Bug 243949 - NetworkManager-openvpn has a selinux policy bug that impedes it to work
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: NetworkManager-openvpn
Version: 7
Platform: All Linux
Priority: low
Severity: high
Assigned To: Tim Niemueller
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-06-12 17:58 EDT by Linux Now
Modified: 2008-08-21 01:06 EDT
Fixed In Version: 2.6.4-28
Doc Type: Bug Fix
Last Closed: 2008-02-08 06:43:18 EST

Attachments
all selinux problems I encountered (25.80 KB, application/octet-stream), 2007-07-13 07:56 EDT, Christoph Höger
generated output (1.56 KB, text/plain), 2007-07-13 07:57 EDT, Christoph Höger
selinux module (3.69 KB, text/plain), 2007-07-13 07:58 EDT, Christoph Höger

Description Linux Now 2007-06-12 17:58:28 EDT
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.setup an openvpn connection using NetworkManager-openvpn plugin
2.start it
  
Actual results:
selinux error in the last step

Jun 12 23:49:14 pau64 kernel: audit(1181684954.113:31): avc:  denied  { execute
} for  pid=22913 comm="nm-openvpn-serv" name="openvpn" dev=dm-0 ino=368376
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:openvpn_exec_t:s0 tclass=file

Using the selinux trouble shooting setroubleshoot, this is the detailed report:

SELinux is preventing nm-openvpn-serv (NetworkManager_t) "execute" to openvpn
(openvpn_exec_t)

Detailed Description
SELinux denied access requested by nm-openvpn-serv. It is not expected that this
access is required by nm-openvpn-serv and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the
default system file context for openvpn, restorecon -v openvpn If this does not
work, there is currently no automatic way to allow this access. Instead, you can
generate a local policy module to allow this access - see FAQ Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report against this package

Additional Information

Source Context:  system_u:system_r:NetworkManager_t
Target Context:  system_u:object_r:openvpn_exec_t
Target Objects:  openvpn [ file ]
Affected RPM Packages:  
Policy RPM:   
Selinux Enabled:   
Policy Type:   
MLS Enabled:   
Enforcing Mode:   
Plugin Name:  plugins.catchall_file
Host Name:   
Platform:   
Alert Count:  1
First Seen:  dt 12 jun 2007 23:37:43 CEST
Last Seen:  dt 12 jun 2007 23:37:43 CEST
Local ID:  f414b04e-bdc5-48d6-ab2a-f6a23e1ecd67
Line Numbers:  1


Expected results:
openvpn connection

Additional info:
Comment 1 Steven Pritchard 2007-06-12 18:16:21 EDT
This bug should probably be against selinux-policy.
Comment 2 Daniel Walsh 2007-06-14 09:07:06 EDT
Fixed in selinux-policy-2.6.4-15
Comment 3 Tim Niemueller 2007-06-15 17:09:36 EDT
Did someone try this so that I can close this bug?
Comment 4 Pau Aliagas 2007-06-18 02:23:32 EDT
I opened the bug but cannot find it in testing to try it.
Comment 5 Christoph Höger 2007-06-18 16:57:21 EDT
This is probably the same bug as
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214556
but there seems to be no updated package on f7-updates-testing
Comment 6 Christoph Höger 2007-07-01 17:11:52 EDT
Hi,

the latest update seems to fix the original bug, but still avoids usage. In my
case, SELinux denied access on the certs and keys for openvpn.

The message is:

Jul  1 23:08:53 choeger4 kernel: audit(1183324133.720:6): avc:  denied  { search
} for  pid=3903 comm="openvpn" name="home" dev=sda6 ino=3924481
scontext=system_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Jul  1 23:08:53 choeger4 nm-openvpn[3903]: Cannot load certificate file
/home/choeger/cert2/choeger.crt: error:0200100D:system library:fopen:Permission
denied: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL
routines:SSL_CTX_use_certificate_file:system lib
Comment 7 Pau Aliagas 2007-07-01 18:38:49 EDT
I don't get any selinux error now, but I have the same problem with the
certificate file read permissions:

Jul  2 00:34:47 pau64 nm-openvpn[24790]: Cannot load certificate file
/home/pau/openvpn/pau_openvpn.crt: error:0200100D:system
library:fopen:Permission denied: error:20074002:BIO routines:FILE_CTRL:system
lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Comment 8 Daniel Walsh 2007-07-01 21:42:20 EDT
Where are the certificate files stored?
Comment 9 Pau Aliagas 2007-07-02 03:13:33 EDT
In my home, see the posted log: /home/pau/openvpn/pau_openvpn.crt
Comment 10 Daniel Walsh 2007-07-02 12:47:48 EDT
Added boolean to allow openvpn to read homedir.

selinux-policy-2.6.4-26

setsebool -P openvpn_enable_homedirs=1
Comment 11 Pau Aliagas 2007-07-02 14:18:48 EDT
That is fine, but, if NetworkManager is personal, not global, shouldn't this be
the default option? Otherwise you would use the network config tools to setup
openvpn. Nobody will have the certificates in a common directory if they are to
be used by NM.

I'll give it a shot tonight to see if it works :)
Comment 12 Pau Aliagas 2007-07-02 18:37:43 EDT
In updates-testing we have selinux-policy-2.6.4-25.fc7
In updates we have selinux-policy-2.6.4-21.fc7.

Can you please push selinux-policy-2.6.4-26 to testing?
Comment 13 Christoph Höger 2007-07-12 15:23:52 EDT
Hi,

selinux-policy-2.6.4-26 still doesn't fix the bug. Even with
openvpn_enable_homedirs=1 i got:

tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
Jul 12 21:17:12 choeger4 kernel: audit(1184267832.707:11): avc:  denied  { dac_read_search } for  pid=3895 comm="openvpn" capability=2 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
Jul 12 21:17:12 choeger4 nm-openvpn[3895]: Cannot load certificate file /home/choeger/cert2/choeger.crt: error:0200100D:system library:fopen:Permission denied: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Jul 12 21:17:12 choeger4 nm-openvpn[3895]: Exiting
Comment 14 Daniel Walsh 2007-07-13 07:04:51 EDT
If you add this rule using audit2allow

grep openvpn /var/log/audit/audit.log | audit2allow -M myopenvpn
semodule -i myopenvpn.pp

Does it work?
Comment 15 Daniel Walsh 2007-07-13 07:06:10 EDT
Added this fix to selinux-policy-2.6.4-28
Comment 16 Christoph Höger 2007-07-13 07:56:16 EDT
Created attachment 159156 [details]
all selinux problems I encountered
Comment 17 Christoph Höger 2007-07-13 07:57:36 EDT
Created attachment 159157 [details]
generated output
Comment 18 Christoph Höger 2007-07-13 07:58:11 EDT
Created attachment 159158 [details]
selinux module
Comment 19 Christoph Höger 2007-07-13 07:59:37 EDT
I needed to repeat the steps some times to get it to work finally. I hope my
attachments will help you.
Comment 20 Daniel Walsh 2007-07-13 11:34:21 EDT
Fixed in selinux-policy-2.6.4-28
Comment 21 Pau Aliagas 2008-02-08 06:53:51 EST
Fixed for me too.
Comment 22 barry gould 2008-08-19 04:19:59 EDT
I'm having similar problems in Fedora 9 with SELinux, NetworkManager and OpenVPN

Dunno if it needs to be an new bug, or reopened.

Thanks,
Barry


Summary:

SELinux is preventing openvpn (openvpn_t) "search" to / (home_root_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by openvpn. It is not expected that this access
is required by openvpn and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /,

restorecon -v '/'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:home_root_t:s0
Target Objects                / [ dir ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          foo.bar.net
Source RPM Packages           openvpn-2.1-0.26.rc8.fc9
Target RPM Packages           filesystem-2.4.13-1.fc9
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     foo.bar.net
Platform                      Linux foo.bar.net 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Tue 19 Aug 2008 12:18:00 AM PDT
Last Seen                     Tue 19 Aug 2008 12:54:42 AM PDT
Local ID                      e340c6c6-fb80-44ca-b508-e32a49e7d058
Line Numbers                  

Raw Audit Messages            

host=foo.bar.net type=AVC msg=audit(1219132482.809:379): avc:  denied  { search } for  pid=441 comm="openvpn" name="/" dev=dm-1 ino=2 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

host=foo.bar.net type=AVC msg=audit(1219132482.809:379): avc:  denied  { search } for  pid=441 comm="openvpn" name="barry" dev=dm-1 ino=606209 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir

host=foo.bar.net type=AVC msg=audit(1219132482.809:379): avc:  denied  { search } for  pid=441 comm="openvpn" name="Download" dev=dm-1 ino=606235 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

host=foo.bar.net type=AVC msg=audit(1219132482.809:379): avc:  denied  { read } for  pid=441 comm="openvpn" name="bjg.pennysaverusa.net.user.crt" dev=dm-1 ino=1278312 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

host=foo.bar.net type=SYSCALL msg=audit(1219132482.809:379): arch=40000003 syscall=5 success=yes exit=6 a0=bfde4eae a1=8000 a2=1b6 a3=0 items=0 ppid=435 pid=441 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
Comment 23 Christoph Höger 2008-08-19 06:49:35 EDT
I do not know why your / directory has home_root_t context and I also do not know why you store openvpn files there. 
But I would suggest to enable the selinux bool openvpn_enable_homedirs and put your openvpn files in your home dir as you probably want to enable the connection as a normal user.

regards

christoph
Comment 24 barry gould 2008-08-20 03:41:57 EDT
My OpenVPN connection files ARE in my home directory, which is not part of the / partition.
However, I still had to use 'sudo' to run the OpenVPN command-line version, as I got a permission denied otherwise.
But NM gets the SELinux error, with the files in my home dir.

Thanks,
Barry
Comment 25 Daniel Walsh 2008-08-20 07:14:56 EDT
If you run your avc's through audit2why

avc:  denied  { read } for  pid=441 comm="openvpn" name="bjg.pennysaverusa.net.user.crt" dev=dm-1 ino=1278312 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file host=foo.bar.net type=SYSCALL msg=audit(1219132482.809:379): arch=40000003 syscall=5 success=yes exit=6 a0=bfde4eae a1=8000 a2=1b6 a3=0 items=0 ppid=435 pid=441 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

	Was caused by:
	The boolean openvpn_enable_homedirs was set incorrectly. 
	Description:
	Allow openvpn service access to users home directories

	Allow access by executing:
	# setsebool -P openvpn_enable_homedirs 1


Did you turn on the boolean?

This is also a Fedora 7 bugzilla, please open a new one if you believe you have a new problem.
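The triage in Comment 14 (pipe the AVC records through audit2allow) and Comment 25 (ask audit2why whether a boolean already covers the denial) can be reproduced in miniature. The script below is an added example, not code from this bug, from setroubleshoot or from selinux-policy: it parses raw AVC lines, merges them into audit2allow-style TE rules, and gives a simplified audit2why-style verdict. The sample lines are the messages quoted in this thread re-joined onto single lines. The assumption that openvpn_enable_homedirs also covers the home_root_t and user_home_dir_t search denials on the path to the certificate is modelled on the audit2why output in Comment 25, which only shows the user_home_t read; the real boolean's scope is defined by the policy, not by this script.

```python
"""Triage SELinux AVC denials of the kind quoted in this bug.

Added example (not from the bug thread, setroubleshoot or selinux-policy):
parse raw AVC records, merge them into audit2allow-style TE rules and give a
simplified audit2why-style verdict (boolean vs. policy bug).
"""
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Constructed sample: the audit messages quoted in this thread, re-joined onto
# single lines. The last record is a SYSCALL line and must be ignored.
SAMPLE_LOG = [
    'kernel: audit(1181684954.113:31): avc:  denied  { execute } for  pid=22913 '
    'comm="nm-openvpn-serv" name="openvpn" dev=dm-0 ino=368376 '
    'scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:openvpn_exec_t:s0 tclass=file',
    'kernel: audit(1183324133.720:6): avc:  denied  { search } for  pid=3903 '
    'comm="openvpn" name="home" dev=sda6 ino=3924481 '
    'scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    'kernel: audit(1184267832.707:11): avc:  denied  { dac_read_search } for  '
    'pid=3895 comm="openvpn" capability=2 scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:system_r:openvpn_t:s0 tclass=capability',
    'type=AVC msg=audit(1219132482.809:379): avc:  denied  { search } for  pid=441 '
    'comm="openvpn" name="barry" dev=dm-1 ino=606209 '
    'scontext=unconfined_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir',
    'type=AVC msg=audit(1219132482.809:379): avc:  denied  { read } for  pid=441 '
    'comm="openvpn" name="bjg.pennysaverusa.net.user.crt" dev=dm-1 ino=1278312 '
    'scontext=unconfined_u:system_r:openvpn_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1219132482.809:379): arch=40000003 syscall=5 '
    'success=yes exit=6 comm="openvpn" exe="/usr/sbin/openvpn"',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption (see lead-in): object types the openvpn_enable_homedirs boolean
# unlocks for openvpn_t. Comment 25 confirms user_home_t; the two directory
# types on the path to a file under $HOME are assumed to be covered too.
HOMEDIR_TYPES = {"home_root_t", "user_home_dir_t", "user_home_t"}


class Denial(NamedTuple):
    perms: frozenset
    comm: str
    source: str   # type field of scontext, e.g. openvpn_t
    target: str   # type field of tcontext, e.g. user_home_t
    tclass: str


def parse_avc(line: str) -> Optional[Denial]:
    """Return the denial in an AVC record, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    # A context is user:role:type:level; the type is the third field.
    return Denial(
        perms=frozenset(m.group(1).split()),
        comm=fields.get("comm", "?"),
        source=fields["scontext"].split(":")[2],
        target=fields["tcontext"].split(":")[2],
        tclass=fields["tclass"],
    )


def allow_rules(denials: Iterable[Denial]) -> List[str]:
    """Merge denials into one TE allow rule per (source, target, class),
    the way audit2allow collapses repeated records."""
    merged = {}
    for d in denials:
        key = (d.source, d.target, d.tclass)
        merged[key] = merged.get(key, frozenset()) | d.perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_txt))
    return rules


def explain(d: Denial) -> str:
    """Simplified audit2why verdict for the denials seen in this bug."""
    if d.source == "openvpn_t" and d.target in HOMEDIR_TYPES:
        return "boolean: setsebool -P openvpn_enable_homedirs 1"
    if d.target == "openvpn_exec_t" and "execute" in d.perms and d.source != "openvpn_t":
        return "policy bug: %s has no domain transition to openvpn_t" % d.source
    if d.tclass == "capability":
        return "policy bug: %s needs capability %s; no boolean covers this" % (
            d.source, " ".join(sorted(d.perms)))
    return "no boolean covers this; build a local module or file a policy bug"


def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(allow rule, verdict) for every AVC record in the input, in order."""
    denials = [d for d in map(parse_avc, lines) if d is not None]
    return [(allow_rules([d])[0], explain(d)) for d in denials]


if __name__ == "__main__":
    for rule, verdict in triage(SAMPLE_LOG):
        print("%-58s # %s" % (rule, verdict))
```

Run it on a real system with `grep avc /var/log/audit/audit.log | python3 triage.py`-style input by replacing SAMPLE_LOG with `sys.stdin`; the point is that the verdict for an openvpn_t denial on a home-directory type is a boolean, while the NetworkManager_t execute denial at the top of this bug and the dac_read_search capability denial are things only a policy update (or a local module as in Comment 14) can fix.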
Comment 26 barry gould 2008-08-21 01:06:24 EDT
Sorry, I had missed that.
Moving files to /etc/openvpn; it works now.

Thanks!
