Bug 670460 - SELinux prevents openvpn server functioning on Red Hat Enterprise Linux / CentOS 5.5
SELinux prevents openvpn server functioning on Red Hat Enterprise Linux / Cen...
Status: CLOSED CANTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.5.z
Unspecified Unspecified
low Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-01-18 06:25 EST by Răzvan Sandu
Modified: 2011-06-22 09:53 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-22 09:53:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Răzvan Sandu 2011-01-18 06:25:36 EST
Description of problem:

As of January 18, 2011, SELinux is preventing openvpn server functioning on CentOS 5.5 + all online updates.

The full sealert messages is:

[root@mexcentral1 ~]# sealert -l b8bce9b7-5aed-4b2c-8a3e-01cd994b8c0f

Summary:

SELinux is preventing openvpn (openvpn_t) "read" to ./server.conf (usr_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by openvpn. It is not expected that this access
is required by openvpn and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./server.conf,

restorecon -v './server.conf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:openvpn_t
Target Context                system_u:object_r:usr_t
Target Objects                ./server.conf [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          mexcentral1.example.com
Source RPM Packages           openvpn-2.1.1-2.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     mexcentral1.example.com
Platform                      Linux mexcentral1.example.com 2.6.18-194.8.1.el5
                              #1 SMP Thu Jul 1 19:04:48 EDT 2010 x86_64 x86_64
Alert Count                   13
First Seen                    Tue Nov 30 15:19:29 2010
Last Seen                     Tue Jan 18 13:05:15 2011
Local ID                      b8bce9b7-5aed-4b2c-8a3e-01cd994b8c0f
Line Numbers                  

Raw Audit Messages            

host=mexcentral1.example.com type=AVC msg=audit(1295348715.301:51): avc:  denied  { read } for  pid=14543 comm="openvpn" name="server.conf" dev=sda2 ino=15680552 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

host=mexcentral1.example.com type=SYSCALL msg=audit(1295348715.301:51): arch=c000003e syscall=2 success=yes exit=3 a0=7fffe2cbcf3f a1=0 a2=1b6 a3=0 items=0 ppid=14534 pid=14543 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)


Making "setenforce 0" solves problem, but this is not an option.


Version-Release number of selected component (if applicable):
kernel-2.6.18-194.8.1.el5
openvpn-2.1.1-2.el5
selinux-policy-targeted-2.4.6-279.el5_5.2
selinux-policy-2.4.6-279.el5_5.2


How reproducible:
Always.

Steps to Reproduce:
1. Install stock CentOs 5.5 + all online updates
2. Instal stock openvpn server and configure it
3. Try to start/restart openvpn service
  
Actual results:

openvpn service won't start, displaying error in red.

Expected results:

*Default* SELinux policy should allow smooth openvpn service launching and operation, labelling files correctly.

Additional info:
This is a recent regression, it used to work...
Comment 1 Miroslav Grepl 2011-01-18 08:59:43 EST
It looks like the "server.conf" is mislabeled.

Where is this config file located?

I believe you will need to execute

# restorecon -R -v /etc/openvpn

to fix this issue.
Comment 2 Răzvan Sandu 2011-01-18 09:41:03 EST
Hello and thanks,

I already did that, but it doesn't seem to solve the problem. With "setenforce 1", openvpn service still fails when doing "service openvpn restart". It does not when I have "setenforce 0"...

Best regards,
Răzvan
Comment 3 Daniel Walsh 2011-01-18 10:10:51 EST
Where is server.conf located?  ls -lZ PATHTO/server.conf
Comment 4 Răzvan Sandu 2011-01-18 10:38:28 EST
Sorry for missing your question.

It's /etc/openvpn/server.conf , as installed default by the rpm package.

[root@mexcentral1 ~]# ls -lZ /etc/openvpn/server.conf
-rw-r--r--  root root system_u:object_r:openvpn_etc_t  /etc/openvpn/server.conf


Răzvan
Comment 5 Daniel Walsh 2011-01-18 10:56:26 EST
Ok then show us the latest avc messages.

ausearch -m avc -ts recent
Comment 6 Răzvan Sandu 2011-01-18 11:57:15 EST
That's strange, I don't have any:

[root@mexcentral1 ~]# ausearch -m avc -ts recent
<no matches>
Comment 7 Miroslav Grepl 2011-01-18 12:14:39 EST
Try to start/restart openvpn service and then run

# ausearch -m avc -ts recent


If you don't see any AVC messages, execute

# semodule -DB
# service openvpn restart
# ausearch -m avc -ts recent
Comment 8 Răzvan Sandu 2011-01-18 12:50:23 EST
Thanks - using the second method, I've got:


