Starting openvpn from Extras during boot results in this message:

Mar 30 00:05:19 viper kernel: audit(1143666312.661:3): avc: denied { read write } for pid=1905 comm="ip" name="[5927]" dev=sockfs ino=5927 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket

This is a simple host-to-host openvpn configuration using tun. Maybe it doesn't have anything to do with openvpn per se, but rather with something upping the tun0 interface? Note: I'm running in permissive mode so I can't tell whether or what this would actually break.
Ville, sorry about not getting back to you sooner, but somehow this got lost in the Bugzilla world. I am adding openvpn policy to Rawhide. If everything looks alright, I will update this to FC5 in about a week. If you could try the rawhide policy that would be great.
Sure, ping me in this bug and I'll give it a go, assuming it can be safely tested on a FC5 box; I don't have a Rawhide one available at the moment.
openvpn has been in there for a while now.
Here's the batch of AVCs I get when starting openvpn-2.1-0.10.beta14.fc5 with selinux-policy-targeted-2.2.43-4.fc5 (OpenVPN fails to start):

type=AVC msg=audit(1150559282.303:120): avc: denied { read write } for pid=5723 comm="openvpn" name="2" dev=devpts ino=4 scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1150559282.303:120): avc: denied { read write } for pid=5723 comm="openvpn" name="2" dev=devpts ino=4 scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1150559282.303:120): avc: denied { read write } for pid=5723 comm="openvpn" name="2" dev=devpts ino=4 scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1150559282.303:120): avc: denied { read write } for pid=5723 comm="openvpn" name="2" dev=devpts ino=4 scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1150559282.303:120): arch=40000003 syscall=11 success=yes exit=0 a0=824e0e8 a1=823abf8 a2=824e648 a3=824e480 items=2 pid=5723 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="openvpn" exe="/usr/sbin/openvpn"
type=AVC_PATH msg=audit(1150559282.303:120): path="/dev/pts/2"
type=AVC_PATH msg=audit(1150559282.303:120): path="/dev/pts/2"
type=AVC_PATH msg=audit(1150559282.303:120): path="/dev/pts/2"
type=CWD msg=audit(1150559282.303:120): cwd="/etc/openvpn"
type=PATH msg=audit(1150559282.303:120): item=0 name="/usr/sbin/openvpn" flags=101 inode=2311053 dev=09:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150559282.303:120): item=1 flags=101 inode=1540237 dev=09:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150559282.307:121): avc: denied { search } for pid=5723 comm="openvpn" scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1150559282.307:121): arch=40000003 syscall=149 success=no exit=-1 a0=bfb04300 a1=abcff4 a2=c33e00 a3=bfb042f8 items=0 pid=5723 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="openvpn" exe="/usr/sbin/openvpn"
type=AVC msg=audit(1150559282.307:122): avc: denied { search } for pid=5723 comm="openvpn" name="kernel" dev=proc ino=-268435418 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1150559282.307:122): arch=40000003 syscall=5 success=no exit=-13 a0=c30020 a1=0 a2=bfb04360 a3=b7ee68cc items=1 pid=5723 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="openvpn" exe="/usr/sbin/openvpn"
type=CWD msg=audit(1150559282.307:122): cwd="/etc/openvpn"
type=PATH msg=audit(1150559282.307:122): item=0 name="/proc/sys/kernel/version" flags=101
type=AVC msg=audit(1150559282.315:123): avc: denied { write } for pid=5723 comm="openvpn" name="openvpn-status.log" dev=md1 ino=853557 scontext=user_u:system_r:openvpn_t:s0 tcontext=root:object_r:openvpn_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1150559282.315:123): arch=40000003 syscall=5 success=no exit=-13 a0=85cbfe4 a1=241 a2=180 a3=85cbf01 items=1 pid=5723 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="openvpn" exe="/usr/sbin/openvpn"
type=CWD msg=audit(1150559282.315:123): cwd="/etc/openvpn"
type=PATH msg=audit(1150559282.315:123): item=0 name="openvpn-status.log" flags=310 inode=854004 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150559282.315:124): avc: denied { write } for pid=5723 comm="openvpn" name="ipp.txt" dev=md1 ino=854194 scontext=user_u:system_r:openvpn_t:s0 tcontext=root:object_r:openvpn_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1150559282.315:124): arch=40000003 syscall=5 success=no exit=-13 a0=85cbedc a1=42 a2=180 a3=85cbe01 items=1 pid=5723 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="openvpn" exe="/usr/sbin/openvpn"
type=CWD msg=audit(1150559282.315:124): cwd="/etc/openvpn"
type=PATH msg=audit(1150559282.315:124): item=0 name="ipp.txt" flags=310 inode=854004 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150559282.467:125): avc: denied { name_bind } for pid=5723 comm="openvpn" src=9702 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1150559282.467:125): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfb031e0 a2=85cb558 a3=1 items=0 pid=5723 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="openvpn" exe="/usr/sbin/openvpn"
type=SOCKADDR msg=audit(1150559282.467:125): saddr=020025E6000000000000000000000000
type=SOCKETCALL msg=audit(1150559282.467:125): nargs=3 a0=4 a1=bfb04274 a2=10
I have a couple of questions. Why is openvpn trying to write a name="openvpn-status.log" log file to /etc/openvpn? It is also trying to write ipp.txt there? Is this some kind of configuration file? Finally, openvpn is trying to listen on port 9702 for incoming udp packets. Does openvpn always listen on this port or does it grab these ports randomly?
(In reply to comment #7)
> I have a couple of questions. Why is openvpn trying to write a
> name="openvpn-status.log" log file to /etc/openvpn?
>
> It is also trying to write ipp.txt there? Is this some kind of configuration file?

Those must both be local configuration issues.

> Finally openvpn is trying to listen on port 9702 for incoming udp packets. Does
> openvpn always listen on this port or does it grab these ports randomly?

The canonical openvpn port is 1194. Unfortunately, if someone is running multiple openvpn connections, the local port needs some flexibility. (By default it also uses 1194 for the local port, but it can also be specified with --lport. It can also be random with --float and --nobind.)
Created attachment 131145: OpenVPN config

My OpenVPN configuration.
(In reply to comment #7)
> I have a couple of questions. Why is openvpn trying to write a
> name="openvpn-status.log" log file to /etc/openvpn?

No idea.

> It is also trying to write ipp.txt there? Is this some kind of configuration file?

Again, no idea. I've attached my config.

> Finally openvpn is trying to listen on port 9702 for incoming udp packets. Does
> openvpn always listen on this port or does it grab these ports randomly?

I use a non-standard, randomly selected UDP port. Since UDP port scans are so slow, it's pretty stealthy.
(In reply to comment #7)
> I have a couple of questions. Why is openvpn trying to write a
> name="openvpn-status.log" log file to /etc/openvpn?

That is caused by this:

status openvpn-status.log

> It is also trying to write ipp.txt there? Is this some kind of configuration file?

That is caused by this:

ifconfig-pool-persist ipp.txt

Putting both of those files in /var/run/openvpn/ would probably help.
(In reply to comment #10)
> I use a non-standard, randomly selected UDP port. Since UDP port scans are
> so slow, it's pretty stealthy.

I could be wrong about this, but I thought OpenVPN would only answer if it received a valid connection request. If that's true, then there should be no loss of security by running it on a standard port. I could be wrong about that though, so I would suggest verifying that on the openvpn lists.
To add port 9702 you can execute the following:

semanage port -a -t openvpn_port_t -p udp 9702

Steven, is that a bug in openvpn, that those files are written to /etc/openvpn, or is it something in the configuration?

Dan
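As an added example (not from this bug thread, the openvpn project or the Fedora policy), here is a small Python triage of the AVC denial patterns quoted in this bug, mapping each to the fix the thread arrived at: port labelling for name_bind on port_t, config-path changes for writes into openvpn_etc_t, and a policy update for the netlink_route_socket denial. The sample records are copied from the thread; the hint strings and category names are my own.

```python
import re

# Constructed sample: AVC records copied from this bug, not a live audit log.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1150559282.315:123): avc: denied { write } for pid=5723 '
    'comm="openvpn" name="openvpn-status.log" dev=md1 ino=853557 '
    'scontext=user_u:system_r:openvpn_t:s0 tcontext=root:object_r:openvpn_etc_t:s0 tclass=file',
    'type=AVC msg=audit(1150559282.467:125): avc: denied { name_bind } for pid=5723 '
    'comm="openvpn" src=9702 scontext=user_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=udp_socket',
    'audit(1155153040.167:8): avc: denied { nlmsg_write } for pid=5182 comm="ip" '
    'scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:system_r:openvpn_t:s0 '
    'tclass=netlink_route_socket',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # The type is the third component of a context (user:role:type:level).
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(rec):
    """Map an openvpn_t denial to the remediation this thread settled on for that pattern."""
    perms, tclass = rec["perms"], rec["tclass"]
    if rec["stype"] != "openvpn_t":
        return "not an openvpn_t denial"
    if "name_bind" in perms and tclass == "udp_socket" and rec["ttype"] == "port_t":
        # Non-default listening port: label the port instead of loosening the domain.
        return "unlabelled port: semanage port -a -t openvpn_port_t -p udp %s" % rec["src"]
    if "write" in perms and rec["ttype"] == "openvpn_etc_t":
        # Relative paths in the config resolve under /etc/openvpn; point them elsewhere.
        return "config writes %s into /etc/openvpn: use an absolute path under /var/run/openvpn" % rec["name"]
    if "nlmsg_write" in perms and tclass == "netlink_route_socket" and rec["comm"] == "ip":
        # Policy gap rather than a configuration problem (fixed in selinux-policy-2.3.6-3.fc5).
        return "policy gap: openvpn_t cannot drive /sbin/ip over netlink; update selinux-policy"
    return "unclassified: review with audit2allow before granting anything"


def triage_lines(lines):
    """Triage every AVC record in an iterable of log lines; lines without a denial are skipped."""
    return [(r["comm"], triage(r)) for r in map(parse_avc, lines) if r]


if __name__ == "__main__":
    for comm, advice in triage_lines(SAMPLE_AVCS):
        print("%-8s %s" % (comm, advice))
```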
(In reply to comment #13)
> Steven, is that a bug in openvpn, that those files are written to /etc/openvpn
> or is it something in the configuration?

That's completely a local configuration issue. The Extras openvpn package doesn't include any configuration files, just samples. (At most, I may need to review the samples a bit.) If giving an absolute path (instead of the default, a relative path under /etc/openvpn) works, then I would say this is NOTABUG.
(In reply to comment #14)
> If giving an absolute path (instead of the default, a relative path under
> /etc/openvpn) works, then I would say this is NOTABUG.

If those entries are still in the sample configs, then I'd say it would at least be friendly to change them. :-)

Those changes, plus changing the context of my chosen UDP port, seem to have addressed any SELinux issues with my OpenVPN config. Unfortunately, it's now causing a kernel oops which makes the system unusable! (And I simply don't have time to investigate this right now.)
Steven, why does it default to writing to /etc/openvpn instead of /var/run/openvpn? If the default changed to write to /var/run/openvpn SELinux would handle it with no problem. Seems strange for a daemon to be writing to its configuration directory.
(In reply to comment #16)
> Steven, why does it default to writing to /etc/openvpn instead of
> /var/run/openvpn? If the default changed to write to /var/run/openvpn SELinux
> would handle it with no problem.

All paths in the configuration file are relative to /etc/openvpn. I think that is fairly well documented.

> Seems strange for a daemon to be writing to its configuration directory.

As a rule, openvpn doesn't write anything. I think the real problem here is some bogus configuration file examples. I'll try to fix that in the next release. (I've opened bug #196564 as a reminder.)
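As an added example (not code from this bug thread or the openvpn project), the following Python resolves the path-taking directives of an openvpn config the way the initscript's --cd /etc/openvpn makes openvpn resolve them, flags the ones that would make the daemon write into its own config directory, and rewrites those to absolute paths under /var/run/openvpn as suggested above. The directive table and the sample config (the host-to-host config from this bug plus the two sample-config lines that caused the write denials) are assumptions of mine.

```python
import posixpath

# Path-taking directives and whether openvpn writes the file (True) or only reads it.
PATH_DIRECTIVES = {
    "status": True, "ifconfig-pool-persist": True, "log": True, "log-append": True,
    "writepid": True, "secret": False, "ca": False, "cert": False, "key": False,
    "dh": False, "tls-auth": False,
}
CONFIG_DIR = "/etc/openvpn"      # the initscript runs openvpn with --cd /etc/openvpn
RUNTIME_DIR = "/var/run/openvpn"

# Constructed sample: the thread's tun config plus the status/ipp lines that were denied.
SAMPLE_CONFIG = """\
remote 192.168.2.4
dev tun
ifconfig 192.168.10.2 192.168.10.1
secret /etc/openvpn/home.key
#cipher AES-256-CBC
status openvpn-status.log
ifconfig-pool-persist ipp.txt
user openvpn
group openvpn
"""


def resolve_paths(config_text, cd=CONFIG_DIR):
    """Return (directive, resolved_path, is_written) for every path-taking directive."""
    found = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()        # strip comments, tokenize
        if len(parts) > 1 and parts[0] in PATH_DIRECTIVES:
            # A relative argument is resolved against the --cd directory, as openvpn does.
            path = posixpath.normpath(posixpath.join(cd, parts[1]))
            found.append((parts[0], path, PATH_DIRECTIVES[parts[0]]))
    return found


def config_dir_writes(config_text, cd=CONFIG_DIR):
    """Directives that make the daemon write inside its config directory (openvpn_etc_t)."""
    return [(d, p) for d, p, w in resolve_paths(config_text, cd) if w and p.startswith(cd + "/")]


def relocate_writes(config_text, cd=CONFIG_DIR, runtime_dir=RUNTIME_DIR):
    """Rewrite offending directives to absolute paths under runtime_dir; keep other lines verbatim."""
    fixed = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) > 1 and PATH_DIRECTIVES.get(parts[0]):
            path = posixpath.normpath(posixpath.join(cd, parts[1]))
            if path.startswith(cd + "/"):
                parts[1] = posixpath.join(runtime_dir, posixpath.basename(path))
                fixed.append(" ".join(parts))
                continue
        fixed.append(raw)
    return "\n".join(fixed) + "\n"
```

The openvpn user that the config drops to must of course be able to write /var/run/openvpn, which this checker does not verify.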
*** Bug 199069 has been marked as a duplicate of this bug. ***
I'm going to have to reopen this bug, because openvpn and the selinux policy certainly don't seem to be playing together. See bug 199069, which was closed as a dupe although it has different avc denied messages than earlier in this bug, and in fact those are pretty much the same I receive. Will attach logs in a jiffy; in the meantime, here's my config:

#local 192.168.2.5
remote 192.168.2.4
dev tun
ifconfig 192.168.10.2 192.168.10.1
secret /etc/openvpn/home.key
#cipher AES-256-CBC
user openvpn
group openvpn
Created attachment 132570: Errors from /var/log/messages

Here are the error messages I get using the config in the previous comment. The attached file has two parts. The first contains the messages I get on boot when selinux is enforcing and starting openvpn fails. The latter contains messages resulting from after bootup, doing setenforce 0 and restarting openvpn.
Created attachment 133882: Openvpn client configuration
I am also running into problems with openvpn and selinux. Even on a basic configuration I get the message:

audit(1155153040.167:8): avc: denied { nlmsg_write } for pid=5182 comm="ip" scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:system_r:openvpn_t:s0 tclass=netlink_route_socket

All other messages in the thread above can be solved by moving the log files to /var/log and the keys to a subdir of /etc/openvpn. However, this last avc denied message keeps openvpn from working using the latest targeted policy. Also tested on fc6test2 -> same behaviour. Note that in the fc5 original install from iso this configuration works!
Fixed in selinux-policy-2.3.6-3.fc5
selinux-policy-2.3.6-3 is working for me on fc5 as well as fc6test2. Thanks !
If I start openvpn using the initscript or service, it fails, leaving behind this log:

Aug 18 01:23:19 satchmo openvpn[17682]: /sbin/ip link set dev tun0 up mtu 1500
Aug 18 01:23:19 satchmo openvpn[17682]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Aug 18 01:23:19 satchmo kernel: audit(1155856999.062:27): avc: denied { nlmsg_write } for pid=17686 comm="ip" scontext=root:system_r:openvpn_t:s0 tcontext=root:system_r:openvpn_t:s0 tclass=netlink_route_socket
Aug 18 01:23:19 satchmo openvpn[17682]: Linux ip addr add failed: shell command exited with error status: 2
Aug 18 01:23:19 satchmo openvpn[17682]: Exiting
[root@satchmo openvpn]# /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn

If I start it directly it works:

[root@satchmo openvpn]# /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn

And this is the log:

Aug 18 01:24:23 satchmo openvpn[17701]: /sbin/ip link set dev tun0 up mtu 1500
Aug 18 01:24:23 satchmo openvpn[17701]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Aug 18 01:24:23 satchmo openvpn[17701]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Aug 18 01:24:23 satchmo openvpn[17701]: Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Aug 18 01:24:23 satchmo openvpn[17707]: GID set to openvpn
Aug 18 01:24:23 satchmo openvpn[17707]: UID set to openvpn
Aug 18 01:24:23 satchmo openvpn[17707]: Socket Buffers: R=[124928->131072] S=[124928->131072]
Aug 18 01:24:23 satchmo openvpn[17707]: UDPv4 link local (bound): [undef]:1194
Aug 18 01:24:23 satchmo openvpn[17707]: UDPv4 link remote: [undef]
Aug 18 01:24:23 satchmo openvpn[17707]: MULTI: multi_init called, r=256 v=256
Aug 18 01:24:23 satchmo openvpn[17707]: IFCONFIG POOL: base=10.8.0.4 size=63
Aug 18 01:24:23 satchmo openvpn[17707]: Initialization Sequence Completed

I've checked and rechecked permissions but I cannot find a reason for it.
If you start it directly it runs under unconfined_t, which gives you no protection. If you run it with the init script it transitions to the locked down domain and it is locked down. The latest policy should fix your problem.
I run selinux-policy-2.3.3-8.fc5 and selinux-policy-targeted.noarch 2.3.3-8.fc5, supposedly the latest, but it still fails. I've even rebooted the machine to make sure. I copy again the logs:

Aug 18 16:34:28 satchmo openvpn[2648]: OpenVPN 2.1_beta14 x86_64-redhat-linux-gnu [SSL] [LZO1] [EPOLL] built on Apr 14 2006
Aug 18 16:34:28 satchmo openvpn[2648]: Diffie-Hellman initialized with 1024 bit key
Aug 18 16:34:28 satchmo openvpn[2648]: TLS-Auth MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Aug 18 16:34:28 satchmo openvpn[2648]: TUN/TAP device tun0 opened
Aug 18 16:34:28 satchmo openvpn[2648]: TUN/TAP TX queue length set to 100
Aug 18 16:34:28 satchmo openvpn[2648]: /sbin/ip link set dev tun0 up mtu 1500
Aug 18 16:34:28 satchmo openvpn[2648]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Aug 18 16:34:28 satchmo kernel: audit(1155911668.346:4): avc: denied { nlmsg_write } for pid=2654 comm="ip" scontext=root:system_r:openvpn_t:s0 tcontext=root:system_r:openvpn_t:s0 tclass=netlink_route_socket
Aug 18 16:34:28 satchmo openvpn[2648]: Linux ip addr add failed: shell command exited with error status: 2
Aug 18 16:34:28 satchmo openvpn[2648]: Exiting

Any idea of what it could be? This is a just installed FC5 x86_64.
After rotating the logs, I get this from selinux audit:

--------------------- Selinux Audit Begin ------------------------
*** Denials ***
root root (netlink_route_socket): 16 times

**Unmatched Entries**
audit(1155911425.524:28): user pid=1942 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: 5 AV entries and 4/512 buckets used, longest chain length 2
audit(1155911579.368:2): enforcing=1 old_enforcing=0 auid=4294967295
audit(1155911579.588:3): policy loaded auid=4294967295
---------------------- Selinux Audit End -------------------------
I've searched for a newer selinux-policy in testing, but there wasn't any update there; then I tried development, but I'd pull in unwanted (for me) dependencies, like glibc. Are there any plans to release an update on "testing"? I volunteer to try it. For the record, these are the dependencies:

=============================================================================
 Package                  Arch     Version     Repository    Size
=============================================================================
Updating:
 selinux-policy           noarch   2.3.7-1     development   299 k
Updating for dependencies:
 glibc                    i686     2.4.90-22   development   5.1 M
 glibc                    x86_64   2.4.90-22   development   4.6 M
 glibc-common             x86_64   2.4.90-22   development    16 M
 glibc-devel              x86_64   2.4.90-22   development   2.4 M
 glibc-headers            x86_64   2.4.90-22   development   588 k
 glibc-utils              x86_64   2.4.90-22   development   114 k
 libsemanage              x86_64   1.6.15-1    development   137 k
 libsepol                 x86_64   1.12.24-1   development   145 k
 policycoreutils          x86_64   1.30.26-1   development   414 k
 selinux-policy-mls       noarch   2.3.7-1     development   816 k
 selinux-policy-strict    noarch   2.3.7-1     development   1.3 M
 selinux-policy-targeted  noarch   2.3.7-1     development   654 k
It should be there soon.
Installed and booted without selinux problems. I'll test it and update the bug if I find any problems, hopefully not. Thanks.
Haven't seen these messages in a while, assuming fixed.