Bug 478646 - OpenVPN fails to start due to SELinux denying access to liblzo2.so.2 via symlink
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Version: 10
Hardware: i386 Linux
Priority: low  Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2009-01-02 14:06 EST by Thomas Ellis
Modified: 2009-01-04 12:47 EST (History)
Last Closed: 2009-01-04 12:47:01 EST
Description Thomas Ellis 2009-01-02 14:06:07 EST
Description of problem:
OpenVPN fails to start on Fedora 10 as it cannot access the library liblzo2.so.2, part of lzo-2.03-1.fc10.i386.

type=AVC msg=audit(1230918614.546:2951): avc:  denied  { read } for  pid=15127 comm="openvpn" name="liblzo2.so.2" dev=dm-3 ino=514620 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file

The library is actually a symlink to the real library and I believe this is why the default targeted policy is denying access to the library.

[root@viper ~]# rpm -qf /usr/lib/liblzo2.so.2
lzo-2.03-1.fc10.i386

[root@viper ~]# ls -la /usr/lib/liblzo2.so.2
lrwxrwxrwx 1 root root 16 2008-12-07 22:47 /usr/lib/liblzo2.so.2 -> liblzo2.so.2.0.0

I believe OpenVPN uses this library for link compression capabilities.

My /etc/openvpn/client.conf (and server side also) have:
comp-lzo

Version-Release number of selected component (if applicable):

[root@viper ~]# cat /etc/sysconfig/selinux | grep SELINUXTYPE
# SELINUXTYPE= type of policy in use. Possible values are:
SELINUXTYPE=targeted

[root@viper ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.5.13-34.fc10.noarch

[root@viper ~]# rpm -q openvpn
openvpn-2.1-0.29.rc15.fc10.i386

[root@viper ~]# uname -a
Linux viper 2.6.27.9-159.fc10.i686 #1 SMP Tue Dec 16 15:12:04 EST 2008 i686 i686 i386 GNU/Linux


How reproducible:
Every time you start OpenVPN.

Steps to Reproduce:
1. Install and update f10 with SELinux in enforcing mode with a targeted policy
2. Install and configure OpenVPN
3. 'service openvpn start' and observe the auditd and setroubleshootd messages
  
Actual results:
The SELinux policy denies openvpn access to the library through the symlink:

type=AVC msg=audit(1230918614.546:2951): avc:  denied  { read } for  pid=15127 comm="openvpn" name="liblzo2.so.2" dev=dm-3 ino=514620 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file

Expected results:
The default targeted SELinux policy should allow OpenVPN access to the libraries it requires and OpenVPN should start successfully.

Additional Info:

I worked around the issue by creating a local policy addition:
--
module local 1.0;

require {
        # every type and class named in the rules below must be declared here,
        # otherwise checkmodule rejects the module as out of scope
        type openvpn_t;
        type usr_t;
        class lnk_file read;
}

#============= openvpn_t ==============
# let the openvpn domain follow symlinks labeled usr_t (the mislabeled liblzo2.so.2 link)
allow openvpn_t usr_t:lnk_file read;
--

If you need any more info let me know, always happy to help.
Comment 1 Daniel Walsh 2009-01-04 12:47:01 EST
This looks like it might be a labeling problem.

restorecon -R -v /usr/lib

This link should be labeled lib_t not usr_t.
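
The distinction the two posts draw, a labeling problem versus a missing allow rule, can be checked mechanically. The following is an added example, not code from this report or from the selinux-policy project: it parses an AVC record of the shape quoted above and, given the type the file-context rules expect for the path, reports either a restorecon fix or the allow rule that an audit2allow-style workaround would need. The EXPECTED_TYPES table is an assumed stand-in for `matchpathcon`/file_contexts, and the AVC line is constructed after the one in the report.

```python
import re

# Constructed AVC record in the shape of the one quoted in this bug (wrapped line rejoined).
AVC_LINE = (
    'type=AVC msg=audit(1230918614.546:2951): avc:  denied  { read } for  pid=15127 '
    'comm="openvpn" name="liblzo2.so.2" dev=dm-3 ino=514620 '
    'scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file'
)

# Assumed stand-in for `matchpathcon <path>`: the type the file-context rules expect.
EXPECTED_TYPES = {
    "/usr/lib/liblzo2.so.2": "lib_t",     # shared-library symlink under /usr/lib
    "/usr/share/doc/README": "usr_t",     # ordinary /usr content is usr_t by design
}


def parse_avc(line):
    """Return the key=value fields of an AVC record plus the denied permission list."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = re.search(r"\{\s*([^}]*?)\s*\}", line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


def selinux_type(context):
    """Third field of user:role:type:level is the type."""
    return context.split(":")[2]


def classify(avc, path):
    """Decide whether a denial stems from a wrong label or from a genuine policy gap.

    `path` must be supplied by the caller: the raw AVC carries only name=, not the
    full path (ausearch/setroubleshoot resolve it).
    """
    source = selinux_type(avc["scontext"])
    actual = selinux_type(avc["tcontext"])
    expected = EXPECTED_TYPES.get(path)
    if expected and expected != actual:
        # File is labeled differently from what policy expects: relabel, do not add rules.
        return ("labeling", f"{path} is {actual} but should be {expected}; run: restorecon -v {path}")
    # Label is as expected, so the policy itself lacks the access; this is the rule a
    # local module would need (the same shape as the reporter's workaround).
    rule = f"allow {source} {actual}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};"
    return ("policy", rule)
```

Running `classify(parse_avc(AVC_LINE), "/usr/lib/liblzo2.so.2")` yields the labeling verdict that comment 1 gives; pointing it at a path that is legitimately usr_t yields the allow rule instead.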