[root@mexcentral1 ~]# semodule -DB
[root@mexcentral1 ~]# service openvpn restart
Shutting down openvpn:                                     [  OK  ]
Starting openvpn:                                          [EŞUAT]
[root@mexcentral1 ~]# ausearch -m avc -ts recent
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.116:175): arch=c000003e syscall=59 success=yes exit=0 a0=2ab1c88ca7a0 a1=2ab1c88f39a0 a2=0 a3=0 items=0 ppid=17869 pid=17874 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="setfiles" exe="/sbin/setfiles" subj=user_u:system_r:setfiles_t:s0 key=(null)
type=AVC msg=audit(1295372844.116:175): avc:  denied  { noatsecure } for  pid=17874 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
type=AVC msg=audit(1295372844.116:175): avc:  denied  { rlimitinh } for  pid=17874 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
type=AVC msg=audit(1295372844.116:175): avc:  denied  { siginh } for  pid=17874 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.142:176): arch=c000003e syscall=21 success=no exit=-13 a0=868eb70 a1=2 a2=0 a3=42600ac8 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.142:176): avc:  denied  { write } for  pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.143:177): arch=c000003e syscall=21 success=no exit=-13 a0=8a73380 a1=2 a2=0 a3=30acf154a0 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.143:177): avc:  denied  { write } for  pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.178:178): arch=c000003e syscall=21 success=no exit=-13 a0=86a7470 a1=2 a2=0 a3=30acf154a0 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.178:178): avc:  denied  { write } for  pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.192:179): arch=c000003e syscall=21 success=no exit=-13 a0=8b56420 a1=2 a2=0 a3=42600608 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.192:179): avc:  denied  { write } for  pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.193:180): arch=c000003e syscall=21 success=no exit=-13 a0=87950b0 a1=2 a2=0 a3=30acf154a0 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.193:180): avc:  denied  { write } for  pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:24 2011
type=SYSCALL msg=audit(1295372844.195:181): arch=c000003e syscall=21 success=no exit=-13 a0=88548e0 a1=2 a2=0 a3=30acf154a0 items=0 ppid=1 pid=2867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1295372844.195:181): avc:  denied  { write } for  pid=2867 comm="setroubleshootd" name="rpm" dev=sda2 ino=4648515 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:31 2011
type=SYSCALL msg=audit(1295372851.190:183): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9dc845d0 a1=0 a2=0 a3=2b21b67860a3 items=0 ppid=17891 pid=17900 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1295372851.190:183): avc:  denied  { search } for  pid=17900 comm="openvpn" name="/" dev=selinuxfs ino=400 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:31 2011
type=SYSCALL msg=audit(1295372851.325:184): arch=c000003e syscall=2 success=no exit=-13 a0=4d023a8 a1=0 a2=1b6 a3=0 items=0 ppid=17891 pid=17900 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1295372851.325:184): avc:  denied  { search } for  pid=17900 comm="openvpn" name="root" dev=sda2 ino=1113025 scontext=user_u:system_r:openvpn_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
----
time->Tue Jan 18 19:47:31 2011
type=SYSCALL msg=audit(1295372851.190:182): arch=c000003e syscall=2 success=no exit=-13 a0=30b2012a04 a1=0 a2=1b6 a3=0 items=0 ppid=17891 pid=17900 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1295372851.190:182): avc:  denied  { search } for  pid=17900 comm="openvpn" name="selinux" dev=sda2 ino=9886777 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
Comment 9 Daniel Walsh 2011-01-18 14:46:53 EST
Are you storing cert files in a homedir or in /root that openvpn is trying to read?
Comment 10 Răzvan Sandu 2011-01-18 20:26:34 EST
Probably this is not correct, but the keys (as referred in /etc/openvpn/server.conf) are stored in /root/easy-rsa/keys/, namely:

ca /root/easy-rsa/keys/ca.crt
cert /root/easy-rsa/keys/mexcentral1.crt
key /root/easy-rsa/keys/mexcentral1.key
dh /root/easy-rsa/keys/dh1024.pem

as lines un server.conf.

Another copy of the keys (probably redundant) seems to be present in /etc/openvpn/keys.

The step-by-step procedure used for configuring the server is this:

http://fedoraproject.org/wiki/Openvpn


Regards,
Răzvan
Comment 11 Daniel Walsh 2011-01-19 11:14:03 EST
Can you change server.conf to read them from /etc/openvpn/keys?
Comment 12 Daniel Walsh 2011-01-19 11:14:45 EST
Nothing in that document mentions /root, does it?
Comment 13 Răzvan Sandu 2011-06-20 10:32:47 EDT
Thanks,

Nothing in that document mentions neither another (fixed, standardised) place where to put the openvpn folder, nor a distro-created, predefined system user that openvpn should run as.  :)

The net effect is that SELinux forbids the actions of the openvpn daemon, preventing connections.

IMHO, this is at least a bug in the documentation. Or even in the openvpn RPM package itself, that should pre-create the directory in the correct place, with the proper SELinux permissions.


Regards,
Răzvan
Comment 15 Daniel Walsh 2011-06-22 09:53:26 EDT
You are reporting what you believe is a bug potentially in OpenVPN on rhel5, which is a package that does not ship in RHEL5 and it looks like you used the Fedora Package.

Either open this as a bug in Fedora or on OpenVPN.

Note You need to log in before you can comment on or make changes to this bug.