Bug 243949 - NetworkManager-openvpn has a selinux policy bug that impedes it to work
Summary: NetworkManager-openvpn has a selinux policy bug that impedes it to work
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager-openvpn
Version: 7
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Tim Niemueller
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2007-06-12 21:58 UTC by Linux Now
Modified: 2008-08-21 05:06 UTC (History)
Clone Of:
Last Closed: 2008-02-08 11:43:18 UTC


Attachments
all selinux problems I encountered (25.80 KB, application/octet-stream) - 2007-07-13 11:56 UTC, Christoph Höger
generated output (1.56 KB, text/plain) - 2007-07-13 11:57 UTC, Christoph Höger
selinux module (3.69 KB, text/plain) - 2007-07-13 11:58 UTC, Christoph Höger

Description Linux Now 2007-06-12 21:58:28 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Set up an openvpn connection using the NetworkManager-openvpn plugin
2. Start it
  
Actual results:
selinux error in the last step

Jun 12 23:49:14 pau64 kernel: audit(1181684954.113:31): avc:  denied  { execute } for  pid=22913 comm="nm-openvpn-serv" name="openvpn" dev=dm-0 ino=368376 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:openvpn_exec_t:s0 tclass=file

Using the SELinux troubleshooting tool setroubleshoot, this is the detailed report:

SELinux is preventing nm-openvpn-serv (NetworkManager_t) "execute" to openvpn
(openvpn_exec_t)

Detailed Description
SELinux denied access requested by nm-openvpn-serv. It is not expected that this
access is required by nm-openvpn-serv and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the
default system file context for openvpn, restorecon -v openvpn If this does not
work, there is currently no automatic way to allow this access. Instead, you can
generate a local policy module to allow this access - see FAQ Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report against this package

Additional Information

Source Context:  system_u:system_r:NetworkManager_t
Target Context:  system_u:object_r:openvpn_exec_t
Target Objects:  openvpn [ file ]
Affected RPM Packages:  
Policy RPM:   
Selinux Enabled:   
Policy Type:   
MLS Enabled:   
Enforcing Mode:   
Plugin Name:  plugins.catchall_file
Host Name:   
Platform:   
Alert Count:  1
First Seen:  dt 12 jun 2007 23:37:43 CEST
Last Seen:  dt 12 jun 2007 23:37:43 CEST
Local ID:  f414b04e-bdc5-48d6-ab2a-f6a23e1ecd67
Line Numbers:  1


Expected results:
openvpn connection

Additional info:

Comment 1 Steven Pritchard 2007-06-12 22:16:21 UTC
This bug should probably be against selinux-policy.

Comment 2 Daniel Walsh 2007-06-14 13:07:06 UTC
Fixed in selinux-policy-2.6.4-15

Comment 3 Tim Niemueller 2007-06-15 21:09:36 UTC
Did someone try this so that I can close this bug?

Comment 4 Pau Aliagas 2007-06-18 06:23:32 UTC
I opened the bug but cannot find it in testing to try it.

Comment 5 Christoph Höger 2007-06-18 20:57:21 UTC
This is probably the same bug as
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214556
but there seems to be no updated package on f7-updates-testing

Comment 6 Christoph Höger 2007-07-01 21:11:52 UTC
Hi,

the latest update seems to fix the original bug, but still avoids usage. In my
case, SELinux denied access on the certs and keys for openvpn.

The message is:

Jul  1 23:08:53 choeger4 kernel: audit(1183324133.720:6): avc:  denied  { search } for  pid=3903 comm="openvpn" name="home" dev=sda6 ino=3924481 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Jul  1 23:08:53 choeger4 nm-openvpn[3903]: Cannot load certificate file /home/choeger/cert2/choeger.crt: error:0200100D:system library:fopen:Permission denied: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib


Comment 7 Pau Aliagas 2007-07-01 22:38:49 UTC
I don't get any selinux error now, but I have the same problem with the
certificate file read permissions:

Jul  2 00:34:47 pau64 nm-openvpn[24790]: Cannot load certificate file /home/pau/openvpn/pau_openvpn.crt: error:0200100D:system library:fopen:Permission denied: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib


Comment 8 Daniel Walsh 2007-07-02 01:42:20 UTC
Where are the certificate files stored?

Comment 9 Pau Aliagas 2007-07-02 07:13:33 UTC
In my home, see the posted log: /home/pau/openvpn/pau_openvpn.crt

Comment 10 Daniel Walsh 2007-07-02 16:47:48 UTC
Added boolean to allow openvpn to read homedir.

selinux-policy-2.6.4-26

setsebool -P openvpn_enable_homedirs=1


Comment 11 Pau Aliagas 2007-07-02 18:18:48 UTC
That is fine, but, if NetworkManager is personal, not global, shouldn't this be
the default option? Otherwise you would use the network config tools to setup
openvpn. Nobody will have the certificates in a common directory if they are to
be used by NM.

I'll give it a shot tonight to see if it works :)

Comment 12 Pau Aliagas 2007-07-02 22:37:43 UTC
In updates-testing we have selinux-policy-2.6.4-25.fc7
In updates we have selinux-policy-2.6.4-21.fc7.

Can you please push selinux-policy-2.6.4-26 to testing?

Comment 13 Christoph Höger 2007-07-12 19:23:52 UTC
Hi,

selinux-policy-2.6.4-26 still doesn't fix the bug. Even with
openvpn_enable_homedirs=1 I got:

tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
Jul 12 21:17:12 choeger4 kernel: audit(1184267832.707:11): avc:  denied  { dac_read_search } for  pid=3895 comm="openvpn" capability=2 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
Jul 12 21:17:12 choeger4 nm-openvpn[3895]: Cannot load certificate file /home/choeger/cert2/choeger.crt: error:0200100D:system library:fopen:Permission denied: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Jul 12 21:17:12 choeger4 nm-openvpn[3895]: Exiting


Comment 14 Daniel Walsh 2007-07-13 11:04:51 UTC
If you add this rule using audit2allow

grep openvpn /var/log/audit/audit.log | audit2allow -M myopenvpn
semodule -i myopenvpn.pp

Does it work?

Comment 15 Daniel Walsh 2007-07-13 11:06:10 UTC
Added this fix to selinux-policy-2.6.4-28

Comment 16 Christoph Höger 2007-07-13 11:56:16 UTC
Created attachment 159156 [details]
all selinux problems I encountered

Comment 17 Christoph Höger 2007-07-13 11:57:36 UTC
Created attachment 159157 [details]
generated output

Comment 18 Christoph Höger 2007-07-13 11:58:11 UTC
Created attachment 159158 [details]
selinux module

Comment 19 Christoph Höger 2007-07-13 11:59:37 UTC
I needed to repeat the steps a few times to finally get it to work. I hope my
attachments will help you.

Comment 20 Daniel Walsh 2007-07-13 15:34:21 UTC
Fixed in selinux-policy-2.6.4-28

Comment 21 Pau Aliagas 2008-02-08 11:53:51 UTC
Fixed for me too.

Comment 22 barry gould 2008-08-19 08:19:59 UTC
I'm having similar problems in Fedora 9 with SELinux, NetworkManager and OpenVPN

Dunno if it needs to be a new bug, or reopened.

Thanks,
Barry


Summary:

SELinux is preventing openvpn (openvpn_t) "search" to / (home_root_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by openvpn. It is not expected that this access
is required by openvpn and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /,

restorecon -v '/'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:home_root_t:s0
Target Objects                / [ dir ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          foo.bar.net
Source RPM Packages           openvpn-2.1-0.26.rc8.fc9
Target RPM Packages           filesystem-2.4.13-1.fc9
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     foo.bar.net
Platform                      Linux foo.bar.net 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Tue 19 Aug 2008 12:18:00 AM PDT
Last Seen                     Tue 19 Aug 2008 12:54:42 AM PDT
Local ID                      e340c6c6-fb80-44ca-b508-e32a49e7d058
Line Numbers                  

Raw Audit Messages            

host=foo.bar.net type=AVC msg=audit(1219132482.809:379): avc:  denied  { search } for  pid=441 comm="openvpn" name="/" dev=dm-1 ino=2 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

host=foo.bar.net type=AVC msg=audit(1219132482.809:379): avc:  denied  { search } for  pid=441 comm="openvpn" name="barry" dev=dm-1 ino=606209 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir

host=foo.bar.net type=AVC msg=audit(1219132482.809:379): avc:  denied  { search } for  pid=441 comm="openvpn" name="Download" dev=dm-1 ino=606235 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

host=foo.bar.net type=AVC msg=audit(1219132482.809:379): avc:  denied  { read } for  pid=441 comm="openvpn" name="bjg.pennysaverusa.net.user.crt" dev=dm-1 ino=1278312 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

host=foo.bar.net type=SYSCALL msg=audit(1219132482.809:379): arch=40000003 syscall=5 success=yes exit=6 a0=bfde4eae a1=8000 a2=1b6 a3=0 items=0 ppid=435 pid=441 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

Comment 23 Christoph Höger 2008-08-19 10:49:35 UTC
I do not know why your / directory has home_root_t context and I also do not know why you store openvpn files there.
But I would suggest enabling the SELinux boolean openvpn_enable_homedirs and putting your openvpn files in your home dir, as you probably want to enable the connection as a normal user.

regards

christoph

Comment 24 barry gould 2008-08-20 07:41:57 UTC
My OpenVPN connection files ARE in my home directory, which is not part of the / partition.
However, I still had to use 'sudo' to run the OpenVPN command-line version, as I got a permission denied otherwise.
But NM gets the SELinux error, with the files in my home dir.

Thanks,
Barry

Comment 25 Daniel Walsh 2008-08-20 11:14:56 UTC
If you run your avc's through audit2why

avc:  denied  { read } for  pid=441 comm="openvpn" name="bjg.pennysaverusa.net.user.crt" dev=dm-1 ino=1278312 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file host=foo.bar.net type=SYSCALL msg=audit(1219132482.809:379): arch=40000003 syscall=5 success=yes exit=6 a0=bfde4eae a1=8000 a2=1b6 a3=0 items=0 ppid=435 pid=441 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

	Was caused by:
	The boolean openvpn_enable_homedirs was set incorrectly. 
	Description:
	Allow openvpn service access to users home directories

	Allow access by executing:
	# setsebool -P openvpn_enable_homedirs 1


Did you turn on the boolean?

This is also a Fedora 7 bugzilla, please open a new one if you believe you have a new problem.

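A small triage script, added here as an illustration (it is not part of this bug, of Fedora's tooling, or of audit2why), that parses AVC records like the ones quoted in Comments 6, 13 and 25 and reports whether each distinct denial is the home-directory case that the openvpn_enable_homedirs boolean covers or needs a policy change instead. The sample records are constructed from the denials quoted in this thread; the set of home-directory types is taken from those denials, not from the full policy.

```python
import re

# Constructed sample records modelled on the AVC denials quoted in this bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181684954.113:31): avc:  denied  { execute } for  pid=22913 comm="nm-openvpn-serv" name="openvpn" dev=dm-0 ino=368376 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:openvpn_exec_t:s0 tclass=file
type=AVC msg=audit(1184267832.707:11): avc:  denied  { dac_read_search } for  pid=3895 comm="openvpn" capability=2 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
type=AVC msg=audit(1219132482.809:379): avc:  denied  { search } for  pid=441 comm="openvpn" name="barry" dev=dm-1 ino=606209 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1219132482.809:379): avc:  denied  { read } for  pid=441 comm="openvpn" name="user.crt" dev=dm-1 ino=1278312 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1219132482.809:379): arch=40000003 syscall=5 success=yes exit=6 comm="openvpn" exe="/usr/sbin/openvpn"
"""

# One AVC record: permissions in braces, then source/target contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Home-directory types whose denials this thread attributes to openvpn_enable_homedirs.
HOMEDIR_TYPES = {"home_root_t", "user_home_dir_t", "user_home_t"}

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:level]; the type is what policy rules key on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def classify(rec):
    """Map a denial to the remedy the policy maintainer pointed at in this thread."""
    if rec["stype"] == "openvpn_t" and rec["ttype"] in HOMEDIR_TYPES:
        return "setsebool -P openvpn_enable_homedirs 1"
    return "policy change needed: report it, or build a local module with audit2allow"

def triage(audit_text):
    """Collapse repeated denials into one (source, target, class, perms) entry each."""
    seen = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))
        seen[key] = classify(rec)
    return seen

if __name__ == "__main__":
    for (stype, ttype, tclass, perms), remedy in triage(SAMPLE_AUDIT_LOG).items():
        print(f"{stype} -> {ttype} [{tclass} {perms}]: {remedy}")
```

Run it against `grep openvpn /var/log/audit/audit.log` output to see which of the denials a boolean already addresses before building a local module.
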
Comment 26 barry gould 2008-08-21 05:06:24 UTC
Sorry, I had missed that.
Moving files to /etc/openvpn; it works now.

Thanks!

