Bug 243609 - openvpn won't run due to selinux targeted policy denials
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-06-10 14:38 EDT by william hanlon
Modified: 2007-11-30 17:12 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:09:47 EDT

Attachments
openvpn policy module (294 bytes, application/octet-stream), 2007-06-10 14:38 EDT, william hanlon
selinux policy module to allow openvpn to start (218 bytes, application/octet-stream), 2007-06-12 20:50 EDT, william hanlon

Description william hanlon 2007-06-10 14:38:46 EDT
Description of problem:
The openvpn client will not start due to SELinux denials. The problem seems to be with
denials when writing the PID to /var/run/openvpn.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-13.fc7
openvpn-2.1-0.19.rc4.fc7


How reproducible:
Always happens while the SELinux targeted policy is enforcing.

Steps to Reproduce:
1. service openvpn start
  
Actual results:
The openvpn client has problems writing to /var/run/openvpn due to an SELinux denial,
and openvpn exits.

Expected results:
The openvpn client should write its PID to /var/run/openvpn and connect to the
remote server.

Additional info:
restorecon -v /var/run/openvpn doesn't fix the problem. I used the AVCs and
audit2allow to finally get it to run. The generated policy module is attached.
Comment 1 william hanlon 2007-06-10 14:38:46 EDT
Created attachment 156670
openvpn policy module
Comment 2 Daniel Walsh 2007-06-11 10:52:25 EDT
Added the following to selinux-policy-targeted-2.6.4-14

allow openvpn_t openvpn_var_run_t:dir { write search add_name };

Why does openvpn need to read homedir?
Comment 3 william hanlon 2007-06-12 20:50:50 EDT
Created attachment 156836
selinux policy module to allow openvpn to start
Comment 4 william hanlon 2007-06-12 20:52:19 EDT
(In reply to comment #2)
> Added the following to selinux-policy-targeted-2.6.4-14
> 
> allow openvpn_t openvpn_var_run_t:dir { write search add_name };
> 
> Why does openvpn need to read homedir?

I'm not sure. I removed that and reloaded the new module and openvpn seems to
start ok. I've attached the new module.
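The workflow the reporter describes (collect AVC denials, feed them to audit2allow, load the generated module) and the review step behind Daniel Walsh's question in comment 2 (why is there a homedir rule at all?), as an added example that is not code from the bug report or from the Fedora selinux-policy package. The script below reimplements the core of audit2allow in POSIX awk: it collapses denial lines into one allow rule per (source type, target type, class), then wraps the rules a reviewer keeps into a loadable module source. The audit lines are constructed to match this bug; the module name openvpn_local and the homedir target type user_home_t (standing in for the unexplained rule in the first attached module) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Fedora policy package.
# Derives SELinux allow rules from raw AVC denial lines the way audit2allow
# does, so each rule can be reviewed before it is compiled and loaded.
export LC_ALL=C

# Constructed audit lines matching the report: openvpn_t is refused write,
# search and add_name on the openvpn_var_run_t directory while creating its
# PID file, plus one homedir read (target type user_home_t is an assumption)
# standing in for the rule the reporter removed in comment 4.
AVC_SAMPLE='type=AVC msg=audit(1181499526.101:31): avc:  denied  { write } for  pid=2345 comm="openvpn" name="openvpn" dev=sda2 ino=65537 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir
type=AVC msg=audit(1181499526.101:32): avc:  denied  { search } for  pid=2345 comm="openvpn" name="openvpn" dev=sda2 ino=65537 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir
type=AVC msg=audit(1181499526.102:33): avc:  denied  { add_name } for  pid=2345 comm="openvpn" name="openvpn.pid" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir
type=AVC msg=audit(1181499526.105:34): avc:  denied  { read } for  pid=2345 comm="openvpn" name="somefile" dev=sda3 ino=8190 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Collapse denials (stdin) into one rule per (source type, target type, class),
# permissions de-duplicated and sorted, rules sorted.
avc_to_allow() {
  awk '
    /avc: +denied/ {
      perms = $0
      sub(/.*denied +[{] */, "", perms)      # keep text between { and }
      sub(/ *[}].*/, "", perms)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++) print src, tgt ":" cls, p[i]
    }' |
  sort -u |
  awk '
    {
      key = $1 " " $2
      if (key != prev) {
        if (prev != "") print "allow " prev " { " list " };"
        prev = key; list = $3
      } else {
        list = list " " $3
      }
    }
    END { if (prev != "") print "allow " prev " { " list " };" }'
}

# Wrap allow rules (stdin) into a complete module source: header, a require
# block listing every type and class/permission used, then the rules.
allow_to_te() {
  awk -v mod="$1" '
    {
      # line shape: allow SRC TGT:CLASS { PERM ... };
      split($3, tc, ":")
      types[$2] = 1; types[tc[1]] = 1
      for (i = 5; i < NF; i++)
        if (!seen[tc[2], $i]++) perms[tc[2]] = perms[tc[2]] " " $i
      rules[NR] = $0
    }
    END {
      print "module " mod " 1.0;\n"
      print "require {"
      for (t in types) print "\ttype " t ";" | "sort"
      close("sort")
      for (c in perms) print "\tclass " c " {" perms[c] " };" | "sort"
      close("sort")
      print "}\n"
      for (i = 1; i <= NR; i++) print rules[i]
    }'
}

# Compile and load NAME.te from the current directory. Needs checkmodule,
# semodule_package and semodule from the policy tools, and root. Not run here.
build_module() {
  checkmodule -M -m -o "$1.mod" "$1.te" &&
  semodule_package -o "$1.pp" -m "$1.mod" &&
  semodule -i "$1.pp"
}

rules=$(printf '%s\n' "$AVC_SAMPLE" | avc_to_allow)
echo "$rules"
# Review step: audit2allow would happily emit the user_home_t rule as well.
# The daemon's config lives in /etc/openvpn, so drop that rule before loading.
printf '%s\n' "$rules" | grep -v 'user_home_t' | allow_to_te openvpn_local
```

The first rule printed is the same `allow openvpn_t openvpn_var_run_t:dir { ... }` that went into selinux-policy-targeted-2.6.4-14, with the permissions in sorted order. The point of splitting rule generation from module building is the review in between: a denial proves only that the daemon tried something, not that it should be allowed, so every rule that is not explained by the daemon's documented behaviour is removed before `build_module` runs.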
Comment 5 Richard Fearn 2007-07-16 13:56:23 EDT
Just looking into another OpenVPN/SELinux problem (which may just be because my
policy is out of date), and noticed this:

> Why does openvpn need to read homedir?

Is it because the OpenVPN configuration file references files (keys,
certificates, etc.) in a home directory?
Comment 6 william hanlon 2007-07-16 14:05:20 EDT
(In reply to comment #5)
> Just looking into another OpenVPN/SELinux problem (which may just be because my
> policy is out of date), and noticed this:
> 
> > Why does openvpn need to read homedir?
> 
> Is it because the OpenVPN configuration file references files (keys,
> certificates, etc.) in a home directory?

No, all the openvpn configuration stuff was where it was supposed to be (as
desired by /etc/init.d/openvpn): /etc/openvpn. I used "sudo service openvpn ..."
to start/stop openvpn.
Comment 7 Daniel Walsh 2007-07-16 14:37:32 EDT
Fixes for this should be available in

selinux-policy-2.6.4-28
Comment 8 Daniel Walsh 2007-08-22 10:09:47 EDT
Closing as fixes are in the current release
