Bug 187305 - avc denied messages when starting openvpn
avc denied messages when starting openvpn
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
5
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
: Reopened
: 199069 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-03-29 16:07 EST by Ville Skyttä
Modified: 2007-11-30 17:11 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-12-26 06:22:10 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
OpenVPN config (9.70 KB, text/plain)
2006-06-19 13:02 EDT, Ian Pilcher
no flags Details
Errors from /var/log/messages (5.10 KB, text/plain)
2006-07-17 15:11 EDT, Ville Skyttä
no flags Details
Openvpn client configuration (3.35 KB, text/plain)
2006-08-09 16:18 EDT, Maurice Pijpers
no flags Details

  None (edit)
Description Ville Skyttä 2006-03-29 16:07:36 EST
Starting openvpn from Extras during boot results in this message:

Mar 30 00:05:19 viper kernel: audit(1143666312.661:3): avc:  denied  { read
write } for  pid=1905 comm="ip" name="[5927]" dev=sockfs ino=5927
scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=udp_socket

This is a simple host-to-host openvpn configuration using tun.  Maybe it doesn't
have anything to do with openvpn per se, but rather with something upping the
tun0 interface?

Note: I'm running in permissive mode so can't tell whether or what this would
actually break.
Comment 3 Daniel Walsh 2006-05-09 12:24:57 EDT
Ville, sorry about not getting back to you sooner, but somehow this got lost in
the Bugzilla world.  I am adding openvpn policy to Rawhide.  If everything looks
alright, I will update this to FC5 in about a week.  If you could try the
rawhide policy that would be great.
Comment 4 Ville Skyttä 2006-05-09 16:33:17 EDT
Sure, ping me in this bug and I'll give it a go, assuming it can be safely
tested on a FC5 box; I don't have a Rawhide one available at the moment.
Comment 5 Daniel Walsh 2006-06-15 16:33:14 EDT
openvpn has been in there for a while now.
Comment 6 Ian Pilcher 2006-06-17 11:42:48 EDT
Here's the batch of AVCs I get when starting openvpn-2.1-0.10.beta14.fc5 with
selinux-policy-targeted-2.2.43-4.fc5 (OpenVPN fails to start):

