Bug 566779 - Attempting to configure openvpn on the server side results in numerous selinux issues when attempting to use the "up" config file option.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-02-19 17:20 UTC by donavan nelson
Modified: 2010-02-22 19:16 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-22 19:16:11 UTC
Target Upstream Version:
Embargoed:



Description donavan nelson 2010-02-19 17:20:38 UTC
Description of problem:

Attempting to configure openvpn on the server side results in numerous selinux issues when attempting to use the "up" config file option.

Version-Release number of selected component (if applicable):

openvpn-2.1.1-2.el5.x86_64

How reproducible:

always

Steps to Reproduce:
1.  install openvpn
2.  configure server and client establishing a working VPN
3.  push some routes from the server to the client (i.e., push "route 192.168.56.0 255.255.255.0")
4.  build an "up" script
(very basic example)
#!/bin/sh
# enable IPv4 forwarding, then NAT the VPN clients' traffic out through eth0
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -F --table nat
/sbin/iptables --table nat --insert POSTROUTING 1 --out-interface eth0 -j MASQUERADE
5.  configure openvpn to run the "up" script

$ tail -1 openvpn.conf
up /etc/openvpn/server.up

6.  Start or restart openvpn (service openvpn start)
  
Actual results:

$ service openvpn start
Starting openvpn: /etc/openvpn/server.up: line 1: /proc/sys/net/ipv4/ip_forward: Permission denied
/etc/openvpn/server.up: line 2: /sbin/iptables: Permission denied
/etc/openvpn/server.up: line 3: /sbin/iptables: Permission denied
                                                           [FAILED]

Expected results:

openvpn to work like it does without selinux enabled

Additional info:
===========================
additional selinux violations are likely to occur after these are resolved (based on previous openvpn bugzilla selinux policy tickets)
===========================
$ audit2why < bugzilla.log
type=AVC msg=audit(1266599646.632:132): avc:  denied  { write } for  pid=1849 comm="sh" name="ip_forward" dev=proc ino=4026531982 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.632:133): avc:  denied  { write } for  pid=1849 comm="sh" name="ip_forward" dev=proc ino=4026531982 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.632:134): avc:  denied  { execute } for  pid=1850 comm="sh" name="iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.632:135): avc:  denied  { getattr } for  pid=1850 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.632:136): avc:  denied  { getattr } for  pid=1850 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.640:137): avc:  denied  { execute } for  pid=1851 comm="sh" name="iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.640:138): avc:  denied  { getattr } for  pid=1851 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.640:139): avc:  denied  { getattr } for  pid=1851 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

===========================
$ audit2allow < bugzilla.log


#============= openvpn_t ==============
allow openvpn_t iptables_exec_t:file { execute getattr };
allow openvpn_t sysctl_net_t:file write;

===========================
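The two allow rules above are what audit2allow derives by collapsing the repeated AVC records into one rule per (source type, target type, class). The following script is an added illustration of that derivation and is not part of the bug report or of the audit2allow tool; it parses the AVC lines quoted above (copied in as constructed sample input), de-duplicates them into the same allow rules, and then renders a policy module in the shape Comment 1 recommends, using a small hand-written hint table that maps the two (target type, class) pairs on this page to the interfaces named in that comment (iptables_domtrans, kernel_rw_net_sysctls). The hint table is an assumption specific to this report, not something an AVC record encodes.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this bug report, exactly
# as the reporter fed them to audit2why/audit2allow. Two of the iptables records
# are duplicates, so the grouping below has real work to do.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1266599646.632:132): avc:  denied  { write } for  pid=1849 comm="sh" name="ip_forward" dev=proc ino=4026531982 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1266599646.632:133): avc:  denied  { write } for  pid=1849 comm="sh" name="ip_forward" dev=proc ino=4026531982 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1266599646.632:134): avc:  denied  { execute } for  pid=1850 comm="sh" name="iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1266599646.632:135): avc:  denied  { getattr } for  pid=1850 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1266599646.632:136): avc:  denied  { getattr } for  pid=1850 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
"""

# The fields an allow rule needs from an AVC record: the denied permissions,
# the source and target security contexts, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

# Assumption: hint table taken from Comment 1 of this report. It maps a
# (target type, class) pair to the reference-policy interface that grants the
# access properly (with a domain transition for iptables) instead of a raw
# allow rule. Anything not listed here falls back to the raw rule.
INTERFACE_HINTS = {
    ("iptables_exec_t", "file"): "iptables_domtrans",
    ("sysctl_net_t", "file"): "kernel_rw_net_sysctls",
}


def type_of(context):
    """Return the type field (user:role:type:level -> type) of an SELinux context."""
    return context.split(":")[2]


def group_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions.

    Lines that are not AVC records (audit2why commentary, blank lines) are skipped.
    """
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"))
        grouped[key].update(m.group("perms").split())
    return dict(grouped)


def format_perms(perms):
    """Render a permission set the way audit2allow prints it."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def allow_rules(grouped):
    """Raw allow rules, one per (source, target, class), in deterministic order."""
    return [
        f"allow {src} {tgt}:{cls} {format_perms(perms)};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


def policy_module_te(name, grouped):
    """Render a .te module shaped like Comment 1: an interface call where a hint
    exists, a raw allow rule otherwise, and gen_require entries for every type
    the emitted statements reference."""
    required, statements = set(), []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        required.add(src)
        iface = INTERFACE_HINTS.get((tgt, cls))
        if iface:
            statements.append(f"{iface}({src})")
        else:
            required.add(tgt)
            statements.append(f"allow {src} {tgt}:{cls} {format_perms(perms)};")
    body = [f"policy_module({name}, 1.0)", "", "gen_require(`"]
    body += [f"\ttype {t};" for t in sorted(required)]
    body += ["')", ""] + statements
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    groups = group_denials(SAMPLE_AVC_LOG)
    print("\n".join(allow_rules(groups)))   # the audit2allow form
    print()
    print(policy_module_te("myopenvpn", groups))   # the Comment 1 form
```

The difference between the two outputs is the security-relevant point: the raw rule `allow openvpn_t iptables_exec_t:file { execute getattr };` would let the "up" script run /sbin/iptables without leaving the openvpn_t domain, whereas `iptables_domtrans(openvpn_t)` makes the execution transition into the iptables domain, which is why Comment 1 uses the interface rather than the rule that `audit2allow -M` would have generated verbatim.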

Comment 1 Daniel Walsh 2010-02-22 19:16:11 UTC
I think the best we can do here is allow you to load custom policy rules.  This is local customization and not something we want to enable for everyone.


# cat > myopenvpn.te << _EOF
policy_module(myopenvpn, 1.0)

gen_require(`
	type openvpn_t;
')

# let openvpn_t execute iptables with a transition into the iptables domain
iptables_domtrans(openvpn_t)
# let openvpn_t read and write the net.* sysctls (e.g. /proc/sys/net/ipv4/ip_forward)
kernel_rw_net_sysctls(openvpn_t)

_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myopenvpn.pp

