Got this error pop up in the systray after I (successfully) started up my VPN connecting using NetworkManager-openvpn. Submitted manually as for some reason the report to bugzilla button has gone AWOL in the SELinux Security Alerts application. Full output follows: Summary: SELinux is preventing /sbin/ip "module_request" access on <Unknown>. Detailed Description: [ip has a permissive type (openvpn_t). This access was not denied.] SELinux denied access requested by ip. The current boolean settings do not allow this access. If you have not setup ip to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access. Allowing Access: Confined processes can be configured to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. The boolean domain_kernel_load_modules is set incorrectly. Boolean Description: Allow all domains to have the kernel load modules Fix Command: # setsebool -P domain_kernel_load_modules 1 Additional Information: Source Context system_u:system_r:openvpn_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects None [ system ] Source ip Source Path /sbin/ip Port <Unknown> Host envy.fud.no Source RPM Packages iproute-2.6.32-1.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-33.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall_boolean Host Name envy.fud.no Platform Linux envy.fud.no 2.6.33.5-124.fc13.x86_64 #1 SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen on. 11. aug. 2010 kl. 22.51 +0000 Last Seen on. 11. aug. 2010 kl. 22.51 +0000 Local ID 233c983d-e338-4927-a8e8-4bb62cb37db9 Line Numbers Raw Audit Messages node=envy.fud.no type=AVC msg=audit(1281559885.353:1949): avc: denied { module_request } for pid=24747 comm="ip" kmod="tun0" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system node=envy.fud.no type=SYSCALL msg=audit(1281559885.353:1949): arch=c000003e syscall=16 success=yes exit=128 a0=4 a1=8933 a2=7fff9a287570 a3=377f128ad0 items=0 ppid=1 pid=24747 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:openvpn_t:s0 key=(null)
Did you disable ipv6?
This one looks legit. openvpn_t causing the tun0 device to be loaded.
kernel_request_load_module(openvpn_t)
Fixed in selinux-policy-3.7.19-47.fc13.
(In reply to comment #1) > Did you disable ipv6? IPv6 mode in NetworkManager for the wireless is «ignore» (the NM default). There is IPv6 service on the WLAN, though, and the kernel does auto-configure an IPv6 address and default route. However, the VPN connection in question are IPv4-only (I don't think OpenVPN supports IPv6 at this point). Tore
selinux-policy-3.7.19-47.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-47.fc13
selinux-policy-3.7.19-47.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-47.fc13
selinux-policy-3.7.19-47.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.