Description of problem:
Default SELinux policy does not work well when running multiple instances of OpenVPN on a single system. When multiple instances of OpenVPN supporting different trust domains are running on a single system, it is necessary for the ipp.txt file to be renamed so that there is a different ipp.txt file for each instance of OpenVPN. The ipp.txt file is used by OpenVPN to store IP addresses allocated to VPN clients (using the ifconfig-pool-persist directive). The ipp.txt file must be named distinctly for each running OpenVPN instance, otherwise the various running instances of OpenVPN overwrite updates to ipp.txt made by other OpenVPN instances. ipp.txt is the default given in most OpenVPN example configurations, but there is no requirement for the file to be named so, and the OpenVPN package clearly allows other names to be used (presumably because of the aforementioned overwriting issue).

OpenVPN is installed from EPEL. The ipp.txt file is stored in /etc/openvpn/ and is labelled openvpn_etc_rw_t. Files in /etc/openvpn that are not used for ifconfig-pool-persist purposes are of type openvpn_etc_t. The default policy for OpenVPN is, however, hardwired to allow only /etc/openvpn/ipp.txt:

/etc/selinux/targeted/modules/active/file_contexts:/etc/openvpn/ipp.txt -- system_u:object_r:openvpn_etc_rw_t:s0

Hardwiring the policy to a single file name is inconsistent with the approach adopted for related aspects of policy which, for example, allow arbitrary (within reason!) filenames for the configuration files for each trust domain.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 6.2 (Santiago)
openvpn-2.2.1-1.el6.x86_64
selinux-policy-targeted-3.7.19-126.el6_2.4.noarch
selinux-policy-3.7.19-126.el6_2.4.noarch

How reproducible:
Every time.

Steps to Reproduce:
1. Install and configure OpenVPN with an ifconfig-pool-persist configuration that uses a storage location other than ipp.txt, e.g.
   ifconfig-pool-persist /etc/openvpn/trustdomain_one_ipp.txt

Actual results:
OpenVPN fails when a client first connects, as the default SELinux type for the file (say) /etc/openvpn/trustdomain_one_ipp.txt is openvpn_etc_t rather than openvpn_etc_rw_t.

# aureport -a |grep openvpn
1. 03/02/12 16:23:29 openvpn unconfined_u:system_r:openvpn_t:s0 2 file write system_u:object_r:openvpn_etc_t:s0 denied 56517

/var/log/messages
Feb 3 16:23:33 xxxxxx setroubleshoot: SELinux is preventing /usr/sbin/openvpn from write access on the file /etc/openvpn xxxxxxxxxx_ipp.txt. For complete SELinux messages. run sealert -l 7067460d-6917-4190-8ed8-e857b91ef442

Expected results:
OpenVPN enjoys unimpeded access to multiple ifconfig-pool-persist files with names other than ipp.txt.

Additional info:
The immediate fix for us was to manually set the file's label (slightly tiresome with 10 running instances but not insurmountable):

semanage fcontext -a -t openvpn_etc_rw_t /etc/openvpn/trustdomain_one_ipp.txt

I can see that there might be an overlapping wildcard problem with respect to the default labelling of files in /etc/openvpn and suggest that consideration be given to changing the policy for ipp.txt to be *ipp.txt. However, I note that there is no defined convention (that I am aware of) for naming such files. Alternatively, https://bugzilla.redhat.com/show_bug.cgi?id=746173 looks like it might address the use of OpenVPN-style VPNs on RHEL. It might be easier to document the above semanage statement rather than change the default policy.
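To show why the renamed pool file picks up openvpn_etc_t and how the two remedies in the report change that, here is an added Python model of file_contexts matching; it is not part of the bug report or of SELinux's own tooling. The policy lines are a constructed two-entry subset built around the line quoted above, the matching rules (whole-path regex match, file-type filter such as `--`, last matching entry wins, local semanage rules appended after the base policy) are my assumption of how libselinux behaves, and `.*ipp\.txt` is the report's "*ipp.txt" written as a file_contexts regex.

```python
import re

# Constructed subset of the targeted policy's file_contexts, in file order.
DEFAULT_FILE_CONTEXTS = r"""
/etc/openvpn(/.*)?          system_u:object_r:openvpn_etc_t:s0
/etc/openvpn/ipp\.txt   --  system_u:object_r:openvpn_etc_rw_t:s0
"""

def parse_file_contexts(text):
    """Parse file_contexts lines into (regex, file_type, context) tuples.
    Two fields: applies to every object class; three fields: the middle one
    is a type filter such as '--' (regular file) or '-d' (directory)."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) not in (2, 3):
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append((parts[0], parts[1] if len(parts) == 3 else None, parts[-1]))
    return specs

def add_local_fcontext(specs, regex, setype, ftype=None):
    """Model 'semanage fcontext -a [-f ftype] -t setype regex' (assumed): the
    local rule is appended after the base policy, so it takes precedence."""
    return specs + [(regex, ftype, f"system_u:object_r:{setype}:s0")]

def match_type(specs, path, ftype="--"):
    """SELinux type a path would get, or None. Assumed libselinux semantics:
    the regex must match the whole path, a spec with a file-type filter only
    applies to that object type, and the last matching spec wins."""
    for regex, spec_type, context in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue
        if re.fullmatch(regex, path):
            return context.split(":")[2]
    return None

def label_for_renamed_ipp(policy="default"):
    """Type /etc/openvpn/trustdomain_one_ipp.txt would get under the default
    policy, the admin's exact-path workaround, or the suggested *ipp.txt rule."""
    specs = parse_file_contexts(DEFAULT_FILE_CONTEXTS)
    if policy == "workaround":   # semanage fcontext -a -t openvpn_etc_rw_t <path>
        specs = add_local_fcontext(specs, r"/etc/openvpn/trustdomain_one_ipp\.txt",
                                   "openvpn_etc_rw_t")
    elif policy == "broad":      # the report's "*ipp.txt" suggestion, as a regex
        specs = add_local_fcontext(specs, r"/etc/openvpn/.*ipp\.txt",
                                   "openvpn_etc_rw_t", ftype="--")
    return match_type(specs, "/etc/openvpn/trustdomain_one_ipp.txt")
```

Calling label_for_renamed_ipp() with "default", "workaround" and "broad" reproduces the denial (openvpn_etc_t) and both fixes (openvpn_etc_rw_t); a directory named ipp.txt still falls through to openvpn_etc_t because the `--` filter skips it.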
Can we get this file moved to a directory that is supposed to be writable, like /var/lib/openvpn or, if not that, /etc/openvpn/ipp/? I am not crazy about confined domains writing to /etc. Then the handling of this type of issue becomes a lot easier. I have no problem fixing the label to be broader, although we have not seen this in Fedora. But moving it to a directory would allow us to set the label on the directory, and then an admin creating a new file would get the correct label without having to think about SELinux.
Since RHEL 6.3 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
We added SELinux support for /var/lib/openvpn.
*** This bug has been marked as a duplicate of bug 922732 ***