Bug 244302 - selinux blocking openvpn startup
Summary: selinux blocking openvpn startup
Alias: None
Product: Fedora
Classification: Fedora
Component: openvpn
Version: 7
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Steven Pritchard
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2007-06-14 21:07 UTC by Malcolm Amir Hussain-Gambles
Modified: 2008-08-02 23:40 UTC

Clone Of:
Last Closed: 2008-04-25 04:09:14 UTC

Attachments
sealert output (2.35 KB, text/plain)
2007-12-20 15:32 UTC, Mika Silander

Description Malcolm Amir Hussain-Gambles 2007-06-14 21:07:58 UTC
Description of problem:
Selinux is blocking startup of openvpn.. message in logs...
Jun 14 21:44:36 malcolm setroubleshoot:      SELinux is preventing
/usr/sbin/openvpn (openvpn_t) "search" to /var/run/openvpn/server.pid
(openvpn_var_run_t).      For complete SELinux messages. run sealert -l


Source Context                user_u:system_r:openvpn_t
Target Context                system_u:object_r:openvpn_var_run_t
Target Objects                /var/run/openvpn/server.pid [ dir ]
Affected RPM Packages         openvpn-2.1-0.19.rc4.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-13.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     malcolm.saafinternational.com
Platform                      Linux malcolm.saafinternational.com
                              2.6.21-1.3149.fc7 #1 SMP Fri May 11 11:30:39 EDT
                              2007 x86_64 x86_64
Alert Count                   4
First Seen                    Thu Jun 14 21:44:34 2007
Last Seen                     Thu Jun 14 21:48:27 2007
Local ID                      cc8ca0d1-b321-41c3-879f-21d75cdc77ad
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="openvpn" cwd="/etc/openvpn" dev=md1 egid=0
euid=0 exe="/usr/sbin/openvpn" exit=-13 fsgid=0 fsuid=0 gid=0 item=0 items=1
name="openvpn" obj=system_u:object_r:etc_t:s0 path="/var/run/openvpn/server.pid"
pid=10145 scontext=user_u:system_r:openvpn_t:s0 sgid=0
subj=user_u:system_r:openvpn_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:openvpn_var_run_t:s0 tty=pts1 uid=0

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. use server.conf as in example
2. start openvpn
Actual results: openvpn fails to start

Expected results: it should start

Additional info:
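
The denial quoted in the description above, worked through as an added example that is not part of the original bug report: a small Python parser that pulls the subject type, target type, object class and permission out of the raw AVC record and prints the type-enforcement rule the denial corresponds to. The record is the one from the description with line wrapping removed; the function names are this example's own.

```python
import re

# AVC record quoted in the report's description, line wrapping removed.
SAMPLE_AVC = (
    'avc: denied { search } for comm="openvpn" cwd="/etc/openvpn" dev=md1 egid=0 '
    'euid=0 exe="/usr/sbin/openvpn" exit=-13 fsgid=0 fsuid=0 gid=0 item=0 items=1 '
    'name="openvpn" obj=system_u:object_r:etc_t:s0 path="/var/run/openvpn/server.pid" '
    'pid=10145 scontext=user_u:system_r:openvpn_t:s0 sgid=0 '
    'subj=user_u:system_r:openvpn_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:openvpn_var_run_t:s0 tty=pts1 uid=0'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_context(ctx):
    """Split user:role:type[:level]; the level may itself contain ':'."""
    user, role, typ, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level[0] if level else None}

def parse_avc(line):
    """Return the decision, permissions, contexts and raw fields of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    missing = [k for k in ("scontext", "tcontext", "tclass") if k not in fields]
    if missing:
        raise ValueError("AVC record missing " + ", ".join(missing))
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,
    }

def te_rule(avc):
    """Type-enforcement rule the denial corresponds to (for review, not a fix)."""
    perms = " ".join(avc["perms"])
    return f'allow {avc["source"]["type"]} {avc["target"]["type"]}:{avc["tclass"]} {{ {perms} }};'

if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(te_rule(avc))
    print("comm:", avc["fields"].get("comm"), "path:", avc["fields"].get("path"))
```

The printed rule only restates what was denied, so the subject and target types can be compared against the installed policy; whether the policy should allow the access is a separate decision.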

Comment 1 Steven Pritchard 2007-12-06 19:32:11 UTC
Have you tried this recently (with updates installed)?  That should work.

Comment 2 Mika Silander 2007-12-20 15:32:21 UTC
Created attachment 290159
sealert output

Comment 3 Mika Silander 2007-12-20 15:35:36 UTC
See attachment of earlier comment: SELinux policy prevents openvpn startup
script from writing to openvpn-status.log. RPMs of interest:


Comment 4 Christoph Höger 2008-01-09 14:06:00 UTC

Currently I have the following issue:

My cert file is in ~/cert

openvpn cannot read it, because it wants to "search" on /home (home_root_t)

I assume that this access is unnecessary and blocked by selinux policy for a

Is there a fix?

Comment 5 Brian Powell 2008-04-25 04:09:14 UTC
The information we've requested above is required in order
to review this problem report further and diagnose/fix the
issue if it is still present.  Since there have not been any
updates to the report since thirty (30) days or more since we
requested additional information, we're assuming the problem
is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.

Setting status to "CLOSED INSUFFICIENT_DATA".  If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested, 
please feel free to reopen the bug report.

Thank you in advance.

Note that maintenance for Fedora 7 will end 30 days after the GA of Fedora 9.
