SELinux is preventing vpnc to create a tunnel device

SELinux is preventing /bin/mkdir from 'write' accesses on the directory /dev.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that mkdir should be allowed write access on the dev directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep mkdir /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev [ dir ]
Source                        mkdir
Source Path                   /bin/mkdir
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.10-2.fc15
Target RPM Packages           filesystem-2.4.41-1.fc15
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.10-74.fc14.i686 #1 SMP Thu Dec 23 16:17:40 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Wed 17 Aug 2011 06:16:58 AM PDT
Last Seen                     Wed 17 Aug 2011 06:17:58 AM PDT
Local ID                      7622a366-fc31-48c4-9df8-e250ccbfd785

Raw Audit Messages
type=AVC msg=audit(1313587078.104:70): avc: denied { write } for pid=2586 comm="mkdir" name="/" dev=devtmpfs ino=4 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir

type=SYSCALL msg=audit(1313587078.104:70): arch=i386 syscall=mkdir success=no exit=EACCES a0=bf9b68cc a1=1ed a2=8053388 a3=bf9b68c7 items=0 ppid=2576 pid=2586 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=mkdir exe=/bin/mkdir subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)

Hash: mkdir,vpnc_t,device_t,dir,write

audit2allow

#============= vpnc_t ==============
#!!!! The source type 'vpnc_t' can write to a 'dir' of the following types:
# tmp_t, etc_t, vpnc_tmp_t, var_run_t, vpnc_var_run_t, net_conf_t

allow vpnc_t device_t:dir write;

audit2allow -R

#============= vpnc_t ==============
#!!!! The source type 'vpnc_t' can write to a 'dir' of the following types:
# tmp_t, etc_t, vpnc_tmp_t, var_run_t, vpnc_var_run_t, net_conf_t

allow vpnc_t device_t:dir write;
after allowing the above exception, it runs into the next denial:

SELinux is preventing /bin/mkdir from add_name access on the directory net.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that mkdir should be allowed add_name access on the net directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep mkdir /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                net [ dir ]
Source                        mkdir
Source Path                   /bin/mkdir
Port                          <Unknown>
Host                          pikkud.mobile.fp.nsn-rdnet.net
Source RPM Packages           coreutils-8.10-2.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pikkud.mobile.fp.nsn-rdnet.net
Platform                      Linux pikkud.mobile.fp.nsn-rdnet.net 2.6.35.10-74.fc14.i686 #1 SMP Thu Dec 23 16:17:40 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Wed 17 Aug 2011 06:34:40 AM PDT
Last Seen                     Wed 17 Aug 2011 06:34:40 AM PDT
Local ID                      376acc1b-d404-4877-9c27-7035830cbbf5

Raw Audit Messages
type=AVC msg=audit(1313588080.902:109): avc: denied { add_name } for pid=3593 comm="mkdir" name="net" scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir

type=SYSCALL msg=audit(1313588080.902:109): arch=i386 syscall=mkdir success=no exit=EACCES a0=bfaf58cc a1=1ed a2=8053388 a3=bfaf58c7 items=0 ppid=3581 pid=3593 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=mkdir exe=/bin/mkdir subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)

Hash: mkdir,vpnc_t,device_t,dir,add_name

audit2allow

#============= vpnc_t ==============
allow vpnc_t device_t:dir add_name;

audit2allow -R

#============= vpnc_t ==============
allow vpnc_t device_t:dir add_name;
and after that, this is the next:

SELinux is preventing /sbin/modprobe from read access on the directory /etc/modprobe.d.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that modprobe should be allowed read access on the modprobe.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep modprobe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023
Target Context                system_u:object_r:modules_conf_t:s0
Target Objects                /etc/modprobe.d [ dir ]
Source                        modprobe
Source Path                   /sbin/modprobe
Port                          <Unknown>
Host                          pikkud.mobile.fp.nsn-rdnet.net
Source RPM Packages           module-init-tools-3.16-2.fc15
Target RPM Packages           module-init-tools-3.16-2.fc15
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pikkud.mobile.fp.nsn-rdnet.net
Platform                      Linux pikkud.mobile.fp.nsn-rdnet.net 2.6.35.10-74.fc14.i686 #1 SMP Thu Dec 23 16:17:40 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Wed 17 Aug 2011 06:38:27 AM PDT
Last Seen                     Wed 17 Aug 2011 06:38:27 AM PDT
Local ID                      26cfa8d3-f6f9-43e3-bc30-fbd9942a6ecc

Raw Audit Messages
type=AVC msg=audit(1313588307.618:128): avc: denied { read } for pid=4398 comm="modprobe" name="modprobe.d" dev=dm-1 ino=46 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir

type=SYSCALL msg=audit(1313588307.618:128): arch=i386 syscall=open success=no exit=EACCES a0=805d3bd a1=0 a2=1b6 a3=0 items=0 ppid=4390 pid=4398 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=modprobe exe=/sbin/modprobe subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)

Hash: modprobe,vpnc_t,modules_conf_t,dir,read

audit2allow

#============= vpnc_t ==============
allow vpnc_t modules_conf_t:dir read;

audit2allow -R

#============= vpnc_t ==============
allow vpnc_t modules_conf_t:dir read;
and after adding those, it just fails anyway because mkdir does not succeed:

mkdir: cannot create directory `/dev/net': Permission denied
mknod: `/dev/net/tun': No such file or directory
vpnc: can't open /dev/net/tun, check that it is either device char 10 200 or (with DevFS) a symlink to ../misc/net/tun (not misc/net/tun): No such file or directory
vpnc: can't initialise tunnel interface: No such file or directory

Installed packages:

vpnc-0.5.3-12.svn457.fc15.i686
policycoreutils-2.0.86-7.fc15.i686
checkpolicy-2.0.23-3.fc15.i686
polkit-desktop-policy-0.101-6.fc15.noarch
policycoreutils-python-2.0.86-7.fc15.i686
policycoreutils-gui-2.0.86-7.fc15.i686
selinux-policy-targeted-3.9.16-35.fc15.noarch
selinux-policy-3.9.16-35.fc15.noarch
Could you execute

# semanage permissive -a vpnc_t

and collect all AVC messages which you see?
Here we go. Unfortunately vpnc fails for some reason from the network where I am now. It clearly fails to insert some modules for the tunnel. I'll attach the log.

Created attachment 520019: vpnc avc logs while semanage permissive -a vpnc_t
This looks like your vpnc script is running modprobe? Is this standard? You probably want to add a domtrans:

modprobe_domtrans_insmod(vpnc_t)

Is this a standard configuration?
Yes, it looks so; it needs to set up a network interface and tunnel all/some traffic through it. The vpnc is the standard one coming from the Fedora repos; of course my connection setup in vpnc.conf is specific to me. But setting up the tun device is normal behaviour. Excuse my ignorance, but where should that be added? It looks like a function call, so do you mean to patch the vpnc code and recompile the package? Or is that some policy magic which gets put somewhere?

BTW, there is a bug made long ago about the same issue, handled for NM it seems: #208579 "NetworkManager-vpnc triggering SELinux when doing modprobe tun.ko". I verify that it works just fine in the NM GUI; it's only the command line client that doesn't work. And me loves cmdline... :)
Could you try to add the following local policy

# cat mypol.te
policy_module(mypol, 1.0)

require{
 type vpnc_t;
}

modprobe_domtrans_insmod(vpnc_t)

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp
# semanage permissive -d vpnc_t

and try to re-test it.
Some syntax error in it? See:

# cat > mypol.te
policy_module(mypol, 1.0)

require{
 type vpnc_t;
}

modprobe_domtrans_insmod(vpnc_t)

[root@pikkud test]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted mypol module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypol.tmp
mypol.te":7:ERROR 'syntax error' at token 'modprobe_domtrans_insmod' on line 3216:
modprobe_domtrans_insmod(vpnc_t)
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/mypol.mod] Error 1
My fault, I meant modutils_domtrans_insmod_uncond(vpnc_t) instead of modprobe_domtrans_insmod(vpnc_t)
Thanks, I did that and it took me this far:

type=AVC msg=audit(1314613488.929:262): avc: denied { getattr } for pid=9835 comm="vpnc-script" path="/dev/net/tun" dev=devtmpfs ino=97311 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1314613488.929:262): arch=40000003 syscall=195 success=no exit=-13 a0=8a71fc0 a1=bfd7ee28 a2=345ff4 a3=8a71fc6 items=0 ppid=9828 pid=9835 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vpnc-script" exe="/bin/bash" subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1314613488.965:263): avc: denied { read write } for pid=9852 comm="vpnc-script" name="tun" dev=devtmpfs ino=97311 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1314613488.965:263): arch=40000003 syscall=5 success=no exit=-13 a0=8a72070 a1=8042 a2=1b6 a3=b items=0 ppid=9835 pid=9852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vpnc-script" exe="/bin/bash" subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1314613488.965:264): avc: denied { read write } for pid=9852 comm="vpnc-script" name="tun" dev=devtmpfs ino=97311 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1314613488.965:264): arch=40000003 syscall=5 success=no exit=-13 a0=8a72070 a1=8002 a2=0 a3=b items=0 ppid=9835 pid=9852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vpnc-script" exe="/bin/bash" subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)
Miroslav maybe we should add a policy for vpnc-script and only give it the ability to execute modprobe.
# make sure tun device exists
if [ ! -e /dev/net/tun ]; then
    mkdir -p /dev/net
    mknod -m 0640 /dev/net/tun c 10 200
fi

This script needs to add

restorecon -R -v /dev/net
Here's what it looks like before and after restorecon; it seems it had been created with the proper tags:

$ ls -laZ /dev/net/
drwxr-xr-x. root root system_u:object_r:device_t:s0 .
drwxr-xr-x. root root system_u:object_r:device_t:s0 ..
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0 tun
$ sudo restorecon -R -v /dev/net
$ ls -laZ /dev/net/
drwxr-xr-x. root root system_u:object_r:device_t:s0 .
drwxr-xr-x. root root system_u:object_r:device_t:s0 ..
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0 tun

I did not create this manually as you instructed above; it was vpnc creating it.
The AVC indicates that it was created for a short time with the wrong label on it.

type=AVC msg=audit(1314613488.965:263): avc: denied { read write } for pid=9852 comm="vpnc-script" name="tun" dev=devtmpfs ino=97311 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1314613488.965:263): arch=40000003 syscall=5 success=no

udev is watching for mislabeled char_files and when it sees one will fix the label, but in the meantime the vpnc script has touched the device, generating the AVC. So the vpnc-script should have made sure the device has the correct label as soon as it is created.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Created attachment 520832: Patch to make sure selinux labels are correct.

This patch to vpnc-script will make sure the directories and devices that are created in the vpnc-script are labeled correctly.

(In reply to comment #20)
> This patch to vpnc-script will make sure the directories and devices that are
> created in the vpnc-script are labeled correctly.

Daniel, is this patch sufficient to solve the whole issue described in this bug report, or is it necessary to change the selinux policies too?

No, after the script is fixed, SELinux policy changes are necessary also.

I have fixed the script in vpnc for RAWHIDE. New packages including the bug-fix for F16 and F15 are on their way. I'll now move the bug to the selinux-policy component to track the remaining changes.
vpnc-0.5.3-13.svn457.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/vpnc-0.5.3-13.svn457.fc16
vpnc-0.5.3-13.svn457.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/vpnc-0.5.3-13.svn457.fc15
Thanks, tested it; it works already, but has some additional warnings.

On the command line:

-----------------------
mknod: `/dev/net/tun': File exists
Permission denied
VPNC started in background (pid: 2386)...
-----------------------

and the sealert here:

-----------------------
SELinux is preventing /bin/bash from getattr access on the chr_file /dev/net/tun.

***** Plugin restorecon (90.5 confidence) suggests *************************

If you want to fix the label.
/dev/net/tun default label should be tun_tap_device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/net/tun

***** Plugin device (9.50 confidence) suggests *****************************

If you want to allow bash to have getattr access on the tun chr_file
Then you need to change the label on /dev/net/tun to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '/dev/net/tun'
# restorecon -v '/dev/net/tun'

***** Plugin catchall (1.40 confidence) suggests ***************************

If you believe that bash should be allowed getattr access on the tun chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep vpnc-script /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/net/tun [ chr_file ]
Source                        vpnc-script
Source Path                   /bin/bash
Port                          <Unknown>
Host                          pikkud.mobile.fp.nsn-rdnet.net
Source RPM Packages           bash-4.2.10-4.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pikkud.mobile.fp.nsn-rdnet.net
Platform                      Linux pikkud.mobile.fp.nsn-rdnet.net 2.6.35.10-74.fc14.i686 #1 SMP Thu Dec 23 16:17:40 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Mon 29 Aug 2011 01:24:48 PM EEST
Last Seen                     Wed 14 Sep 2011 09:33:03 AM EEST
Local ID                      1a07c573-f35e-4f8a-938f-7fe6892c50a0

Raw Audit Messages
type=AVC msg=audit(1315981983.590:61): avc: denied { getattr } for pid=2330 comm="vpnc-script" path="/dev/net/tun" dev=devtmpfs ino=32302 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1315981983.590:61): arch=i386 syscall=stat64 success=no exit=EACCES a0=9cd8770 a1=bf84e378 a2=345ff4 a3=9cd8776 items=0 ppid=2329 pid=2330 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=vpnc-script exe=/bin/bash subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)

Hash: vpnc-script,vpnc_t,device_t,chr_file,getattr

audit2allow

#============= vpnc_t ==============
allow vpnc_t device_t:chr_file getattr;

audit2allow -R

#============= vpnc_t ==============
allow vpnc_t device_t:chr_file getattr;
-----------------------

The restorecon doesn't change the file:

-----------------------
$ ls -laZ /dev/net/tun
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0 /dev/net/tun
$ sudo /sbin/restorecon -v /dev/net/tun
$ ls -laZ /dev/net/tun
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0 /dev/net/tun
-----------------------
Could you run this in permissive mode and gather all of the AVC messages?
I did:

1. sudo semanage permissive -a vpnc_t
2. sudo vpnc vpn.cnf

If I then remove permissive from vpnc_t, it won't happen again, so something gets labelled correctly at the first run.

------------------------
type=USER_START msg=audit(1316151233.553:70): user pid=2469 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'

type=AVC msg=audit(1316151240.704:71): avc: denied { getattr } for pid=2470 comm="vpnc-script" path="/dev/net/tun" dev=devtmpfs ino=37429 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316151240.704:71): arch=40000003 syscall=195 success=yes exit=0 a0=9670770 a1=bfe66558 a2=345ff4 a3=9670776 items=0 ppid=2469 pid=2470 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vpnc-script" exe="/bin/bash" subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)
------------------------
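The AVC records quoted through this report (the mkdir and modprobe dir denials in the initial report, the /dev/net/tun chr_file denials that Dan explains as a transient mislabel, and the permissive-mode run just above) can be triaged with a short script. The following is an added example written for this page, not code from vpnc, Fedora or the audit2allow tool. It parses AVC and SYSCALL records, aggregates them into allow rules the way audit2allow does, marks records that were logged in permissive mode (success=yes on the paired SYSCALL record, or the permissive=1 field newer kernels add to the AVC line), and flags denials where the target already carries a type other than its expected default, which is the case restorecon or a correctly labeling script fixes rather than a policy module. The sample log is constructed from lines quoted in this report (some SYSCALL fields trimmed to "..."), and EXPECTED_LABELS is an assumed stand-in for matchpathcon(1), seeded with the one default the sealert restorecon plugin states above.

```python
"""Triage SELinux AVC denials: audit2allow-style rules, permissive-mode
records, and denials that are really a labeling problem.

Added example for this report, not code from vpnc, Fedora or audit2allow."""
import re
import sys
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: AVC/SYSCALL records quoted in this report, some SYSCALL
# fields trimmed to "...". The last pair comes from the permissive-mode run.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1313587078.104:70): avc: denied { write } for pid=2586 comm="mkdir" name="/" dev=devtmpfs ino=4 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
type=SYSCALL msg=audit(1313587078.104:70): arch=i386 syscall=mkdir success=no exit=EACCES ... comm=mkdir exe=/bin/mkdir key=(null)
type=AVC msg=audit(1313588080.902:109): avc: denied { add_name } for pid=3593 comm="mkdir" name="net" scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
type=SYSCALL msg=audit(1313588080.902:109): arch=i386 syscall=mkdir success=no exit=EACCES ...
type=AVC msg=audit(1313588307.618:128): avc: denied { read } for pid=4398 comm="modprobe" name="modprobe.d" dev=dm-1 ino=46 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1313588307.618:128): arch=i386 syscall=open success=no exit=EACCES ...
type=AVC msg=audit(1314613488.965:263): avc: denied { read write } for pid=9852 comm="vpnc-script" name="tun" dev=devtmpfs ino=97311 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1314613488.965:263): arch=40000003 syscall=5 success=no exit=-13 ...
type=AVC msg=audit(1316151240.704:71): avc: denied { getattr } for pid=2470 comm="vpnc-script" path="/dev/net/tun" dev=devtmpfs ino=37429 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316151240.704:71): arch=40000003 syscall=195 success=yes exit=0 ...
"""

# Assumed stand-in for matchpathcon(1): the only entry is the default that the
# sealert restorecon plugin states in this report. Query the policy on a real host.
EXPECTED_LABELS = {"/dev/net/tun": "tun_tap_device_t"}

AVC_RE = re.compile(r"msg=audit\((?P<stamp>[\d.]+:\d+)\):\s+avc:\s+denied\s+"
                    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
SYSCALL_RE = re.compile(r"type=SYSCALL\s+msg=audit\((?P<stamp>[\d.]+:\d+)\):\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def _fields(text):
    """Split 'key=value key="quoted value"' pairs into a dict."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD_RE.findall(text)}


@dataclass
class Denial:
    stamp: str          # audit(<time>:<serial>) ties the AVC to its SYSCALL record
    perms: frozenset
    scontext: str
    tcontext: str
    tclass: str
    target: str         # full path when the kernel logged one, else the bare name
    permissive: bool = False

    @property
    def stype(self):
        return self.scontext.split(":")[2]

    @property
    def ttype(self):
        return self.tcontext.split(":")[2]


def parse_audit_log(text):
    """Return Denial objects in log order, with permissive-mode records marked."""
    by_stamp, allowed = {}, set()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            f = _fields(m.group("rest"))
            by_stamp.setdefault(m.group("stamp"), []).append(Denial(
                stamp=m.group("stamp"), perms=frozenset(m.group("perms").split()),
                scontext=f["scontext"], tcontext=f["tcontext"], tclass=f["tclass"],
                target=f.get("path") or f.get("name", "?"),
                permissive=f.get("permissive") == "1"))   # field on newer kernels
            continue
        m = SYSCALL_RE.search(line)
        # A denied AVC whose syscall still succeeded means the domain was permissive.
        if m and _fields(m.group("rest")).get("success") == "yes":
            allowed.add(m.group("stamp"))
    out = []
    for stamp, ds in by_stamp.items():
        for d in ds:
            d.permissive = d.permissive or stamp in allowed
            out.append(d)
    return out


def allow_rules(denials):
    """Aggregate denials into 'allow src tgt:class { perms };' like audit2allow."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d.stype, d.ttype, d.tclass)] |= d.perms
    rules = []
    for (s, t, c), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append(f"allow {s} {t}:{c} {perm_txt};")
    return rules


def classify(d, expected=EXPECTED_LABELS):
    """'relabel': object carries a type other than its default (fix: restorecon).
    'policy': label is right, the domain really lacks the permission.
    'unknown': the AVC has no full path, so the default cannot be looked up."""
    want = expected.get(d.target) if d.target.startswith("/") else None
    if want is None:
        return "unknown"
    return "relabel" if want != d.ttype else "policy"


def triage(text, expected=EXPECTED_LABELS):
    ds = parse_audit_log(text)
    return {"rules": allow_rules(ds),
            "permissive": [d.stamp for d in ds if d.permissive],
            "relabel": sorted({d.target for d in ds if classify(d, expected) == "relabel"})}


if __name__ == "__main__":
    # Usage: python3 avc_triage.py [/var/log/audit/audit.log]; no argument uses the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for key, items in triage(text).items():
        print(key + ":", *items, sep="\n  ")
```

A "relabel" verdict means the right fix is restorecon on the object (or, as in this bug, having the script that creates the node label it immediately). Pasting the audit2allow rule for device_t instead would grant vpnc_t getattr/read/write on every device node still carrying the generic device_t label, which is far wider than the one tun device the script needs.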
I guess you can reproduce by removing /dev/net/tun
vpnc-0.5.3-13.svn457.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
vpnc-0.5.3-13.svn457.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15
Package selinux-policy-3.9.16-48.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15 then log in and leave karma (feedback).
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.