm # force exit with no errors. Due to an apparent conflict with the Network Manager # $RESOLVCONF sometimes exits with error code 6 even though it has performed the # action correctly and OpenVPN shuts down. exit 0 SELinux is preventing resolvconf from 'write' accesses on the каталог resolvconf. ***** Plugin catchall (100. confidence) suggests ************************** Если вы считаете, что resolvconf должно быть разрешено write доступ к resolvconf directory по умолчанию. Then рекомендуется создать отчет об ошибке. Чтобы разрешить доступ, можно создать локальный модуль политики. Do разрешить этот доступ сейчас, выполнив: # ausearch -c 'resolvconf'--raw | audit2allow -M my-resolvconf # semodule -X 300 -i my-resolvconf.pp Additional Information: Source Context system_u:system_r:openvpn_t:s0 Target Context system_u:object_r:vpnc_var_run_t:s0 Target Objects resolvconf [ dir ] Source resolvconf Source Path resolvconf Port <Неизвестно> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-47.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.19.15-300.fc29.x86_64 #1 SMP Mon Jan 14 16:32:35 UTC 2019 x86_64 x86_64 Alert Count 1 First Seen 2019-01-18 22:10:41 EET Last Seen 2019-01-18 22:10:41 EET Local ID 66ef3809-cb33-4ab3-ba0d-b4300802870f Raw Audit Messages type=AVC msg=audit(1547842241.228:311): avc: denied { write } for pid=4732 comm="resolvconf" name="resolvconf" dev="tmpfs" ino=37655 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:vpnc_var_run_t:s0 tclass=dir permissive=0 Hash: resolvconf,openvpn_t,vpnc_var_run_t,dir,write Version-Release number of selected component: selinux-policy-3.14.2-47.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.9.7 hashmarkername: setroubleshoot kernel: 4.19.15-300.fc29.x86_64 type: libreport
*** Bug 1667284 has been marked as a duplicate of this bug. ***
Description of problem: Openresolve error Version-Release number of selected component: selinux-policy-3.14.2-47.fc29.noarch Additional info: reporter: libreport-2.9.7 hashmarkername: setroubleshoot kernel: 4.19.15-300.fc29.x86_64 type: libreport
commit 00357ee6b30abe3af9c97164467837ea4d246042 (HEAD -> rawhide) Author: Lukas Vrabec <lvrabec> Date: Tue Jan 22 18:23:18 2019 +0100 Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)
selinux-policy-3.14.2-49.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7c13db036c
selinux-policy-3.14.2-49.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7c13db036c
selinux-policy-3.14.2-49.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.