type=AVC msg=audit(1150559282.303:120): avc:  denied  { read write } for 
pid=5723 comm="openvpn" name="2" dev=devpts ino=4
scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:object_r:devpts_t:s0
tclass=chr_file
type=AVC msg=audit(1150559282.303:120): avc:  denied  { read write } for 
pid=5723 comm="openvpn" name="2" dev=devpts ino=4
scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:object_r:devpts_t:s0
tclass=chr_file
type=AVC msg=audit(1150559282.303:120): avc:  denied  { read write } for 
pid=5723 comm="openvpn" name="2" dev=devpts ino=4
scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:object_r:devpts_t:s0
tclass=chr_file
type=AVC msg=audit(1150559282.303:120): avc:  denied  { read write } for 
pid=5723 comm="openvpn" name="2" dev=devpts ino=4
scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:object_r:devpts_t:s0
tclass=chr_file
type=SYSCALL msg=audit(1150559282.303:120): arch=40000003 syscall=11 success=yes
exit=0 a0=824e0e8 a1=823abf8 a2=824e648 a3=824e480 items=2 pid=5723 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="openvpn"
exe="/usr/sbin/openvpn"
type=AVC_PATH msg=audit(1150559282.303:120):  path="/dev/pts/2"
type=AVC_PATH msg=audit(1150559282.303:120):  path="/dev/pts/2"
type=AVC_PATH msg=audit(1150559282.303:120):  path="/dev/pts/2"
type=CWD msg=audit(1150559282.303:120):  cwd="/etc/openvpn"
type=PATH msg=audit(1150559282.303:120): item=0 name="/usr/sbin/openvpn"
flags=101  inode=2311053 dev=09:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150559282.303:120): item=1 flags=101  inode=1540237
dev=09:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150559282.307:121): avc:  denied  { search } for  pid=5723
comm="openvpn" scontext=user_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1150559282.307:121): arch=40000003 syscall=149 success=no
exit=-1 a0=bfb04300 a1=abcff4 a2=c33e00 a3=bfb042f8 items=0 pid=5723 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="openvpn"
exe="/usr/sbin/openvpn"
type=AVC msg=audit(1150559282.307:122): avc:  denied  { search } for  pid=5723
comm="openvpn" name="kernel" dev=proc ino=-268435418
scontext=user_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1150559282.307:122): arch=40000003 syscall=5 success=no
exit=-13 a0=c30020 a1=0 a2=bfb04360 a3=b7ee68cc items=1 pid=5723 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="openvpn"
exe="/usr/sbin/openvpn"
type=CWD msg=audit(1150559282.307:122):  cwd="/etc/openvpn"
type=PATH msg=audit(1150559282.307:122): item=0 name="/proc/sys/kernel/version"
flags=101
type=AVC msg=audit(1150559282.315:123): avc:  denied  { write } for  pid=5723
comm="openvpn" name="openvpn-status.log" dev=md1 ino=853557
scontext=user_u:system_r:openvpn_t:s0 tcontext=root:object_r:openvpn_etc_t:s0
tclass=file
type=SYSCALL msg=audit(1150559282.315:123): arch=40000003 syscall=5 success=no
exit=-13 a0=85cbfe4 a1=241 a2=180 a3=85cbf01 items=1 pid=5723 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="openvpn"
exe="/usr/sbin/openvpn"
type=CWD msg=audit(1150559282.315:123):  cwd="/etc/openvpn"
type=PATH msg=audit(1150559282.315:123): item=0 name="openvpn-status.log"
flags=310  inode=854004 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150559282.315:124): avc:  denied  { write } for  pid=5723
comm="openvpn" name="ipp.txt" dev=md1 ino=854194
scontext=user_u:system_r:openvpn_t:s0 tcontext=root:object_r:openvpn_etc_t:s0
tclass=file
type=SYSCALL msg=audit(1150559282.315:124): arch=40000003 syscall=5 success=no
exit=-13 a0=85cbedc a1=42 a2=180 a3=85cbe01 items=1 pid=5723 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="openvpn"
exe="/usr/sbin/openvpn"
type=CWD msg=audit(1150559282.315:124):  cwd="/etc/openvpn"
type=PATH msg=audit(1150559282.315:124): item=0 name="ipp.txt" flags=310 
inode=854004 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150559282.467:125): avc:  denied  { name_bind } for 
pid=5723 comm="openvpn" src=9702 scontext=user_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1150559282.467:125): arch=40000003 syscall=102 success=no
exit=-13 a0=2 a1=bfb031e0 a2=85cb558 a3=1 items=0 pid=5723 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="openvpn" exe="/usr/sbin/openvpn"
type=SOCKADDR msg=audit(1150559282.467:125): saddr=020025E6000000000000000000000000
type=SOCKETCALL msg=audit(1150559282.467:125): nargs=3 a0=4 a1=bfb04274 a2=10
Comment 7 Daniel Walsh 2006-06-19 11:57:15 EDT
I hava a couple of questions.  Why is openvpn trying to write a
name="openvpn-status.log" log file to /etc/openvpn?

It is also trying to write ipp.txt there?  Is this some kind of configuration file?

Finally openvpn is trying to listen on port 9702 for incoming udp packets.  Does
openvpn always listen on this port or does it grab these ports randomly?

Comment 8 Steven Pritchard 2006-06-19 12:28:43 EDT
(In reply to comment #7)
> I hava a couple of questions.  Why is openvpn trying to write a
> name="openvpn-status.log" log file to /etc/openvpn?
> 
> It is also trying to write ipp.txt there?  Is this some kind of configuration
file?

Those must both be local configuration issues.

> Finally openvpn is trying to listen on port 9702 for incoming udp packets.  Does
> openvpn always listen on this port or does it grab these ports randomly?

The canonical openvpn port is 1194.  Unfortunately, if someone is running
multiple openvpn connections, the local port needs some flexibility.  (By
default it also uses 1194 for the local port, but it can also be specified with
--lport.  It can also be random with --float and --nobind.)
Comment 9 Ian Pilcher 2006-06-19 13:02:20 EDT
Created attachment 131145 [details]
OpenVPN config

My OpenVPN configuration.
Comment 10 Ian Pilcher 2006-06-19 13:04:13 EDT
(In reply to comment #7)
> I hava a couple of questions.  Why is openvpn trying to write a
> name="openvpn-status.log" log file to /etc/openvpn?

No idea.

