Bug 478646 - OpenVPN fails to start due to SELinux denying access to liblzo2.so.2 via symlink
Summary: OpenVPN fails to start due to SELinux denying access to liblzo2.so.2 via symlink
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-01-02 19:06 UTC by Thomas Ellis
Modified: 2009-01-04 17:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-04 17:47:01 UTC
Type: ---
Embargoed:



Description Thomas Ellis 2009-01-02 19:06:07 UTC
Description of problem:
OpenVPN fails to start on Fedora 10 as it cannot access the library liblzo2.so.2, part of lzo-2.03-1.fc10.i386.

type=AVC msg=audit(1230918614.546:2951): avc:  denied  { read } for  pid=15127 comm="openvpn" name="liblzo2.so.2" dev=dm-3 ino=514620 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file

The library is actually a symlink to the real library and I believe this is why the default targeted policy is denying access to the library.

[root@viper ~]# rpm -qf /usr/lib/liblzo2.so.2
lzo-2.03-1.fc10.i386

[root@viper ~]# ls -la /usr/lib/liblzo2.so.2
lrwxrwxrwx 1 root root 16 2008-12-07 22:47 /usr/lib/liblzo2.so.2 -> liblzo2.so.2.0.0

I believe OpenVPN uses this library for link compression capabilities.

My /etc/openvpn/client.conf (and the server side also) has:
comp-lzo

Version-Release number of selected component (if applicable):

[root@viper ~]# cat /etc/sysconfig/selinux | grep SELINUXTYPE
# SELINUXTYPE= type of policy in use. Possible values are:
SELINUXTYPE=targeted

[root@viper ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.5.13-34.fc10.noarch

[root@viper ~]# rpm -q openvpn
openvpn-2.1-0.29.rc15.fc10.i386

[root@viper ~]# uname -a
Linux viper 2.6.27.9-159.fc10.i686 #1 SMP Tue Dec 16 15:12:04 EST 2008 i686 i686 i386 GNU/Linux


How reproducible:
Every time you start OpenVPN.

Steps to Reproduce:
1. Install and update f10 with SELinux in enforcing mode with a targeted policy
2. Install and configure OpenVPN
3. 'service openvpn start' and observe the auditd and setroubleshootd messages
  
Actual results:
The SELinux policy denies openvpn access to the library through the symlink:

type=AVC msg=audit(1230918614.546:2951): avc:  denied  { read } for  pid=15127 comm="openvpn" name="liblzo2.so.2" dev=dm-3 ino=514620 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file

Expected results:
The default targeted SELinux policy should allow OpenVPN access to the libraries it requires and OpenVPN should start successfully.

Additional Info:

I worked around the issue by creating a local policy addition:
--
module local 1.0;

require {
        type openvpn_t;
        # usr_t must also be declared here, or checkmodule rejects the
        # allow rule below with "type usr_t is not declared"
        type usr_t;
        class lnk_file read;
}

#============= openvpn_t ==============
# grants openvpn_t read on every usr_t symlink, not just this library
allow openvpn_t usr_t:lnk_file read;
--

If you need any more info let me know, always happy to help.

Comment 1 Daniel Walsh 2009-01-04 17:47:01 UTC
This looks like it might be a labeling problem.

restorecon -R -v /usr/lib

This link should be labeled lib_t, not usr_t.
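Added example (not part of the bug report, Comment 1, or the Fedora policy): a small Python triage script for exactly the decision Comment 1 makes. It parses the AVC record quoted above, looks up what file_contexts says `/usr/lib/liblzo2.so.2` should be labeled, and reports `restorecon` when the on-disk label disagrees, or the minimal allow rule only when the label is already correct. The file_contexts excerpt and the `TCLASS_TO_FTYPE` table are constructed for the example; the full path is supplied by hand because the audit record carries only the basename (`name="liblzo2.so.2"`).

```python
"""Triage an SELinux AVC denial: mislabeled object or genuine policy gap?

Added example, not code from the bug report or from the Fedora policy.
A label that differs from the file_contexts rule means `restorecon` is
the fix; widening policy (as the reporter's local module does) is only
warranted when the label is already what the policy expects.
"""
import re
from typing import Dict, Optional

# AVC record from the report, rejoined onto one line (the page wrapped it).
AVC_LINE = (
    'type=AVC msg=audit(1230918614.546:2951): avc:  denied  { read } for  '
    'pid=15127 comm="openvpn" name="liblzo2.so.2" dev=dm-3 ino=514620 '
    'scontext=unconfined_u:system_r:openvpn_t:s0 '
    'tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file'
)

# Constructed file_contexts excerpt in the libselinux format
# "<regex> [<type flag>] <context>". Patterns are illustrative, not copied
# from the Fedora 10 policy. As in libselinux, the LAST matching entry
# wins, so specific rules follow general ones.
FILE_CONTEXTS = r"""
# regex                                  flag  context
/usr(/.*)?                                     system_u:object_r:usr_t:s0
/usr/lib(64)?(/.*)?                            system_u:object_r:lib_t:s0
/usr/lib(64)?/[^/]*\.so(\.[^/]*)*         -l   system_u:object_r:lib_t:s0
"""

# tclass in the AVC record -> file-type letter used by file_contexts flags
TCLASS_TO_FTYPE = {"file": "-", "lnk_file": "l", "dir": "d", "chr_file": "c",
                   "blk_file": "b", "sock_file": "s", "fifo_file": "p"}


def parse_avc(line: str) -> Dict[str, object]:
    """Extract the fields a triage needs from one type=AVC audit record."""
    m = re.search(r"denied\s+\{\s*([^}]*?)\s*\}", line)
    if m is None:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    # A context is user:role:type:level; policy rules key on the type.
    stype = fields["scontext"].split(":", 3)[2]
    ttype = fields["tcontext"].split(":", 3)[2]
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),  # basename only; the full path is not recorded
        "stype": stype,
        "ttype": ttype,
        "tclass": fields["tclass"],
    }


def expected_context(path: str, ftype: Optional[str],
                     file_contexts_text: str) -> Optional[str]:
    """Return the context file_contexts assigns to `path`, or None if unmatched.

    `ftype` is the file-type letter ('-' regular, 'l' symlink, 'd' dir, ...);
    entries carrying a flag apply only to that type, as setfiles/restorecon do.
    """
    winner = None
    for raw in file_contexts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, ctx = parts
            flag_letter = flag[1]  # "-l" -> "l", "--" -> "-"
        else:
            regex, ctx = parts
            flag_letter = None
        if flag_letter is not None and ftype is not None and flag_letter != ftype:
            continue
        if re.fullmatch(regex, path):
            winner = ctx  # keep scanning: last match wins
    return winner


def triage(avc_line: str, path: str,
           file_contexts_text: str = FILE_CONTEXTS) -> Dict[str, str]:
    """Decide whether a denial is a labeling problem or a real policy gap."""
    avc = parse_avc(avc_line)
    ftype = TCLASS_TO_FTYPE.get(avc["tclass"])
    expected = expected_context(path, ftype, file_contexts_text)
    if expected is not None and expected.split(":", 3)[2] != avc["ttype"]:
        # Wrong label on disk: relabel instead of widening the policy.
        return {"verdict": "relabel", "expected": expected,
                "actual_type": avc["ttype"], "fix": f"restorecon -v {path}"}
    # Label already matches policy, so the policy itself lacks the access.
    perms = " ".join(avc["perms"])
    rule = f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {{ {perms} }};"
    return {"verdict": "policy", "expected": expected or "unknown",
            "actual_type": avc["ttype"], "fix": rule}


if __name__ == "__main__":
    result = triage(AVC_LINE, "/usr/lib/liblzo2.so.2")
    print(f"{result['verdict']}: expected {result['expected']}, "
          f"got type {result['actual_type']} -> {result['fix']}")
```

On the record from this bug the script reports `relabel` and suggests `restorecon -v /usr/lib/liblzo2.so.2`; had the symlink already carried `lib_t`, it would instead emit the one-line allow rule that a local module would need, which is the only situation in which the reporter's workaround is the right answer.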

