Detailed Description:

SELinux denied access requested by openvpn. It is not expected that this access is required by openvpn and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./ipp.txt,
restorecon -v './ipp.txt'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:openvpn_etc_t:s0
Target Objects                ./ipp.txt [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          thunder.christensenplace.us
Source RPM Packages           openvpn-2.1-0.26.rc8.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-103.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     thunder.christensenplace.us
Platform                      Linux thunder.christensenplace.us 2.6.26.5-45.fc9.i686 #1 SMP Sat Sep 20 03:45:00 EDT 2008 i686 athlon
Alert Count                   2
First Seen                    Thu 30 Oct 2008 11:10:17 PM EDT
Last Seen                     Thu 30 Oct 2008 11:11:03 PM EDT
Local ID                      42fc5943-0569-400f-91e9-93b1279cec0c
Line Numbers

Raw Audit Messages

host=thunder.christensenplace.us type=AVC msg=audit(1225422663.119:2170): avc: denied { write } for pid=29753 comm="openvpn" name="ipp.txt" dev=dm-4 ino=565082 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file

host=thunder.christensenplace.us type=SYSCALL msg=audit(1225422663.119:2170): arch=40000003 syscall=5 success=no exit=-13 a0=8a3bd5c a1=42 a2=180 a3=8a3bd01 items=0 ppid=29745 pid=29753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=287 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
I received this alert AFTER I performed the "restorecon -v './ipp.txt'".
Does openvpn actually need to write ipp.txt to be able to connect?
This was the error I received in my daily watch log. I'm not sure why openvpn would need read/write access to ipp.txt, but that is one of the errors. I think the restorecon fixed the openvpn-status.log error, as I'm not receiving that error any longer.

**Unmatched Entries**
Cannot open /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem for DH parameters: error:0200100D:system library:fopen:Permission denied: error:2006D002:BIO routines:BIO_new_file:system lib: 5 Time(s)
Note: cannot open /etc/openvpn/ipp.txt for READ/WRITE: 5 Time(s)
Note: cannot open openvpn-status.log for WRITE: 5 Time(s)
Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf: 1 Time(s)
Use --help for more information.: 1 Time(s)
Looks like ipp.txt is something openvpn needs to write to.

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

But this file should be in /var/run/openvpn if it is a temporary file, or moved to the /var/lib/openvpn/ directory if it needs to survive a reboot. Not under the /etc directory, which should be read-only.

Cannot open /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem for DH parameters: error:0200100D:system library:fopen:Permission denied: error:2006D002:BIO routines:BIO_new_file:system lib: 5 Time(s)

Is this being caused by SELinux? What is this file? Does it need to be read/write?
Okay, I've gone rounds with this thing over the weekend. I changed the openvpn.conf file to point to /var/run/openvpn/ and moved all the files over there. I'm still getting slapped down by SELinux.
ipp.txt is the file that stores the IP addresses for the boxes that are connected, so if a box disconnects and reconnects it gets the same IP (pseudo-static IP). The dh2048.pem is one of the keys needed for encryption.
These are the current problems I'm seeing (since they may have changed since moving the files).

Nov 12 09:20:50 thunder openvpn[26996]: OpenVPN 2.1_rc8 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 14 2008
Nov 12 09:20:50 thunder openvpn[26996]: Note: cannot open /var/run/openvpn/ipp.txt for READ/WRITE
Nov 12 09:20:50 thunder openvpn[26996]: Cannot open /var/run/openvpn/easy-rsa/2.0/keys/dh2048.pem for DH parameters: error:0200100D:system library:fopen:Permission denied: error:2006D002:BIO routines:BIO_new_file:system lib
Nov 12 09:20:50 thunder openvpn[26996]: Exiting
Nov 12 09:20:50 thunder setroubleshoot: SELinux is preventing openvpn (openvpn_t) "write" to ./openvpn (openvpn_etc_t). For complete SELinux messages. run sealert -l 555df8ba-1e9b-4d50-bc98-0d73c53bd3cb
Nov 12 09:20:50 thunder setroubleshoot: SELinux is preventing access to files with the default label, default_t. For complete SELinux messages. run sealert -l d39b6198-9d4f-46ea-9be5-635a9f6df75c

It appears the problem MAY lie in the target context being labeled unconfined_u:object_r:default_t:s0 vice unconfined_u:system_r:openvpn_t:s0. I had relabeled before but will try again.
I cannot see the output from the commands; please attach the output.
Which commands? The log entries are generated when I attempt to start the openvpn service, which fails.
I need the output of sealert -l 555df8ba-1e9b-4d50-bc98-0d73c53bd3cb or a copy of your /var/log/audit/audit.log.

default_t usually means you have created a new non-standard / directory that does not have a label, so it gets labeled default_t. Confined domains are not allowed to access default_t files/directories. If you want to use a new / directory you need to set up the labeling correctly.
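The two pieces of advice in this thread (move the writable files out of /etc/openvpn, and give a hand-made directory a proper file context instead of leaving it default_t) come down to reading the AVC record and then labeling. The script below is an added example written for this page; it is not code from the bug report, from OpenVPN or from the Fedora policy package. audit_te merges raw AVC records into the allow rules a local policy module would need, so you can see what you would be granting before loading anything: `allow openvpn_t openvpn_etc_t:file { write }` would let the daemon rewrite its own config and key directory, which is exactly the access the denials are enforcing against. openvpn_relabel prints (DRY_RUN=1, the default) or runs (DRY_RUN=0) the labeling commands for the layout the maintainer recommends. The audit lines are constructed from the records quoted in the thread plus one default_t record of the kind the thread describes but does not quote; the type names openvpn_var_lib_t, openvpn_var_run_t and openvpn_var_log_t are assumed, not confirmed by the thread, so check them against your installed policy first.

```bash
#!/bin/sh
# Added example for this bug thread; not code from the report, OpenVPN or
# the Fedora policy package. Assumed type names are marked below.

# audit_te: merge AVC denials on stdin into one "allow <src> <tgt>:<class>"
# line per (source type, target type, class). Input is the audit.log
# format, i.e. the "Raw Audit Messages" block of a sealert report.
# Permissions are deduplicated; non-AVC records (SYSCALL, ...) are ignored.
audit_te() {
    awk '
    /type=AVC/ && /avc: *denied/ {
        perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{")         { inperm = 1; continue }
            if ($i == "}")         { inperm = 0; continue }
            if (inperm)            { perms = perms " " $i; continue }
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); st = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tt = t[3] }
            if ($i ~ /^tclass=/)   { tc = substr($i, 8) }
        }
        key = st " " tt ":" tc
        if (!(key in plist)) { plist[key] = ""; keys[++nkeys] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (p[j] != "" && !((key, p[j]) in seen)) {
                seen[key, p[j]] = 1; plist[key] = plist[key] " " p[j]
            }
    }
    END { for (k = 1; k <= nkeys; k++) printf "allow %s {%s };\n", keys[k], plist[keys[k]] }'
}

# Constructed sample: the ipp.txt and /etc/openvpn directory records quoted
# in the thread, a SYSCALL record that must be skipped, and a default_t
# record of the kind the thread describes (its raw record is not quoted).
SAMPLE_AUDIT='type=AVC msg=audit(1225422663.119:2170): avc: denied { write } for pid=29753 comm="openvpn" name="ipp.txt" dev=dm-4 ino=565082 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1225422663.119:2170): arch=40000003 syscall=5 success=no exit=-13 comm="openvpn" exe="/usr/sbin/openvpn"
type=AVC msg=audit(1226499650.409:462): avc: denied { write } for pid=26996 comm="openvpn" name="openvpn" dev=dm-4 ino=269281 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=dir
type=AVC msg=audit(1226499650.409:463): avc: denied { search read } for pid=26996 comm="openvpn" name="keys" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir'

sample_te() { printf '%s\n' "$SAMPLE_AUDIT" | audit_te; }

# run: print the command (DRY_RUN=1, default) or execute it (DRY_RUN=0).
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# openvpn_relabel: label the writable locations the thread recommends.
#   /var/lib/openvpn  openvpn_var_lib_t  ifconfig-pool-persist /var/lib/openvpn/ipp.txt
#   /var/run/openvpn  openvpn_var_run_t  pid file and sockets
#   /var/log/openvpn  openvpn_var_log_t  status /var/log/openvpn/openvpn-status.log
# /etc/openvpn keeps openvpn_etc_t: keys and config are read there, never
# written. The type names are ASSUMED; verify with `seinfo -t <type>` or
# `semanage fcontext -l | grep openvpn`. If the policy already ships a
# rule for a path, semanage reports it as already defined and restorecon
# alone is enough.
openvpn_relabel() {
    for spec in \
        "/var/lib/openvpn openvpn_var_lib_t" \
        "/var/run/openvpn openvpn_var_run_t" \
        "/var/log/openvpn openvpn_var_log_t"
    do
        set -- $spec
        # A directory created by hand gets default_t unless a file context
        # rule covers it: record the rule, then apply it to what is on disk.
        run semanage fcontext -a -t "$2" "$1(/.*)?"
        run restorecon -Rv "$1"
    done
    # Check: what policy expects for each path, and that nothing under
    # /etc/openvpn carries a label other than openvpn_etc_t.
    run matchpathcon /var/lib/openvpn /var/run/openvpn /var/log/openvpn
    run ls -RZ /etc/openvpn
}

if [ "${1:-}" = "--demo" ]; then
    sample_te
    openvpn_relabel
fi
```

Run it as `sh avc-openvpn.sh --demo` to print the merged allow rules for the sample and the dry-run relabel plan; feed real records with `grep AVC /var/log/audit/audit.log | audit_te` after sourcing the file. Reading the generated rules first is the point: the thread's denials all reduce to openvpn_t writing into openvpn_etc_t, and the right answer to that is the relabel plan, not a module that grants it.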
DUH! Yeah, I'm not awake yet. Here ya go.

Summary:

SELinux is preventing openvpn (openvpn_t) "write" to ./openvpn (openvpn_etc_t).

Detailed Description:

SELinux denied access requested by openvpn. It is not expected that this access is required by openvpn and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./openvpn,
restorecon -v './openvpn'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:openvpn_etc_t:s0
Target Objects                ./openvpn [ dir ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          thunder.christensenplace.us
Source RPM Packages           openvpn-2.1-0.26.rc8.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-103.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     thunder.christensenplace.us
Platform                      Linux thunder.christensenplace.us 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 athlon
Alert Count                   1
First Seen                    Wed Nov 12 09:20:50 2008
Last Seen                     Wed Nov 12 09:20:50 2008
Local ID                      555df8ba-1e9b-4d50-bc98-0d73c53bd3cb
Line Numbers

Raw Audit Messages

host=thunder.christensenplace.us type=AVC msg=audit(1226499650.409:462): avc: denied { write } for pid=26996 comm="openvpn" name="openvpn" dev=dm-4 ino=269281 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=dir

host=thunder.christensenplace.us type=SYSCALL msg=audit(1226499650.409:462): arch=40000003 syscall=5 success=no exit=-13 a0=9eedd74 a1=42 a2=180 a3=9eedd01 items=0 ppid=26988 pid=26996 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=55 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
Fixed in selinux-policy-3.3.1-109.fc9
Okay, I just upgraded to F10 x64 and it seems fixed for ipp.txt. I'm still having the same problem with openvpn-status.log, which OpenVPN creates in /etc/openvpn/. I did try the "restorecon" as recommended in the alert below.

Summary:

SELinux is preventing openvpn (openvpn_t) "write" to ./openvpn-status.log (openvpn_etc_t).

Detailed Description:

SELinux denied access requested by openvpn. It is not expected that this access is required by openvpn and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./openvpn-status.log,
restorecon -v './openvpn-status.log'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                unconfined_u:object_r:openvpn_etc_t:s0
Target Objects                ./openvpn-status.log [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          thunder
Source RPM Packages           openvpn-2.1-0.28.rc9.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     thunder
Platform                      Linux thunder 2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64
Alert Count                   10
First Seen                    Sat Dec 6 22:14:12 2008
Last Seen                     Sun Dec 7 09:58:04 2008
Local ID                      51ebcfa1-c31a-4638-bb46-c98e569efb02
Line Numbers

Raw Audit Messages

node=thunder type=AVC msg=audit(1228661884.705:460): avc: denied { write } for pid=7424 comm="openvpn" name="openvpn-status.log" dev=sda3 ino=33214 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file

node=thunder type=SYSCALL msg=audit(1228661884.705:460): arch=c000003e syscall=2 success=no exit=-13 a0=2094248 a1=241 a2=180 a3=30a296da70 items=0 ppid=7415 pid=7424 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=29 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)