Bug 2221507 - SELinux is preventing openconnect from read, write access on the chr_file vhost-net.
Summary: SELinux is preventing openconnect from read, write access on the chr_file vho...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Unspecified
medium
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:5030f5cd0cffef5b19098f080bb...
: 2222580 2223968 2227315 2228342 2229870 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-07-09 15:34 UTC by Enrique Meléndez
Modified: 2023-08-12 04:22 UTC (History)
16 users (show)

Fixed In Version: selinux-policy-38.24-1.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-12 04:22:43 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
File: os_info (667 bytes, text/plain)
2023-07-09 15:34 UTC, Enrique Meléndez 		no flags Details
File: description (1.90 KB, text/plain)
2023-07-09 15:34 UTC, Enrique Meléndez 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1808 0 None open Allow vpnc read/write inherited vhost net device 2023-08-01 15:30:33 UTC

Description Enrique Meléndez 2023-07-09 15:34:55 UTC 
Description of problem:
Conecting to a VPN with opeconnect. Apparently at the moment of establishing the connection.
SELinux is preventing openconnect from read, write access on the chr_file vhost-net.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that openconnect should be allowed read write access on the vhost-net chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'openconnect' --raw | audit2allow -M my-openconnect
# semodule -X 300 -i my-openconnect.pp

Additional Information:
Source Context                system_u:system_r:vpnc_t:s0
Target Context                system_u:object_r:vhost_device_t:s0
Target Objects                vhost-net [ chr_file ]
Source                        openconnect
Source Path                   openconnect
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.20-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.20-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.3.11-200.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sun Jul 2 13:17:31 UTC 2023 x86_64
Alert Count                   1
First Seen                    2023-07-09 16:46:17 CEST
Last Seen                     2023-07-09 16:46:17 CEST
Local ID                      311abdca-bdb3-4e5d-92d6-570c8be5cc42

Raw Audit Messages
type=AVC msg=audit(1688913977.326:312): avc:  denied  { read write } for  pid=11514 comm="openconnect" name="vhost-net" dev="devtmpfs" ino=580 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=0


Hash: openconnect,vpnc_t,vhost_device_t,chr_file,read,write

Version-Release number of selected component:
selinux-policy-targeted-38.20-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.11
reason:         SELinux is preventing openconnect from read, write access on the chr_file vhost-net.
kernel:         6.3.11-200.fc38.x86_64
type:           libreport
hashmarkername: setroubleshoot
package:        selinux-policy-targeted-38.20-1.fc38.noarch
comment:        Conecting to a VPN with opeconnect. Apparently at the moment of establishing the connection.
component:      selinux-policy
component:      selinux-policy
Comment 1 Enrique Meléndez 2023-07-09 15:34:57 UTC 
Created attachment 1974853 [details]
File: os_info
Comment 2 Enrique Meléndez 2023-07-09 15:34:59 UTC 
Created attachment 1974854 [details]
File: description
Comment 3 Zdenek Pytela 2023-07-11 13:19:55 UTC 
Enrique,

Can you elaborate a bit on the scenario - why would openconnect need access to /dev/vhost-net?
Comment 4 Enrique Meléndez 2023-07-11 14:56:17 UTC 
(In reply to Zdenek Pytela from comment #3)
> Enrique,
> 
> Can you elaborate a bit on the scenario - why would openconnect need access
> to /dev/vhost-net?

I have no idea why openconnect tries to access vhost. This has appeared after upgrading to openconnect-9.12-1.fc38; earlier versions did not show any security alert. Connection is to a Juniper Network VPN, and works fine.
Comment 5 Zdenek Pytela 2023-07-13 07:55:30 UTC 
*** Bug 2222580 has been marked as a duplicate of this bug. ***
Comment 6 Zdenek Pytela 2023-07-13 08:05:36 UTC 
David,

Can you help us with understanding the problem which was reported independently by 2 users?
Comment 7 Jan Vlug 2023-07-13 13:45:38 UTC 
For info: This (actually bug 2222580) happened to me when authenticating for a VPN that uses Microsoft services to call my phone for a 2FA.
Comment 8 Jonathan Haas 2023-07-19 12:30:01 UTC 
*** Bug 2223968 has been marked as a duplicate of this bug. ***
Comment 9 swobser+fedora 2023-07-24 11:26:20 UTC 
I can also confirm this issue. It does not seem to have an impact on functionality though. The VPN works fine.
Comment 10 David Woodhouse 2023-07-26 00:43:41 UTC 
OpenConnect uses vhost-net for acceleration, because it's basically just io_uring for the tun device; has nothing fundamentally to do with *virtualization*.

https://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/c6ef119693
Comment 11 Zdenek Pytela 2023-07-31 08:01:37 UTC 
*** Bug 2227315 has been marked as a duplicate of this bug. ***
Comment 12 Zdenek Pytela 2023-08-02 09:04:50 UTC 
*** Bug 2228342 has been marked as a duplicate of this bug. ***
Comment 13 Fedora Update System 2023-08-07 07:04:23 UTC 
FEDORA-2023-a79a6bdd37 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a79a6bdd37
Comment 14 Fedora Update System 2023-08-08 01:56:33 UTC 
FEDORA-2023-a79a6bdd37 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a79a6bdd37`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a79a6bdd37

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 15 Zdenek Pytela 2023-08-09 07:56:07 UTC 
*** Bug 2229870 has been marked as a duplicate of this bug. ***
Comment 16 Fedora Update System 2023-08-12 04:22:43 UTC 
FEDORA-2023-a79a6bdd37 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.