Description of problem:
OpenVPN fails to start on Fedora 10 as it cannot access the library liblzo2.so.2, part of lzo-2.03-1.fc10.i386.

type=AVC msg=audit(1230918614.546:2951): avc: denied { read } for pid=15127 comm="openvpn" name="liblzo2.so.2" dev=dm-3 ino=514620 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file

The library is actually a symlink to the real library and I believe this is why the default targeted policy is denying access to the library.

[root@viper ~]# rpm -qf /usr/lib/liblzo2.so.2
lzo-2.03-1.fc10.i386
[root@viper ~]# ls -la /usr/lib/liblzo2.so.2
lrwxrwxrwx 1 root root 16 2008-12-07 22:47 /usr/lib/liblzo2.so.2 -> liblzo2.so.2.0.0

I believe OpenVPN uses this library for link compression capabilities. My /etc/openvpn/client.conf (and server side also) have:

comp-lzo

Version-Release number of selected component (if applicable):
[root@viper ~]# cat /etc/sysconfig/selinux | grep SELINUXTYPE
# SELINUXTYPE= type of policy in use. Possible values are:
SELINUXTYPE=targeted
[root@viper ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.5.13-34.fc10.noarch
[root@viper ~]# rpm -q openvpn
openvpn-2.1-0.29.rc15.fc10.i386
[root@viper ~]# uname -a
Linux viper 2.6.27.9-159.fc10.i686 #1 SMP Tue Dec 16 15:12:04 EST 2008 i686 i686 i386 GNU/Linux

How reproducible:
Every time you start OpenVPN.

Steps to Reproduce:
1. Install and update f10 with SELinux in enforcing mode with a targeted policy
2. Install and configure OpenVPN
3. 'service openvpn start' and observe the auditd and setroubleshootd messages

Actual results:
The SELinux policy denies openvpn access to the library through the symlink:

type=AVC msg=audit(1230918614.546:2951): avc: denied { read } for pid=15127 comm="openvpn" name="liblzo2.so.2" dev=dm-3 ino=514620 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file

Expected results:
The default targeted SELinux policy should allow OpenVPN access to the libraries it requires and OpenVPN should start successfully.

Additional Info:
I worked around the issue by creating a local policy addition:
--
module local 1.0;

require {
        type openvpn_t;
        type usr_t;
        class lnk_file read;
}

#============= openvpn_t ==============
allow openvpn_t usr_t:lnk_file read;
--
(The require block must declare usr_t as well as openvpn_t, otherwise checkmodule rejects the allow rule.)

If you need any more info let me know, always happy to help.
This looks like it might be a labeling problem.

restorecon -R -v /usr/lib

This link should be labeled lib_t not usr_t.
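The two responses on this report illustrate the triage decision behind every AVC denial: the reporter's workaround grants openvpn_t read on every usr_t symlink on the system, whereas the comment above points out that the symlink is simply mislabeled and restorecon fixes the root cause without widening policy. The following is an added example, not part of the bug report or of the Fedora policy tooling, that parses an AVC record such as the one quoted above and makes that decision: if the target lives under a library directory but carries a type other than lib_t it reports a labeling problem with the restorecon command to run; otherwise it renders the minimal policy module in the style of audit2allow, with both types declared in the require block. The function names, the LIB_DIRS list and the EXPECTED_LIB_TYPES set are assumptions made for this example (lib_t is the type named in the comment; textrel_shlib_t is included as the other common library type), and because an AVC record carries only the basename (name=...) the full path is supplied by the caller, as the reporter obtained it with rpm -qf and ls.

```python
import os
import re
from typing import Any, Dict, Optional

# Constructed sample input: the AVC record quoted in the report above.
SAMPLE_AVC = (
    "type=AVC msg=audit(1230918614.546:2951): avc: denied { read } for pid=15127 "
    'comm="openvpn" name="liblzo2.so.2" dev=dm-3 ino=514620 '
    "scontext=unconfined_u:system_r:openvpn_t:s0 "
    "tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file"
)

# Assumed for this example: directories holding shared libraries, and the
# types the targeted policy normally assigns to files found there.
LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
EXPECTED_LIB_TYPES = {"lib_t", "textrel_shlib_t"}

_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+(.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Dict[str, Any]:
    """Split one AVC record into its decision, permission list and key=value fields."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    record: Dict[str, Any] = {"decision": m.group(1), "perms": m.group(2).split()}
    for key, value in _KV_RE.findall(m.group(3)):
        record[key] = value.strip('"')
    return record


def context_type(ctx: str) -> str:
    """Return the type component of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def make_te_module(record: Dict[str, Any], name: str = "local") -> str:
    """Render the minimal module that would allow this denial (audit2allow style).

    Both the source and the target type are declared in the require block;
    a module that omits the target type does not compile.
    """
    src = context_type(record["scontext"])
    tgt = context_type(record["tcontext"])
    perms = record["perms"]
    perm_clause = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return (
        f"module {name} 1.0;\n\n"
        "require {\n"
        f"\ttype {src};\n"
        f"\ttype {tgt};\n"
        f"\tclass {record['tclass']} {perm_clause};\n"
        "}\n\n"
        f"#============= {src} ==============\n"
        f"allow {src} {tgt}:{record['tclass']} {perm_clause};\n"
    )


def triage(record: Dict[str, Any], path: Optional[str] = None) -> Dict[str, str]:
    """Decide whether a denial is a labeling problem or a genuine policy gap.

    `path` is the full path of the denied object, supplied by the caller
    because the AVC record itself carries only the basename.
    """
    tgt = context_type(record["tcontext"])
    in_lib_dir = path is not None and any(path.startswith(d + "/") for d in LIB_DIRS)
    if in_lib_dir and tgt not in EXPECTED_LIB_TYPES:
        # A usr_t object under /usr/lib is mislabeled: restore the label
        # instead of granting the source domain access to the wrong type.
        return {
            "action": "relabel",
            "reason": f"{path} carries {tgt}; a library there should be one of "
                      + ", ".join(sorted(EXPECTED_LIB_TYPES)),
            "command": f"restorecon -R -v {os.path.dirname(path)}",
        }
    return {
        "action": "policy",
        "reason": f"{context_type(record['scontext'])} lacks "
                  f"{' '.join(record['perms'])} on {tgt}:{record['tclass']}",
        "module": make_te_module(record),
    }


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    # With the path known, the report's denial is classified as a labeling problem.
    print(triage(rec, "/usr/lib/liblzo2.so.2"))
    # Without the path, the only option left is the (over-broad) policy module.
    print(triage(rec)["module"])
```

Run against the report's record with the path /usr/lib/liblzo2.so.2, triage returns "relabel" with `restorecon -R -v /usr/lib`, matching the comment above; the same record with a tcontext of lib_t on that path would instead be a real policy gap and yield the module text.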