> 
> It is also trying to write ipp.txt there?  Is this some kind of configuration
file?

Again, no idea.  I've attached my config.

> Finally openvpn is trying to listen on port 9702 for incoming udp packets.  Does
> openvpn always listen on this port or does it grab these ports randomly?

I use a non-standard, randomly selected UDP port.  Since UDP port scans are
so slow, it's pretty stealthy.
Comment 11 Steven Pritchard 2006-06-19 13:55:10 EDT
(In reply to comment #7)
> I hava a couple of questions.  Why is openvpn trying to write a
> name="openvpn-status.log" log file to /etc/openvpn?

That is caused by this:

  status openvpn-status.log

> It is also trying to write ipp.txt there?  Is this some kind of configuration
file?

That is caused by this:

  ifconfig-pool-persist ipp.txt

Putting both of those files in /var/run/openvpn/ would probably help.
Comment 12 Steven Pritchard 2006-06-19 13:57:32 EDT
(In reply to comment #10)
> I use a non-standard, randomly selected UDP port.  Since UDP port scans are
> so slow, it's pretty stealthy.

I could be wrong about this, but I thought OpenVPN would only answer if it
received a valid connection request.  If that's true, then there should be no
loss of security by running it on a standard port.

I could be wrong about that though, so I would suggest verifying that on the
openvpn lists.
Comment 13 Daniel Walsh 2006-06-19 14:14:18 EDT
TO add port 9702 port you can execute the following

semanage port -a -t openvpn_port_t -p udp 9702

Steven, is that a bug in openvpn, that those files are written to /etc/openvpn
or is it something in the configuration?

Dan
Comment 14 Steven Pritchard 2006-06-19 22:42:36 EDT
(In reply to comment #13)
> Steven, is that a bug in openvpn, that those files are written to /etc/openvpn
> or is it something in the configuration?

That's completely a local configuration issue.  The Extras openvpn package
doesn't include any configuration files, just samples.  (At most, I may need to
review the samples a bit.)

If giving an absolute path (instead of the default, a relative path under
/etc/openvpn) works, then I would say this is NOTABUG.
Comment 15 Ian Pilcher 2006-06-19 23:06:08 EDT
(In reply to comment #14)
> If giving an absolute path (instead of the default, a relative path under
> /etc/openvpn) works, then I would say this is NOTABUG.

If those entries are still in the sample configs, then I'd say it would at least
be friendly to change them.  :-)

Those changes, plus changing the context of my chosen UDP port seems to have
addressed any SELinux issues with my OpenVPN config.  Unfortunately, it's
now causing a kernel oops which makes me the system unusable!  (And I simply
don't have time to investigate this right now.)
Comment 16 Daniel Walsh 2006-06-21 20:53:23 EDT
Steven, why does it default to writing to /etc/openvpn instead of
/var/run/openvpn?  If the default changed to write to /var/run/openvpn SELinux
would handle it with no problem.

Seems strange for a daemon to be writing to its configuration directory.
Comment 17 Steven Pritchard 2006-06-24 17:15:33 EDT
(In reply to comment #16)
> Steven, why does it default to writing to /etc/openvpn instead of
> /var/run/openvpn?  If the default changed to write to /var/run/openvpn SELinux
> would handle it with no problem.

All paths in the configuration file are relative to /etc/openvpn.  I think that
is fairly well documented.

> Seems strange for a daemon to be writing to its configuration directory.

As a rule, openvpn doesn't write anything.  I think the real problem here is
some bogus configuration file examples.  I'll try to fix that in the next
release.  (I've opened bug #196564 as a reminder.)
Comment 18 Steven Pritchard 2006-07-17 14:42:15 EDT
*** Bug 199069 has been marked as a duplicate of this bug. ***
Comment 19 Ville Skyttä 2006-07-17 15:07:27 EDT
I'm going to have to reopen this bug, because openvpn and the selinux policy
certainly don't seem to be playing together.  See bug 199069 which was closed as
a dupe although it has different avc denied messages than earlier in this bug,
and in fact those are pretty much the same I receive.  Will attach logs in a
jiffy, in the meantime, here's my config:

#local 192.168.2.5
remote 192.168.2.4
dev tun
ifconfig 192.168.10.2 192.168.10.1
secret /etc/openvpn/home.key
#cipher AES-256-CBC
user openvpn
group openvpn
Comment 20 Ville Skyttä 2006-07-17 15:11:03 EDT
Created attachment 132570 [details]
Errors from /var/log/messages

Here are the error messages I get using the config in the previous comment.

