Bug 308981 - openvpn-status.log can't be made writable.
Summary: openvpn-status.log can't be made writable.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-09-27 13:36 UTC by Tomasz Torcz
Modified: 2007-11-30 22:12 UTC (History)
0 users

Fixed In Version: 48
Clone Of:
Environment:
Last Closed: 2007-11-06 16:41:19 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Tomasz Torcz 2007-09-27 13:36:07 UTC 
From SELinux Trobuleshoot:

#v+
Source Context:  	system_u:system_r:openvpn_t
Target Context:  	system_u:object_r:var_log_t
Target Objects:  	/var/log/openvpn-status.log [ file ]
Affected RPM Packages:  	openvpn-2.1-0.19.rc4.fc7 [application]
Policy RPM:  	selinux-policy-2.6.4-42.fc7
Selinux Enabled:  	True
Policy Type:  	targeted
MLS Enabled:  	True
Enforcing Mode:  	Permissive
Plugin Name:  	plugins.mislabeled_file
Host Name:  	s1.crocom.com.pl
Platform:  	Linux s1.crocom.com.pl 2.6.22.5-76.fc7 #1 SMP Thu Aug 30 13:08:59
EDT 2007 x86_64 x86_64
Alert Count:  	55
First Seen:  	Tue Jun 5 14:27:41 2007
Last Seen:  	Thu Sep 27 15:14:55 2007
Local ID:  	c4edc7dc-117d-403d-b953-9f42edab72e5
Line Numbers:  	

Raw Audit Messages :

avc: denied { write } for comm="openvpn" dev=sdb1 egid=99 euid=99
exe="/usr/sbin/openvpn" exit=20 fsgid=99 fsuid=99 gid=99 items=0
name="openvpn-status.log" path="/var/log/openvpn-status.log" pid=1896
scontext=system_u:system_r:openvpn_t:s0 sgid=99
subj=system_u:system_r:openvpn_t:s0 suid=99 tclass=file
tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=99 
#v-

Recommended action is: You can attempt to fix file context by executing
restorecon -v /var/log/openvpn-status.log

But context do not change:
# restorecon -v /var/log/openvpn-status.log
# ls -lZ /var/log/openvpn-status.log
-rw-------  root root system_u:object_r:var_log_t      /var/log/openvpn-status.log
Comment 1 Daniel Walsh 2007-10-09 20:16:39 UTC 
Strange in rawhide these log files are being written to /var/log/openvpn/*
Which is labeled openvn_log_t which the domain can write to.

If you change the context of the log file to openvpn_log_t, it should work.

# semanage fcontext -a -t openvpn_log_t /var/log/openvpn-status.log
# restorecon /var/log/openvpn-status.log

Is this a standard openvpn package from fedora?

I will add context for this in selinux-policy-2.6.4-48.fc7
Comment 2 Tomasz Torcz 2007-10-31 15:00:17 UTC 
# LC_ALL=C semanage fcontext -a -t openvpn_log_t /var/log/openvpn-status.log
libsepol.context_from_record: type openvpn_log_t is not defined
libsepol.context_from_record: could not create context structure
libsemanage.validate_handler: invalid context system_u:object_r:openvpn_log_t:s0
specified for /var/log/openvpn-status.log [all files]
libsemanage.dbase_llist_iterate: could not iterate over records
/usr/sbin/semanage: Could not add file context for /var/log/openvpn-status.log

# rpm -q openvpn
openvpn-2.1-0.19.rc4.fc7

# rpm -q selinux-policy
selinux-policy-2.6.4-48.fc7
Comment 3 Daniel Walsh 2007-11-01 17:47:49 UTC 
Sorry my mistake.  Should have been openvpn_var_log_t

# semanage fcontext -a -t openvpn_var_log_t /var/log/openvpn-status.log
# restorecon /var/log/openvpn-status.log
Comment 4 Tomasz Torcz 2007-11-06 11:55:33 UTC 
It works now. No emails from sealertd since yesterday. Thank you.
Note You need to log in before you can comment on or make changes to this bug.