Bug 630408 - allow openvpn to attach/detach/change persistently opened tun0 device
Summary: allow openvpn to attach/detach/change persistently opened tun0 device
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-09-05 12:26 UTC by Mr-4
Modified: 2010-09-22 00:38 UTC (History)

Fixed In Version: selinux-policy-3.7.19-57.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-09-22 00:38:02 UTC
Type: ---
Embargoed:



Description Mr-4 2010-09-05 12:26:35 UTC
Description of problem:

When starting openvpn in cases when the tun device is already open (i.e. persistent across openvpn sessions) with a startup script run prior to executing openvpn (using a statement like 'openvpn --mktun --dev tun0 --user nobody --group nobody'), an AVC denial is produced and openvpn exits.

Similarly, when openvpn tries to reset or close a persistent tun device (again, via a shutdown script using statements like 'openvpn --rmtun --dev tun0' or '/sbin/ifconfig tun0 down') another AVC denial is produced and the tun device is not altered/closed.


Version-Release number of selected component (if applicable):

SELinux policy version -49 and -51


How reproducible:

Always!


Steps to Reproduce:

The following assumes a standard openvpn installation.

1. Produce two script files called openvpn-startup and openvpn-shutdown and place them in a directory accessible by openvpn (say /var/lib/openvpn). openvpn-startup needs to have a statement like 'openvpn --mktun --dev tun0 --user nobody --group nobody' (or other appropriate less privileged group) to open the tun0 device and keep it persistent across openvpn sessions (i.e. when openvpn closes). openvpn-shutdown needs to contain either of these statements: 'openvpn --rmtun --dev tun0' or '/sbin/ifconfig tun0 down' to close/reset the tun device when openvpn is shutting down.

2. Make sure the openvpn distribution used to install openvpn contains an init.d startup script, which seeks these startup and shutdown scripts prior to starting openvpn itself. The standard FC distribution includes a script with such capabilities. Alter the openvpn initrc script (the one which is placed in /etc/init.d) to include the right directory for the above scripts (in the FC standard distribution this is done by altering the 'init' variable to point to the directory where these scripts are, say 'init=/var/lib/openvpn').

3. Start openvpn by executing 'service openvpn start' from the command line. An AVC should be produced, after which openvpn exits.

4. On shutting down openvpn with 'service openvpn stop', another AVC is produced.
  

Actual results:

On startup the following AVC is produced after which openvpn exits:

type=AVC msg=audit(1283605137.660:19): avc:  denied  { relabelfrom } for  pid=1612 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=tun_socket

On shutdown the following AVC is produced and the tun device is NOT altered/closed:

type=AVC msg=audit(1283619145.372:45): avc:  denied  { relabelto } for  pid=1846 comm="iptables" scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_t:s0 tclass=packet


Expected results:

openvpn to start, altering the parameters of the already-opened tun0 device and then stop normally, again, altering the tun0 device and closing it.


Additional info:

The above could be avoided by replacing the following statement in openvpn.te from the standard selinux policy:

-allow openvpn_t self:tun_socket create;
+allow openvpn_t self:tun_socket ( create relabelfrom relabelto };
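Review bot: the `+` line has a mismatched bracket: `( create relabelfrom relabelto }` opens with `(` but closes with `}`, which is a syntax error in the policy language; the permission set must be written `{ create relabelfrom relabelto }`. Note also that this rule only covers the first AVC (openvpn_t on its own tun_socket, relabelfrom); the second AVC is iptables_t acting on a mysqld_t packet, which no tun_socket permission granted to openvpn_t can address.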

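As an added example (not from the report or the Fedora policy), the following POSIX shell script parses AVC denial lines such as the two quoted above into source type, target type, class and permissions, and derives the allow rule that audit2allow would propose for each; the sample input is constructed from the report's two lines, and only sed and a POSIX sh are assumed.

```shell
#!/bin/sh
# Added example: parse AVC denials into tuples and derive audit2allow-style
# allow rules. Sample input is constructed from the two denials in the report.
SAMPLE_AVC='type=AVC msg=audit(1283605137.660:19): avc:  denied  { relabelfrom } for  pid=1612 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=tun_socket
type=AVC msg=audit(1283619145.372:45): avc:  denied  { relabelto } for  pid=1846 comm="iptables" scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_t:s0 tclass=packet'

# Read AVC lines on stdin and print "source_type target_type class perms"
# for each denial. Only the type field (third colon-separated part) of each
# context is kept; lines that are not AVC denials are dropped by sed -n.
avc_tuples() {
    sed -n 's/^type=AVC .*denied  *{ *\([^}]*[^ }]\) *} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Derive the allow rule audit2allow would propose for each denial, writing
# "self" when source and target types match (as in the report's patch).
avc_to_allow() {
    avc_tuples | while read -r sdom ttype tclass perms; do
        [ "$sdom" = "$ttype" ] && ttype=self
        printf 'allow %s %s:%s { %s };\n' "$sdom" "$ttype" "$tclass" "$perms"
    done
}

# Keep only the rules that belong in openvpn.te: a denial whose source
# domain is not openvpn_t cannot be fixed by editing the openvpn module.
avc_to_allow_openvpn() {
    avc_to_allow | grep '^allow openvpn_t ' || true
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Both denials yield a rule, which is why the thread's later finding matters: the iptables/mysqld_t packet denial came from a type declared without the packet_type attribute, not from a missing openvpn rule, so audit2allow output should be read before it is loaded with semodule.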
Comment 1 Miroslav Grepl 2010-09-06 12:37:44 UTC
Rawhide has 

optional_policy(`
        unconfined_attach_tun_iface(openvpn_t)
')

which I will add.


If you execute

# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

does it work?

Comment 2 Miroslav Grepl 2010-09-06 12:51:55 UTC
> type=AVC msg=audit(1283619145.372:45): avc:  denied  { relabelto } for 
> pid=1846 comm="iptables"
> scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:mysqld_t:s0 tclass=packet

I guess this AVC is related to the #630476 bug.

Comment 3 Mr-4 2010-09-06 13:04:52 UTC
(In reply to comment #2)
> > type=AVC msg=audit(1283619145.372:45): avc:  denied  { relabelto } for 
> > pid=1846 comm="iptables"
> > scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:mysqld_t:s0 tclass=packet
> 
> I guess this AVC is related with the #630476 bug.

Humble apologies!

Indeed it is, though you may close this bug (#630476) as I found a solution, which is unrelated to SELinux itself, but to the policy I was writing. 

My mistake was that I used a type without specifying an associated attribute, which is similar or has an alias to the "packet_type" attribute, hence why SELinux gets mad.

I used "type sshd_packet_t;" instead of "type sshd_packet_t, packet_type;". Once I corrected that all went well and iptables was allowed to do its job, so this "bug" may now be closed.

As far as the "relabelto" on openvpn goes - it happens when a shutdown script is executed which uses "openvpn --rmtun". As this shutdown script is, in most cases, executed under a uid/gid with fewer privileges than root, the removal/resetting of the device - which is persistent - is not allowed.

Comment 4 Mr-4 2010-09-06 13:11:09 UTC
(In reply to comment #1)
> Rawhide has 
> 
> optional_policy(`
>         unconfined_attach_tun_iface(openvpn_t)
> ')
> 
> which I will add.
> 
> 
> If you execute
> 
> # grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> does it work?

I am not certain how "unconfined_attach_tun_iface" would be affected if I use labelled packets. Could you expand on what "unconfined_attach_tun_iface(openvpn_t)" does as I am not using rawhide (my selinux is on -51 - the latest policy which comes out of my repo - I am on FC13).

Comment 5 Miroslav Grepl 2010-09-09 09:08:27 UTC
Fixed in selinux-policy-3.7.19-55.fc13.

Comment 6 Fedora Update System 2010-09-13 16:08:14 UTC
selinux-policy-3.7.19-57.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-57.fc13

Comment 7 Fedora Update System 2010-09-15 05:29:32 UTC
selinux-policy-3.7.19-57.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-57.fc13

Comment 8 Fedora Update System 2010-09-22 00:36:59 UTC
selinux-policy-3.7.19-57.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

