Bug 566779 - Attempting to configure openvpn on the server side results in numerous selinux issues when attempting to use the "up" config file option.
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: BaseOS QE Security Team
Reported: 2010-02-19 12:20 EST by donavan nelson
Modified: 2010-02-22 14:16 EST (History)
Last Closed: 2010-02-22 14:16:11 EST
Description donavan nelson 2010-02-19 12:20:38 EST
Description of problem:

Attempting to configure openvpn on the server side results in numerous selinux issues when attempting to use the "up" config file option.

Version-Release number of selected component (if applicable):

openvpn-2.1.1-2.el5.x86_64

How reproducible:

always

Steps to Reproduce:
1.  install openvpn
2.  configure server and client establishing a working VPN
3.  push some routes from the server to the client (i.e., push "route 192.168.56.0 255.255.255.0")
4.  build an "up" script
(very basic example)
#!/bin/sh
# turn on IPv4 forwarding so client traffic can be routed out through the server
echo "1" > /proc/sys/net/ipv4/ip_forward
# flush the nat table, then masquerade everything leaving eth0
/sbin/iptables -F --table nat
/sbin/iptables --table nat --insert POSTROUTING 1 --out-interface eth0 -j MASQUERADE
5.  configure openvpn to run the "up" script

$ tail -1 openvpn.conf
up /etc/openvpn/server.up

6.  Start or restart openvpn (service openvpn start)
  
Actual results:

$ service openvpn start
Starting openvpn: /etc/openvpn/server.up: line 1: /proc/sys/net/ipv4/ip_forward: Permission denied
/etc/openvpn/server.up: line 2: /sbin/iptables: Permission denied
/etc/openvpn/server.up: line 3: /sbin/iptables: Permission denied
                                                           [FAILED]

Expected results:

openvpn to work like it does without selinux enabled

Additional info:
===========================
additional selinux violations are likely to occur after these are resolved (based on previous openvpn bugzilla selinux policy tickets)
===========================
$ audit2why < bugzilla.log
type=AVC msg=audit(1266599646.632:132): avc:  denied  { write } for  pid=1849 comm="sh" name="ip_forward" dev=proc ino=4026531982 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.632:133): avc:  denied  { write } for  pid=1849 comm="sh" name="ip_forward" dev=proc ino=4026531982 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.632:134): avc:  denied  { execute } for  pid=1850 comm="sh" name="iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.632:135): avc:  denied  { getattr } for  pid=1850 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.632:136): avc:  denied  { getattr } for  pid=1850 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.640:137): avc:  denied  { execute } for  pid=1851 comm="sh" name="iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.640:138): avc:  denied  { getattr } for  pid=1851 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1266599646.640:139): avc:  denied  { getattr } for  pid=1851 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

===========================
$ audit2allow < bugzilla.log

#============= openvpn_t ==============
allow openvpn_t iptables_exec_t:file { execute getattr };
allow openvpn_t sysctl_net_t:file write;

===========================
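As an added example (not part of the bug report and not selinux-policy or audit2allow code), the POSIX sh + awk script below does what the audit2allow step above does: it folds the AVC records from the log into allow rules keyed on source type, target type and object class, merging the permissions, so the eight denials collapse to the two rules shown. The embedded input is a constructed sample copied from the records above; nothing from the SELinux userland is needed to run it.

```shell
#!/bin/sh
# Added example: fold AVC denial records into TE allow rules, the way the
# audit2allow step in the report does.  Needs only sh, awk and sort.
LC_ALL=C
export LC_ALL

# sample_avc: AVC records from the report (constructed sample input;
# duplicates kept on purpose so the merge is visible).
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1266599646.632:132): avc:  denied  { write } for  pid=1849 comm="sh" name="ip_forward" dev=proc ino=4026531982 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1266599646.632:133): avc:  denied  { write } for  pid=1849 comm="sh" name="ip_forward" dev=proc ino=4026531982 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1266599646.632:134): avc:  denied  { execute } for  pid=1850 comm="sh" name="iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1266599646.632:135): avc:  denied  { getattr } for  pid=1850 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1266599646.640:137): avc:  denied  { execute } for  pid=1851 comm="sh" name="iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1266599646.640:138): avc:  denied  { getattr } for  pid=1851 comm="sh" path="/sbin/iptables" dev=dm-0 ino=96322 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
EOF
}

# avc_to_allow: stdin = audit records, stdout = one allow rule per
# (source type, target type, class) with the permissions merged and sorted.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = ""; scon = ""; tcon = ""; cls = ""
        # the permission set sits between the braces: "{ write }"
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if (index($i, "scontext=") == 1) scon = substr($i, 10)
            else if (index($i, "tcontext=") == 1) tcon = substr($i, 10)
            else if (index($i, "tclass=") == 1) cls = substr($i, 8)
        }
        # contexts are user:role:type:level; a TE rule only needs the type
        split(scon, s, ":"); split(tcon, t, ":")
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print s[3], t[3] ":" cls, p[j]
    }' | sort -u | awk '
    # after sort -u, lines with the same key are adjacent and duplicates are gone
    function emit() {
        if (cnt > 1) printf "allow %s { %s };\n", prev, perms
        else printf "allow %s %s;\n", prev, perms
    }
    {
        key = $1 " " $2
        if (key != prev) {
            if (prev != "") emit()
            prev = key; perms = $3; cnt = 1
        } else { perms = perms " " $3; cnt++ }
    }
    END { if (prev != "") emit() }'
}

sample_avc | avc_to_allow
```

Feeding the real audit log (`ausearch -m avc -ts recent | avc_to_allow`) works the same way; the point of the exercise is that the output is only the rules for denials that were actually hit, which is why the report warns that more violations can surface once these are allowed.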
Comment 1 Daniel Walsh 2010-02-22 14:16:11 EST
I think the best we can do here is allow you to load custom policy rules.  This is local customization and not something we want to enable for everyone.


# cat > myopenvpn.te << '_EOF'
policy_module(myopenvpn, 1.0)

# delimiter above is quoted so the shell does not treat the backtick that
# opens gen_require as the start of a command substitution
gen_require(`
	type openvpn_t;
')

# run iptables from the "up" script, with a domain transition into iptables_t
iptables_domtrans(openvpn_t)
# write net.* sysctls such as /proc/sys/net/ipv4/ip_forward
kernel_rw_net_sysctls(openvpn_t)

_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myopenvpn.pp
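As an added example (not from the comment, the reporter, or selinux-policy), the script below turns the procedure in Comment 1 into something safe to paste: it writes the module with printf rather than an unquoted heredoc, because the backtick that opens the gen_require block is read by the shell as a command substitution when the heredoc delimiter is unquoted, then builds and loads it when the devel Makefile and semodule are present and confirms the load with semodule -l. The working directory handling, the sanity check and the tool check are my additions.

```shell
#!/bin/sh
# Added example, not part of Comment 1: write, build, load and confirm the
# local openvpn policy module.  Assumptions (mine): selinux-policy-devel
# provides /usr/share/selinux/devel/Makefile, and loading needs root.

# write_openvpn_te DIR: create DIR/myopenvpn.te and print its path.
# printf keeps the m4 quotes (` and ') literal; an unquoted heredoc would not.
write_openvpn_te() {
    te="$1/myopenvpn.te"
    printf '%s\n' \
        'policy_module(myopenvpn, 1.0)' \
        '' \
        'gen_require(`' \
        '    type openvpn_t;' \
        "')" \
        '' \
        '# run iptables from the "up" script via a domain transition to iptables_t' \
        'iptables_domtrans(openvpn_t)' \
        '# write net.* sysctls such as /proc/sys/net/ipv4/ip_forward' \
        'kernel_rw_net_sysctls(openvpn_t)' > "$te"
    printf '%s\n' "$te"
}

# te_is_sane FILE: succeeds if both halves of the m4 quoting survived intact
te_is_sane() {
    grep -q 'gen_require(`$' "$1" && grep -q "^')\$" "$1"
}

# build_and_load DIR: compile with the devel Makefile, insert the module,
# and show it in the loaded-module list.  Returns 1 if the tools are missing.
build_and_load() {
    dir=$1
    if [ ! -f /usr/share/selinux/devel/Makefile ] || ! command -v semodule >/dev/null 2>&1; then
        echo "selinux-policy-devel or policycoreutils missing; not building" >&2
        return 1
    fi
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile) || return 1
    semodule -i "$dir/myopenvpn.pp" || return 1
    semodule -l | grep '^myopenvpn'
}

WORKDIR=${WORKDIR:-$(mktemp -d)}
TE=$(write_openvpn_te "$WORKDIR")
te_is_sane "$TE" && echo "wrote $TE"
build_and_load "$WORKDIR" || echo "build/load skipped; rerun as root on a host with the devel tools" >&2
```

After loading, restart openvpn and check `ausearch -m avc -c sh` again: iptables_domtrans gives the script a transition into iptables_t and kernel_rw_net_sysctls covers the sysctl_net_t write, but, as the report itself warns, anything else the "up" script touches will show up as a fresh denial to be added to the same module.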
