Description of problem:
Attempting to configure openvpn on the server side results in numerous selinux issues when attempting to use the "up" config file option.

Version-Release number of selected component (if applicable):
openvpn-2.1.1-2.el5.x86_64

How reproducible:
always

Steps to Reproduce:
1. install openvpn
2. configure server and client establishing a working VPN
3. push some routes from the server to the client (i.e., push "route 192.168.56.0 255.255.255.0")
4. build an "up" script (very basic example)

    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -F --table nat
    /sbin/iptables --table nat --insert POSTROUTING 1 --out-interface eth0 -j MASQUERADE

5. configure openvpn to run the "up" script

    $ tail -1 openvpn.conf
    up /etc/openvpn/server.up

6. Start or restart openvpn (service openvpn start)

Actual results:

    $ service openvpn start
    Starting openvpn: /etc/openvpn/server.up: line 1: /proc/sys/net/ipv4/ip_forward: Permission denied
    /etc/openvpn/server.up: line 2: /sbin/iptables: Permission denied
    /etc/openvpn/server.up: line 3: /sbin/iptables: Permission denied
    [FAILED]

Expected results:
openvpn to work like it does without selinux enabled

Additional info:
===========================
additional selinux violations are likely to occur after these are resolved (based on previous openvpn bugzilla selinux policy tickets)
===========================

$ audit2why < bugzilla.log
type=AVC msg=audit(1266599646.632:132): avc: denied { write } for pid=1849 comm="sh" name="ip_forward" dev=proc ino=4026531982 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
    Was caused by:
        Missing or disabled TE allow rule.
        Allow rules may exist but be disabled by boolean settings; check boolean settings.
        You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.632:133): avc: denied { write } for pid=1849 comm="sh" name="ip_forward" dev=proc ino=4026531982 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
    Was caused by:
        Missing or disabled TE allow rule.
        Allow rules may exist but be disabled by boolean settings; check boolean settings.
        You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.632:134): avc: denied { execute } for pid=1850 comm="sh" name="iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
    Was caused by:
        Missing or disabled TE allow rule.
        Allow rules may exist but be disabled by boolean settings; check boolean settings.
        You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.632:135): avc: denied { getattr } for pid=1850 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
    Was caused by:
        Missing or disabled TE allow rule.
        Allow rules may exist but be disabled by boolean settings; check boolean settings.
        You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.632:136): avc: denied { getattr } for pid=1850 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
    Was caused by:
        Missing or disabled TE allow rule.
        Allow rules may exist but be disabled by boolean settings; check boolean settings.
        You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.640:137): avc: denied { execute } for pid=1851 comm="sh" name="iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
    Was caused by:
        Missing or disabled TE allow rule.
        Allow rules may exist but be disabled by boolean settings; check boolean settings.
        You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.640:138): avc: denied { getattr } for pid=1851 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
    Was caused by:
        Missing or disabled TE allow rule.
        Allow rules may exist but be disabled by boolean settings; check boolean settings.
        You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.640:139): avc: denied { getattr } for pid=1851 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
    Was caused by:
        Missing or disabled TE allow rule.
        Allow rules may exist but be disabled by boolean settings; check boolean settings.
        You can see the necessary allow rules by running audit2allow with this audit message as input.

===========================
$ audit2allow < bugzilla.log

#============= openvpn_t ==============
allow openvpn_t iptables_exec_t:file { execute getattr };
allow openvpn_t sysctl_net_t:file write;
===========================
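The audit2allow step in the report can be reproduced by hand, which is useful when triaging a denial log on a host where the tool is not installed. The following is an added example, not part of the bug report or of the selinux-policy or openvpn packages: it parses AVC records, takes the type field out of each scontext/tcontext label, groups the denied permissions by (source type, target type, object class) and renders the same allow statements the report shows. The sample log is constructed from the records quoted in the report (repeats with different audit serial numbers are dropped, and one non-AVC record is included to show it is ignored).

```python
"""Summarise SELinux AVC denials into candidate allow rules (added example)."""
import re
from collections import defaultdict

# Constructed sample, built from the AVC records quoted in the bug report.
SAMPLE_LOG = """\
type=AVC msg=audit(1266599646.632:132): avc: denied { write } for pid=1849 comm="sh" name="ip_forward" dev=proc ino=4026531982 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1266599646.632:134): avc: denied { execute } for pid=1850 comm="sh" name="iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1266599646.632:135): avc: denied { getattr } for pid=1850 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1266599646.640:137): avc: denied { execute } for pid=1851 comm="sh" name="iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1266599646.632:132): arch=c000003e syscall=2 success=no exit=-13
"""

# One AVC record: verdict, permission set in braces, then the three labels.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type (third component) of a user:role:type[:range] label."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one audit line; None for non-AVC records and for granted events."""
    m = AVC_RE.search(line)
    if m is None or m.group("verdict") != "denied":
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_rules(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return rules


def format_rules(rules):
    """Render the grouped denials as policy 'allow' statements, sorted."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return out


if __name__ == "__main__":
    for rule in format_rules(collect_rules(SAMPLE_LOG)):
        print(rule)
```

Run against the constructed log this prints the two allow lines from the report. Treat such output as a diagnosis, not a fix: a raw `allow openvpn_t iptables_exec_t:file { execute getattr }` lets the openvpn domain run iptables without leaving the openvpn_t domain, which is why the maintainer's reply uses the `iptables_domtrans` and `kernel_rw_net_sysctls` interfaces in a local module instead of pasting these statements verbatim.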
I think the best we can do here is allow you to load custom policy rules. This is local customization and not something we want to enable for everyone.

    # cat > myopenvpn.te << _EOF
    policy_module(myopenvpn, 1.0)
    gen_require(`
        type openvpn_t;
    ')
    iptables_domtrans(openvpn_t)
    kernel_rw_net_sysctls(openvpn_t)
    _EOF
    # make -f /usr/share/selinux/devel/Makefile
    # semodule -i myopenvpn.pp