Bug 789342 - RFE: Default SELinux policy does not support multiple OpenVPN instances

Summary: RFE: Default SELinux policy does not support multiple OpenVPN instances
Keywords:
Status: CLOSED DUPLICATE of bug 922732
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 985435

Reported: 2012-02-10 14:23 UTC by E.Patton
Modified: 2013-08-07 06:40 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Clones: 985435
Environment:
Last Closed: 2013-08-06 20:40:06 UTC
Target Upstream Version:
Embargoed:

Description E.Patton 2012-02-10 14:23:19 UTC
Description of problem:

Default SELinux policy does not work well when running multiple instances of OpenVPN on a single system.

When multiple instances of OpenVPN supporting different trust domains are running on a single system, it is necessary for the ipp.txt file to be renamed so that there is a different ipp.txt file for each instance of OpenVPN.

The ipp.txt file is used by OpenVPN to store IP addresses allocated to VPN clients (using the ifconfig-pool-persist directive). The ipp.txt file must be named distinctly for each running OpenVPN instance otherwise the various running instances of OpenVPN overwrite updates to ipp.txt made by other OpenVPN instances.

ipp.txt is the default given in most OpenVPN example configurations but there is no requirement for the file to be named so and the OpenVPN package clearly allows other names to be used (presumably because of the aforementioned overwriting issue).

OpenVPN is installed from EPEL.

The ipp.txt file is stored in /etc/openvpn/ and is labelled openvpn_etc_rw_t. Files in /etc/openvpn that are not used for ifconfig-pool-persist purposes are of type openvpn_etc_t. 

The default policy for OpenVPN is, however, hardwired to allow only /etc/openvpn/ipp.txt:

"/etc/selinux/targeted/modules/active/file_contexts:/etc/openvpn/ipp.txt --      system_u:object_r:openvpn_etc_rw_t:s0"

Hardwiring the policy to a single file name is inconsistent with the approach adopted for related aspects of policy which, for example, allow arbitrary (within reason!) filenames for the configuration files for each trust domain.

Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux Server release 6.2 (Santiago)
openvpn-2.2.1-1.el6.x86_64
selinux-policy-targeted-3.7.19-126.el6_2.4.noarch
selinux-policy-3.7.19-126.el6_2.4.noarch

How reproducible:

Every time.

Steps to Reproduce:
1. Install and configure OpenVPN with an ifconfig-pool-persist configuration that uses a storage location other than ipp.txt, e.g.

ifconfig-pool-persist /etc/openvpn/trustdomain_one_ipp.txt

Actual results:

OpenVPN fails when a client first connects as the default SELinux type for the file (say) /etc/openvpn/trustdomain_one_ipp.txt is openvpn_etc_t rather than openvpn_etc_rw_t.

# aureport -a |grep openvpn
1. 03/02/12 16:23:29 openvpn unconfined_u:system_r:openvpn_t:s0 2 file write system_u:object_r:openvpn_etc_t:s0 denied 56517

/var/log/messages


Feb  3 16:23:33 xxxxxx setroubleshoot: SELinux is preventing /usr/sbin/openvpn from write access on the file /etc/openvpn xxxxxxxxxx_ipp.txt. For complete SELinux messages. run sealert -l 7067460d-6917-4190-8ed8-e857b91ef442


Expected results:

OpenVPN enjoys unimpeded access to multiple ifconfig-pool-persist files with names other than ipp.txt

Additional info:

The immediate fix for us was to manually set the file's label (slightly tiresome with 10 running instances but not insurmountable):

semanage fcontext -a -t openvpn_etc_rw_t /etc/openvpn/trustdomain_one_ipp.txt 

I can see that there might be an overlapping wildcard problem with respect to the default labelling of files in /etc/openvpn and suggest that consideration be given to changing the policy for ipp.txt to be *ipp.txt. However, I note that there is no defined convention (that I am aware of) for naming such files.

Alternatively, https://bugzilla.redhat.com/show_bug.cgi?id=746173 looks like it might address the use of OpenVPN-style VPNs on RHEL. It might be easier to document the above semanage statement rather than change the default policy.
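
As an added illustration (not part of this report or of the selinux-policy package), the following Python script shows the labelling problem described above and the *ipp.txt fix the report suggests. It extracts each server config's ifconfig-pool-persist path, emulates how libselinux picks a file context (every regex is anchored to the whole path and the last matching entry wins, which is why a file_contexts.local entry overrides the base policy), and reports the pool files that would be labelled openvpn_etc_t instead of openvpn_etc_rw_t, together with the semanage/restorecon commands that relabel them. It also flags two instances sharing one pool file, the overwrite problem the report describes. The sample config files, the rule list (an approximation of the file_contexts entries quoted above) and the resolution of relative pool paths against /etc/openvpn are constructed assumptions for this demo.

```python
import os
import re

# Constructed sample server configs (not from the report) sharing /etc/openvpn.
# legacy.conf and legacy2.conf both use the default pool file, which is the
# overwrite problem the report describes.
SAMPLE_CONFIGS = {
    "/etc/openvpn/trustdomain_one.conf":
        "port 1194\ndev tun0\nifconfig-pool-persist /etc/openvpn/trustdomain_one_ipp.txt\n",
    "/etc/openvpn/trustdomain_two.conf":
        "port 1195\ndev tun1\nifconfig-pool-persist /etc/openvpn/trustdomain_two_ipp.txt\n",
    "/etc/openvpn/legacy.conf":
        "port 1196\nifconfig-pool-persist ipp.txt\n",
    "/etc/openvpn/legacy2.conf":
        "port 1197\nifconfig-pool-persist /etc/openvpn/ipp.txt\n",
}

# Approximation of the file_contexts entries quoted in the report: a catch-all
# for /etc/openvpn and one hard-wired entry for ipp.txt. The '--' file type
# restricts an entry to regular files; None matches any file type.
BASE_RULES = [
    (r"/etc/openvpn(/.*)?", None, "openvpn_etc_t"),
    (r"/etc/openvpn/ipp\.txt", "--", "openvpn_etc_rw_t"),
]
# The "*ipp.txt" rule the reporter suggests, as semanage would append it to
# file_contexts.local (local entries are consulted after the base entries).
LOCAL_RULE = (r"/etc/openvpn/.*ipp\.txt", None, "openvpn_etc_rw_t")

POOL_RE = re.compile(r"^\s*ifconfig-pool-persist\s+(\S+)", re.MULTILINE)


def pool_persist_files(configs):
    """Return (config_path, pool_file) for each config using ifconfig-pool-persist.
    Assumption: a relative pool file is resolved against the config's own
    directory, as when the service runs with /etc/openvpn as working directory."""
    found = []
    for cfg_path, text in configs.items():
        match = POOL_RE.search(text)
        if match is None:
            continue
        pool = match.group(1)
        if not pool.startswith("/"):
            pool = os.path.join(os.path.dirname(cfg_path), pool)
        found.append((cfg_path, pool))
    return found


def expected_label(path, rules, ftype="--"):
    """Emulate matchpathcon(3): each regex must match the whole path and the
    LAST matching entry wins, so a later (local) entry overrides an earlier one."""
    label = None
    for regex, rule_ftype, rule_label in rules:
        if rule_ftype is not None and rule_ftype != ftype:
            continue
        if re.fullmatch(regex, path):
            label = rule_label
    return label


def shared_pool_files(configs):
    """Pool files referenced by more than one instance; those instances would
    overwrite each other's client address allocations."""
    users = {}
    for cfg_path, pool in pool_persist_files(configs):
        users.setdefault(pool, []).append(cfg_path)
    return {pool: cfgs for pool, cfgs in users.items() if len(cfgs) > 1}


def audit_pool_files(configs, rules, required="openvpn_etc_rw_t"):
    """(pool_file, label) for every pool file the rules would NOT label writable,
    i.e. the files the openvpn_t domain will be denied write access to."""
    return [(pool, expected_label(pool, rules))
            for _cfg, pool in pool_persist_files(configs)
            if expected_label(pool, rules) != required]


def fix_commands(problems, required="openvpn_etc_rw_t"):
    """Per-file relabel commands, the manual fix the report applied."""
    cmds = []
    for pool, _label in problems:
        cmds.append(f"semanage fcontext -a -t {required} {pool}")
        cmds.append(f"restorecon -v {pool}")
    return cmds


if __name__ == "__main__":
    for pool, cfgs in shared_pool_files(SAMPLE_CONFIGS).items():
        print(f"WARNING: {pool} is shared by {', '.join(cfgs)}")
    print("With the base policy only:")
    problems = audit_pool_files(SAMPLE_CONFIGS, BASE_RULES)
    for pool, label in problems:
        print(f"  {pool} -> {label} (openvpn will be denied write)")
    for cmd in fix_commands(problems):
        print("  " + cmd)
    print("With the *ipp.txt local rule added:")
    print("  problems:", audit_pool_files(SAMPLE_CONFIGS, BASE_RULES + [LOCAL_RULE]))
    # The broader rule leaves the config files themselves as openvpn_etc_t:
    print("  trustdomain_one.conf ->",
          expected_label("/etc/openvpn/trustdomain_one.conf", BASE_RULES + [LOCAL_RULE]))
```

Run as-is it prints the two trust-domain pool files that the base rules leave as openvpn_etc_t, the per-file semanage lines for them, and then an empty problem list once the broader local rule is in place; the last line shows that the broader rule does not accidentally relabel the .conf files, which is the overlapping-wildcard concern raised above.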

Comment 2 Daniel Walsh 2012-02-10 15:16:51 UTC
Can we get this file moved to a directory that is supposed to be writable like /var/lib/openvpn or, if not that, /etc/openvpn/ipp/? I am not crazy about confined domains writing to /etc.

Then the handling of this type of issue becomes a lot easier. I have no problem fixing the label to be broader, although we have not seen this in Fedora. But moving it to a directory would allow us to set the label on the directory and then an admin creating a new file would get the correct label without having to think about SELinux.

Comment 3 RHEL Program Management 2012-05-03 05:20:18 UTC
Since RHEL 6.3 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker.

Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

Comment 4 Miroslav Grepl 2013-08-06 20:34:49 UTC
We added SELinux support for /var/lib/openvpn.

Comment 5 Miroslav Grepl 2013-08-06 20:40:06 UTC

*** This bug has been marked as a duplicate of bug 922732 ***