Bug 244302 - selinux blocking openvpn startup
selinux blocking openvpn startup
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: openvpn (Show other bugs)
7
All Linux
low Severity high
: ---
: ---
Assigned To: Steven Pritchard
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-14 17:07 EDT by Malcolm Amir Hussain-Gambles
Modified: 2008-08-02 19:40 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-25 00:09:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
sealert output (2.35 KB, text/plain)
2007-12-20 10:32 EST, Mika Silander
no flags Details

  None (edit)
Description Malcolm Amir Hussain-Gambles 2007-06-14 17:07:58 EDT
Description of problem:
Selinux is blocking startup of openvpn.. message in logs...
Jun 14 21:44:36 malcolm setroubleshoot:      SELinux is preventing
/usr/sbin/openvpn (openvpn_t) "search" to /var/run/openvpn/server.pid
(openvpn_var_run_t).      For complete SELinux messages. run sealert -l
cc8ca0d1-b321-41c3-879f-21d75cdc77ad

seaudit...

Source Context                user_u:system_r:openvpn_t
Target Context                system_u:object_r:openvpn_var_run_t
Target Objects                /var/run/openvpn/server.pid [ dir ]
Affected RPM Packages         openvpn-2.1-0.19.rc4.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-13.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     malcolm.saafinternational.com
Platform                      Linux malcolm.saafinternational.com
                              2.6.21-1.3149.fc7 #1 SMP Fri May 11 11:30:39 EDT
                              2007 x86_64 x86_64
Alert Count                   4
First Seen                    Thu Jun 14 21:44:34 2007
Last Seen                     Thu Jun 14 21:48:27 2007
Local ID                      cc8ca0d1-b321-41c3-879f-21d75cdc77ad
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="openvpn" cwd="/etc/openvpn" dev=md1 egid=0
euid=0 exe="/usr/sbin/openvpn" exit=-13 fsgid=0 fsuid=0 gid=0 item=0 items=1
name="openvpn" obj=system_u:object_r:etc_t:s0 path="/var/run/openvpn/server.pid"
pid=10145 scontext=user_u:system_r:openvpn_t:s0 sgid=0
subj=user_u:system_r:openvpn_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:openvpn_var_run_t:s0 tty=pts1 uid=0



Version-Release number of selected component (if applicable):
2.1-0.19.rc4.fc7

How reproducible:
Always

Steps to Reproduce:
1. use server.conf as in example
2. start openvpn
3.
  
Actual results: openvpn fails to start


Expected results: it should start


Additional info:
Comment 1 Steven Pritchard 2007-12-06 14:32:11 EST
Have you tried this recently (with updates installed)?  That should work.
Comment 2 Mika Silander 2007-12-20 10:32:21 EST
Created attachment 290159 [details]
sealert output
Comment 3 Mika Silander 2007-12-20 10:35:36 EST
See attachment of earlier comment: SELinux policy prevents openvpn startup
script from writing to openvpn-status.log. RPMs of interest:

libselinux-2.0.14-10.fc7
selinux-policy-targeted-2.6.4-61.fc7
selinux-policy-2.6.4-61.fc7
libselinux-python-2.0.14-10.fc7
selinux-policy-devel-2.6.4-61.fc7
libselinux-devel-2.0.14-10.fc7
openvpn-2.1-0.19.rc4.fc7
Comment 4 Christoph Höger 2008-01-09 09:06:00 EST
Hi,

currently I have the following issue:

my cert file is in ~/cert 

openvpn cannot read it, because it wants to "search" on /home (home_root_t)

I assume that this access is unneccessary and blocked by selinux policy for a
reason.

Is there a fix?
Comment 5 Brian Powell 2008-04-25 00:09:14 EDT
The information we've requested above is required in order
to review this problem report further and diagnose/fix the
issue if it is still present.  Since there have not been any
updates to the report since thirty (30) days or more since we
requested additional information, we're assuming the problem
is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.

Setting status to "CLOSED INSUFFICIENT_DATA".  If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested, 
please feel free to reopen the bug report.

Thank you in advance.

Note that maintenance for Fedora 7 will end 30 days after the GA of Fedora 9.

Note You need to log in before you can comment on or make changes to this bug.