Bug 558402 - SELinux is preventing /usr/sbin/openvpn "[open|lock|read]" access on /var/run/utmp
Summary: SELinux is preventing /usr/sbin/openvpn "[open|lock|read]" access on /var/run...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 13
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-01-25 08:45 UTC by Anthony Messina
Modified: 2010-07-06 17:09 UTC (History)
0 users

Fixed In Version: selinux-policy-3.7.19-33.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-07-06 17:09:07 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Anthony Messina 2010-01-25 08:45:42 UTC 
Using OpenVPN and the password module, I get the following SELinux denials for open, lock and read on /var/run/utmp:

node=chicago.messinet.com type=AVC msg=audit(1264407767.959:2260): avc:  denied  { read } for  pid=1285 comm="openvpn" name="utmp" dev=sdd3 ino=3529447 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

node=chicago.messinet.com type=AVC msg=audit(1264407767.959:2260): avc:  denied  { open } for  pid=1285 comm="openvpn" name="utmp" dev=sdd3 ino=3529447 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1264407767.959:2260): arch=c000003e syscall=2 success=yes exit=5 a0=328e53d6dc a1=80000 a2=328e53d6dc a3=fffffffffffffa2b items=0 ppid=1 pid=1285 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)



node=chicago.messinet.com type=AVC msg=audit(1264407767.959:2261): avc:  denied  { lock } for  pid=1285 comm="openvpn" path="/var/run/utmp" dev=sdd3 ino=3529447 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1264407767.959:2261): arch=c000003e syscall=72 success=yes exit=0 a0=5 a1=7 a2=7fff8e5184d0 a3=8 items=0 ppid=1 pid=1285 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
Comment 1 Daniel Walsh 2010-01-25 19:38:08 UTC 
Miroslav add

init_read_utmp(openvpn_t)
init_dontaudit_write_utmp(openvpn_t)
Comment 2 Miroslav Grepl 2010-01-26 13:20:34 UTC 
Fixed in selinux-policy-3.6.32-78.fc12
Comment 3 Fedora Update System 2010-01-28 09:24:41 UTC 
selinux-policy-3.6.32-78.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-78.fc12
Comment 4 Fedora Update System 2010-01-29 03:29:52 UTC 
selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1207
Comment 5 Fedora Update System 2010-02-02 01:21:58 UTC 
selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Anthony Messina 2010-06-23 20:47:27 UTC 
Reopening.  This issue has crep up again in fc13:

selinux-policy-targeted-3.7.19-23.fc13.noarch

node=chicago.messinet.com type=AVC msg=audit(1277324855.50:3714): avc:  denied  { read } for  pid=1320 comm="openvpn" name="utmp" dev=sdd3 ino=3529447 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

node=chicago.messinet.com type=AVC msg=audit(1277324855.50:3714): avc:  denied  { open } for  pid=1320 comm="openvpn" name="utmp" dev=sdd3 ino=3529447 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1277324855.50:3714): arch=c000003e syscall=2 success=yes exit=5 a0=3e9eb42fa6 a1=80000 a2=3e9eb42fa6 a3=fffffffffffffc6b items=0 ppid=1 pid=1320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)


node=chicago.messinet.com type=AVC msg=audit(1277324855.50:3715): avc:  denied  { lock } for  pid=1320 comm="openvpn" path="/var/run/utmp" dev=sdd3 ino=3529447 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1277324855.50:3715): arch=c000003e syscall=72 success=yes exit=0 a0=5 a1=7 a2=7fffa135a4c0 a3=8 items=0 ppid=1 pid=1320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
Comment 7 Miroslav Grepl 2010-06-28 14:13:16 UTC 
Fixed in selinux-policy-3.7.19-32.fc13
Comment 8 Fedora Update System 2010-06-30 19:54:49 UTC 
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
Comment 9 Fedora Update System 2010-07-01 18:48:44 UTC 
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
Comment 10 Fedora Update System 2010-07-06 17:07:06 UTC 
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.