The attached file has two parts.  The first contains the messages I get on boot
when selinux is enforcing and starting openvpn fails.  The latter contains
messages resulting from after bootup, doing setenforce 0 and restarting
openvpn.
Comment 21 Maurice Pijpers 2006-08-09 16:18:45 EDT
Created attachment 133882 [details]
Openvpn client configuration
Comment 22 Maurice Pijpers 2006-08-09 16:20:53 EDT
I am also running into problems with openvpn and selinux. Even on a basic
configuration I get the message:
audit(1155153040.167:8): avc:  denied  { nlmsg_write } for  pid=5182 comm="ip"
scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:system_r:openvpn_t:s0
tclass=netlink_route_socket
All other messages in the thread above can be solved by moving the log files to
/var/log and the keys to a subdir of /etc/openvpn. However this last avc message
denied keeps openvpn from working using the latest targeted policy. Also test on
fc6test2 -> Same behaviour.
Note that in the fc5 original install from iso this configuration works ! 
Comment 23 Daniel Walsh 2006-08-11 15:26:25 EDT
Fixed in  selinux-policy-2.3.6-3.fc5
Comment 24 Maurice Pijpers 2006-08-11 16:17:30 EDT
selinux-policy-2.3.6-3 is working for me on fc5 as well as fc6test2. Thanks !
Comment 25 Pau Aliagas 2006-08-17 19:29:47 EDT
If I start                                                                     
                                 openvpn using the initscript or service, it
fails leaving back this log:
Aug 18 01:23:19 satchmo openvpn[17682]: /sbin/ip link set dev tun0 up mtu 1500
Aug 18 01:23:19 satchmo openvpn[17682]: /sbin/ip addr add dev tun0 local
10.8.0.1 peer 10.8.0.2
Aug 18 01:23:19 satchmo kernel: audit(1155856999.062:27): avc:  denied  {
nlmsg_write } for  pid=17686 comm="ip" scontext=root:system_r:openvpn_t:s0
tcontext=root:system_r:openvpn_t:s0 tclass=netlink_route_socket
Aug 18 01:23:19 satchmo openvpn[17682]: Linux ip addr add failed: shell command
exited with error status: 2
Aug 18 01:23:19 satchmo openvpn[17682]: Exiting
[root@satchmo openvpn]# /usr/sbin/openvpn --daemon --writepid
/var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn

If I start it drectly it works:
[root@satchmo openvpn]# /usr/sbin/openvpn --daemon --writepid
/var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn

And this is the log:
Aug 18 01:24:23 satchmo openvpn[17701]: /sbin/ip link set dev tun0 up mtu 1500
Aug 18 01:24:23 satchmo openvpn[17701]: /sbin/ip addr add dev tun0 local
10.8.0.1 peer 10.8.0.2
Aug 18 01:24:23 satchmo openvpn[17701]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Aug 18 01:24:23 satchmo openvpn[17701]: Data Channel MTU parms [ L:1541 D:1450
EF:41 EB:4 ET:0 EL:0 ]
Aug 18 01:24:23 satchmo openvpn[17707]: GID set to openvpn
Aug 18 01:24:23 satchmo openvpn[17707]: UID set to openvpn
Aug 18 01:24:23 satchmo openvpn[17707]: Socket Buffers: R=[124928->131072]
S=[124928->131072]
Aug 18 01:24:23 satchmo openvpn[17707]: UDPv4 link local (bound): [undef]:1194
Aug 18 01:24:23 satchmo openvpn[17707]: UDPv4 link remote: [undef]
Aug 18 01:24:23 satchmo openvpn[17707]: MULTI: multi_init called, r=256 v=256
Aug 18 01:24:23 satchmo openvpn[17707]: IFCONFIG POOL: base=10.8.0.4 size=63
Aug 18 01:24:23 satchmo openvpn[17707]: Initialization Sequence Completed

