Bug 308981 - openvpn-status.log can't be made writable.
Product: Fedora
Classification: Fedora
Component: selinux-policy
All Linux
low Severity low
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2007-09-27 09:36 EDT by Tomasz Torcz
Modified: 2007-11-30 17:12 EST
Fixed In Version: 48
Doc Type: Bug Fix
Last Closed: 2007-11-06 11:41:19 EST

Description Tomasz Torcz 2007-09-27 09:36:07 EDT
From SELinux Troubleshoot:

Source Context:  	system_u:system_r:openvpn_t
Target Context:  	system_u:object_r:var_log_t
Target Objects:  	/var/log/openvpn-status.log [ file ]
Affected RPM Packages:  	openvpn-2.1-0.19.rc4.fc7 [application]
Policy RPM:  	selinux-policy-2.6.4-42.fc7
Selinux Enabled:  	True
Policy Type:  	targeted
MLS Enabled:  	True
Enforcing Mode:  	Permissive
Plugin Name:  	plugins.mislabeled_file
Host Name:  	s1.crocom.com.pl
Platform:  	Linux s1.crocom.com.pl #1 SMP Thu Aug 30 13:08:59
EDT 2007 x86_64 x86_64
Alert Count:  	55
First Seen:  	Tue Jun 5 14:27:41 2007
Last Seen:  	Thu Sep 27 15:14:55 2007
Local ID:  	c4edc7dc-117d-403d-b953-9f42edab72e5
Line Numbers:  	

Raw Audit Messages :

avc: denied { write } for comm="openvpn" dev=sdb1 egid=99 euid=99
exe="/usr/sbin/openvpn" exit=20 fsgid=99 fsuid=99 gid=99 items=0
name="openvpn-status.log" path="/var/log/openvpn-status.log" pid=1896
scontext=system_u:system_r:openvpn_t:s0 sgid=99
subj=system_u:system_r:openvpn_t:s0 suid=99 tclass=file
tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=99 

Recommended action is: You can attempt to fix file context by executing
restorecon -v /var/log/openvpn-status.log

But the context does not change:
# restorecon -v /var/log/openvpn-status.log
# ls -lZ /var/log/openvpn-status.log
-rw-------  root root system_u:object_r:var_log_t      /var/log/openvpn-status.log
Comment 1 Daniel Walsh 2007-10-09 16:16:39 EDT
Strange, in rawhide these log files are being written to /var/log/openvpn/*,
which is labeled openvpn_log_t, which the domain can write to.

If you change the context of the log file to openvpn_log_t, it should work.

# semanage fcontext -a -t openvpn_log_t /var/log/openvpn-status.log
# restorecon /var/log/openvpn-status.log

Is this a standard openvpn package from Fedora?

I will add context for this in selinux-policy-2.6.4-48.fc7
Comment 2 Tomasz Torcz 2007-10-31 11:00:17 EDT
# LC_ALL=C semanage fcontext -a -t openvpn_log_t /var/log/openvpn-status.log
libsepol.context_from_record: type openvpn_log_t is not defined
libsepol.context_from_record: could not create context structure
libsemanage.validate_handler: invalid context system_u:object_r:openvpn_log_t:s0
specified for /var/log/openvpn-status.log [all files]
libsemanage.dbase_llist_iterate: could not iterate over records
/usr/sbin/semanage: Could not add file context for /var/log/openvpn-status.log

# rpm -q openvpn

# rpm -q selinux-policy
Comment 3 Daniel Walsh 2007-11-01 13:47:49 EDT
Sorry, my mistake. Should have been openvpn_var_log_t.

# semanage fcontext -a -t openvpn_var_log_t /var/log/openvpn-status.log
# restorecon /var/log/openvpn-status.log

Comment 4 Tomasz Torcz 2007-11-06 06:55:33 EST
It works now. No emails from sealertd since yesterday. Thank you.
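
Added example, not part of the original bug report: a small shell helper that pulls out of an AVC denial the fields this thread turns on (source type, permission, class, target type, path) and prints the semanage/restorecon pair for a type the admin supplies. The function names and SAMPLE_AVC (the report's denial joined onto one line, with some fields dropped) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the denial quoted in this report, joined onto one line.
SAMPLE_AVC='avc: denied { write } for comm="openvpn" dev=sdb1 exe="/usr/sbin/openvpn" name="openvpn-status.log" path="/var/log/openvpn-status.log" pid=1896 scontext=system_u:system_r:openvpn_t:s0 tclass=file tcontext=system_u:object_r:var_log_t:s0'

# avc_field KEY RECORD -> value of KEY=value with quotes stripped, empty if absent.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tr -d '"' | head -n 1
}

# avc_perms RECORD -> denied permissions from "{ ... }", comma-joined.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p' | tr ' ' ','
}

# ctx_type CONTEXT -> the type, third field of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD -> "source_type perms class target_type path"
avc_summary() {
    printf '%s %s %s %s %s\n' \
        "$(ctx_type "$(avc_field scontext "$1")")" \
        "$(avc_perms "$1")" \
        "$(avc_field tclass "$1")" \
        "$(ctx_type "$(avc_field tcontext "$1")")" \
        "$(avc_field path "$1")"
}

# relabel_cmds TYPE RECORD -> prints (does not run) the two commands used in
# this thread for the denied path. TYPE is the admin's choice and must be a
# type defined in the loaded policy, otherwise semanage rejects it.
relabel_cmds() {
    p=$(avc_field path "$2")
    # Log content ends up in a command line: accept only a plain absolute path.
    case "$p" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$p" in
        *[!A-Za-z0-9/._-]*) return 1 ;;
    esac
    printf 'semanage fcontext -a -t %s %s\nrestorecon -v %s\n' "$1" "$p" "$p"
}

avc_summary "$SAMPLE_AVC"
relabel_cmds openvpn_var_log_t "$SAMPLE_AVC"
```

The summary line makes the mismatch visible at a glance: the openvpn_t domain is writing to a file that still carries the generic var_log_t type.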
