Description of problem:
As of January 18, 2011, SELinux is preventing the openvpn server from functioning on CentOS 5.5 + all online updates. The full sealert message is:

[root@mexcentral1 ~]# sealert -l b8bce9b7-5aed-4b2c-8a3e-01cd994b8c0f

Summary:

SELinux is preventing openvpn (openvpn_t) "read" to ./server.conf (usr_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by openvpn. It is not expected that this access is required by openvpn and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./server.conf,

restorecon -v './server.conf'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                user_u:system_r:openvpn_t
Target Context                system_u:object_r:usr_t
Target Objects                ./server.conf [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          mexcentral1.example.com
Source RPM Packages           openvpn-2.1.1-2.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     mexcentral1.example.com
Platform                      Linux mexcentral1.example.com 2.6.18-194.8.1.el5 #1 SMP Thu Jul 1 19:04:48 EDT 2010 x86_64 x86_64
Alert Count                   13
First Seen                    Tue Nov 30 15:19:29 2010
Last Seen                     Tue Jan 18 13:05:15 2011
Local ID                      b8bce9b7-5aed-4b2c-8a3e-01cd994b8c0f
Line Numbers

Raw Audit Messages

host=mexcentral1.example.com type=AVC msg=audit(1295348715.301:51): avc: denied { read } for pid=14543 comm="openvpn" name="server.conf" dev=sda2 ino=15680552 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

host=mexcentral1.example.com type=SYSCALL msg=audit(1295348715.301:51): arch=c000003e syscall=2 success=yes exit=3 a0=7fffe2cbcf3f a1=0 a2=1b6 a3=0 items=0 ppid=14534 pid=14543 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)

Making "setenforce 0" solves the problem, but this is not an option.

Version-Release number of selected component (if applicable):
kernel-2.6.18-194.8.1.el5
openvpn-2.1.1-2.el5
selinux-policy-targeted-2.4.6-279.el5_5.2
selinux-policy-2.4.6-279.el5_5.2

How reproducible:
Always.

Steps to Reproduce:
1. Install stock CentOS 5.5 + all online updates
2. Install stock openvpn server and configure it
3. Try to start/restart openvpn service

Actual results:
openvpn service won't start, displaying error in red.

Expected results:
*Default* SELinux policy should allow smooth openvpn service launching and operation, labelling files correctly.

Additional info:
This is a recent regression, it used to work...
It looks like the "server.conf" is mislabeled. Where is this config file located? I believe you will need to execute

# restorecon -R -v /etc/openvpn

to fix this issue.
Hello and thanks, I already did that, but it doesn't seem to solve the problem. With "setenforce 1", openvpn service still fails when doing "service openvpn restart". It does not when I have "setenforce 0"...

Best regards,
Răzvan
Where is server.conf located?

ls -lZ PATHTO/server.conf
Sorry for missing your question. It's /etc/openvpn/server.conf, as installed by default by the rpm package.

[root@mexcentral1 ~]# ls -lZ /etc/openvpn/server.conf
-rw-r--r--  root root system_u:object_r:openvpn_etc_t  /etc/openvpn/server.conf

Răzvan
Ok then show us the latest avc messages.

ausearch -m avc -ts recent
That's strange, I don't have any:

[root@mexcentral1 ~]# ausearch -m avc -ts recent
<no matches>
Try to start/restart openvpn service and then run

# ausearch -m avc -ts recent

If you don't see any AVC messages, execute

# semodule -DB
# service openvpn restart
# ausearch -m avc -ts recent
Thanks - using the second method, I've got:

[root@mexcentral1 ~]# semodule -DB
[root@mexcentral1 ~]# service openvpn restart
Shutting down openvpn:                                     [  OK  ]
Starting openvpn:                                          [EŞUAT]
[root@mexcentral1 ~]# ausearch -m avc -ts recent
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.116:175): arch=c000003e syscall=59 success=yes exit=0 a0=2ab1c88ca7a0 a1=2ab1c88f39a0 a2=0 a3=0 items=0 ppid=17869 pid=17874 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="setfiles" exe="/sbin/setfiles" subj=user_u:system_r:setfiles_t:s0 key=(null)
type=AVC msg=audit(1295372844.116:175): avc: denied { noatsecure } for pid=17874 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
type=AVC msg=audit(1295372844.116:175): avc: denied { rlimitinh } for pid=17874 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
type=AVC msg=audit(1295372844.116:175): avc: denied { siginh } for pid=17874 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.142:176): arch=c000003e syscall=21 success=no exit=-13 a0=868eb70 a1=2 a2=0 a3=42600ac8 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.142:176): avc: denied { write } for pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.143:177): arch=c000003e syscall=21 success=no exit=-13 a0=8a73380 a1=2 a2=0 a3=30acf154a0 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.143:177): avc: denied { write } for pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.178:178): arch=c000003e syscall=21 success=no exit=-13 a0=86a7470 a1=2 a2=0 a3=30acf154a0 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.178:178): avc: denied { write } for pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.192:179): arch=c000003e syscall=21 success=no exit=-13 a0=8b56420 a1=2 a2=0 a3=42600608 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.192:179): avc: denied { write } for pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.193:180): arch=c000003e syscall=21 success=no exit=-13 a0=87950b0 a1=2 a2=0 a3=30acf154a0 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.193:180): avc: denied { write } for pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.195:181): arch=c000003e syscall=21 success=no exit=-13 a0=88548e0 a1=2 a2=0 a3=30acf154a0 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.195:181): avc: denied { write } for pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:31 2011
type=SYSCALL msg=audit(1295372851.190:183): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9dc845d0 a1=0 a2=0 a3=2b21b67860a3 items=0 ppid=17891 pid=17900 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1295372851.190:183): avc: denied { search } for pid=17900 comm="openvpn" name="/" dev=selinuxfs ino=400 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:31 2011
type=SYSCALL msg=audit(1295372851.325:184): arch=c000003e syscall=2 success=no exit=-13 a0=4d023a8 a1=0 a2=1b6 a3=0 items=0 ppid=17891 pid=17900 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1295372851.325:184): avc: denied { search } for pid=17900 comm="openvpn" name="root" dev=sda2 ino=1113025 scontext=user_u:system_r:openvpn_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:31 2011
type=SYSCALL msg=audit(1295372851.190:182): arch=c000003e syscall=2 success=no exit=-13 a0=30b2012a04 a1=0 a2=1b6 a3=0 items=0 ppid=17891 pid=17900 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1295372851.190:182): avc: denied { search } for pid=17900 comm="openvpn" name="selinux" dev=sda2 ino=9886777 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
Are you storing cert files in a homedir or in /root that openvpn is trying to read?
Probably this is not correct, but the keys (as referred to in /etc/openvpn/server.conf) are stored in /root/easy-rsa/keys/, namely:

ca /root/easy-rsa/keys/ca.crt
cert /root/easy-rsa/keys/mexcentral1.crt
key /root/easy-rsa/keys/mexcentral1.key
dh /root/easy-rsa/keys/dh1024.pem

as lines in server.conf. Another copy of the keys (probably redundant) seems to be present in /etc/openvpn/keys. The step-by-step procedure used for configuring the server is this: http://fedoraproject.org/wiki/Openvpn

Regards,
Răzvan
Can you change server.conf to read them from /etc/openvpn/keys?
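An added helper that automates the two checks made in this thread; it is not part of the bug report, the openvpn package or the SELinux policy. avc_summary reduces raw ausearch AVC records to source domain, permission and target type, and check_openvpn_paths flags ca/cert/key/dh directives in server.conf whose files live outside /etc/openvpn (the directory labelled openvpn_etc_t, which openvpn_t is allowed to read). The AVC lines and config fragment are constructed from the values quoted above.

```shell
#!/bin/sh
# Added helper (hypothetical, not from the bug thread or the openvpn package).
# Constructed sample: the two openvpn_t AVC records quoted earlier in the thread.
SAMPLE_AVC='type=AVC msg=audit(1295372851.325:184): avc: denied { search } for pid=17900 comm="openvpn" name="root" dev=sda2 ino=1113025 scontext=user_u:system_r:openvpn_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1295372851.190:182): avc: denied { search } for pid=17900 comm="openvpn" name="selinux" dev=sda2 ino=9886777 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir'

# Constructed sample server.conf fragment with the key paths the reporter used.
SAMPLE_CONF='port 1194
ca /root/easy-rsa/keys/ca.crt
cert /root/easy-rsa/keys/mexcentral1.crt
key /root/easy-rsa/keys/mexcentral1.key
dh /root/easy-rsa/keys/dh1024.pem
# tls-auth /etc/openvpn/keys/ta.key 0
'

# Reduce AVC records on stdin to "count source_domain perm target_type class".
# A user_home_dir_t hit from openvpn_t means the daemon is reaching into /root
# or a home directory, exactly the case in this thread.
# Typical use: ausearch -m avc -ts recent | avc_summary
avc_summary() {
  grep 'avc: *denied' | sed -E \
    's/.*denied +[{] *([^}]*[^ }]) *[}] .*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([a-z_]*).*/\2 \1 \3 \4/' \
    | sort | uniq -c | sed -E 's/^ *//'
}

# Print ca/cert/key/dh/tls-auth/crl-verify directives whose file is not under
# /etc/openvpn; exit 1 if any were found, 0 otherwise.
# Typical use: check_openvpn_paths < /etc/openvpn/server.conf
check_openvpn_paths() {
  awk '
    $1 ~ /^[#;]/ { next }                         # comment lines
    $1 ~ /^(ca|cert|key|dh|tls-auth|crl-verify)$/ && $2 != "" {
      if ($2 !~ /^\/etc\/openvpn\//) { print $1 " " $2; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s' "$SAMPLE_CONF" | check_openvpn_paths || echo "keys outside /etc/openvpn: move them there and run restorecon -R -v /etc/openvpn"
```

On the real host, feed ausearch output to avc_summary after the semodule -DB step above so that dontaudit'ed denials are visible too.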
Nothing in that document mentions /root, does it?
Thanks. Nothing in that document mentions either another (fixed, standardised) place to put the openvpn folder, or a distro-created, predefined system user that openvpn should run as. :) The net effect is that SELinux forbids the actions of the openvpn daemon, preventing connections. IMHO, this is at least a bug in the documentation. Or even in the openvpn RPM package itself, which should pre-create the directory in the correct place, with the proper SELinux permissions.

Regards,
Răzvan
You are reporting what you believe is a bug potentially in OpenVPN on rhel5, which is a package that does not ship in RHEL5 and it looks like you used the Fedora Package. Either open this as a bug in Fedora or on OpenVPN.