I've checked and rechecked permisions but I cannot find a reason for it.
Comment 26 Daniel Walsh 2006-08-18 08:33:48 EDT
If you start it directly it runs under unconfined_t which gives you no
protection. if you run it with the init script it transitions to the locked down
domain and it  is locked down.  The latest policy should fix your problem.
Comment 27 Pau Aliagas 2006-08-18 10:29:29 EDT
I run selinux-policy-2.3.3-8.fc5 and selinux-policy-targeted.noarch 2.3.3-8.fc5,
supposedly the latest, but it still fails. I've even rebooted the machine to
make sure. I copy again the logs:

Aug 18 16:34:28 satchmo openvpn[2648]: OpenVPN 2.1_beta14
x86_64-redhat-linux-gnu [SSL] [LZO1] [EPOLL] built on Apr 14 2006
Aug 18 16:34:28 satchmo openvpn[2648]: Diffie-Hellman initialized with 1024 bit key
Aug 18 16:34:28 satchmo openvpn[2648]: TLS-Auth MTU parms [ L:1541 D:138 EF:38
EB:0 ET:0 EL:0 ]
Aug 18 16:34:28 satchmo openvpn[2648]: TUN/TAP device tun0 opened
Aug 18 16:34:28 satchmo openvpn[2648]: TUN/TAP TX queue length set to 100
Aug 18 16:34:28 satchmo openvpn[2648]: /sbin/ip link set dev tun0 up mtu 1500
Aug 18 16:34:28 satchmo openvpn[2648]: /sbin/ip addr add dev tun0 local 10.8.0.1
peer 10.8.0.2
Aug 18 16:34:28 satchmo kernel: audit(1155911668.346:4): avc:  denied  {
nlmsg_write } for  pid=2654 comm="ip" scontext=root:system_r:openvpn_t:s0
tcontext=root:system_r:openvpn_t:s0 tclass=netlink_route_socket
Aug 18 16:34:28 satchmo openvpn[2648]: Linux ip addr add failed: shell command
exited with error status: 2
Aug 18 16:34:28 satchmo openvpn[2648]: Exiting

Any idea of what could be? This is a just installed FC5 x86_64.
Comment 28 Pau Aliagas 2006-08-21 02:05:39 EDT
After rotating the logs, I get this from selinux audit:

 --------------------- Selinux Audit Begin ------------------------

 *** Denials ***
    root root (netlink_route_socket): 16 times
  **Unmatched Entries**
  audit(1155911425.524:28): user pid=1942 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0
msg='avc:  5 AV entries and 4/512 buckets used, longest chain length 2
  audit(1155911579.368:2): enforcing=1 old_enforcing=0 auid=4294967295
  audit(1155911579.588:3): policy loaded auid=4294967295

 ---------------------- Selinux Audit End -------------------------
Comment 29 Pau Aliagas 2006-08-21 15:06:56 EDT
I've searchd for a newer selinux-policy in testing, but there wasn't any update
there; then I tried development, but I'd pull unwanted -for me- dependencies,
like glibc.

Are there any plans to release an update on "testing", I volunteer to try it.

For the record, these are the dependencies:
=============================================================================
 Package                 Arch       Version          Repository        Size 
=============================================================================
Updating:
 selinux-policy          noarch     2.3.7-1          development       299 k
Updating for dependencies:
 glibc                   i686       2.4.90-22        development       5.1 M
 glibc                   x86_64     2.4.90-22        development       4.6 M
 glibc-common            x86_64     2.4.90-22        development        16 M
 glibc-devel             x86_64     2.4.90-22        development       2.4 M
 glibc-headers           x86_64     2.4.90-22        development       588 k
 glibc-utils             x86_64     2.4.90-22        development       114 k
 libsemanage             x86_64     1.6.15-1         development       137 k
 libsepol                x86_64     1.12.24-1        development       145 k
 policycoreutils         x86_64     1.30.26-1        development       414 k
 selinux-policy-mls      noarch     2.3.7-1          development       816 k
 selinux-policy-strict   noarch     2.3.7-1          development       1.3 M
 selinux-policy-targeted  noarch     2.3.7-1          development       654 k
Comment 30 Daniel Walsh 2006-08-22 10:11:45 EDT
It should be there soon.
Comment 31 Pau Aliagas 2006-08-23 17:43:09 EDT
Installed and booted without selinux problems. I'll test it and update the bug
if I find any problems, hopefully not.
Thanks
Comment 32 Ville Skyttä 2006-12-26 06:22:10 EST
Haven't seen these messages in a while, assuming fixed.

Note You need to log in before you can comment on or make changes to this bug.