Bug 820339 - selinux policy does not allow openvpn to access brctl for bridge operations
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-05-09 13:07 EDT by Erik M Jacobs
Modified: 2013-12-06 12:29 EST
Last Closed: 2013-12-06 12:29:12 EST
Type: Bug
Doc Type: Bug Fix
Attachments: None
Description Erik M Jacobs 2012-05-09 13:07:36 EDT
Description of problem:
When setting up bridged vpns with openvpn, you need to perform bridge operations (brctl) in order to set up the tap bridge after openvpn starts. The default selinux policy does not permit this activity.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-126.el6_2.10.noarch
openvpn-2.2.1-1.el6.x86_64
selinux-policy-3.7.19-126.el6_2.10.noarch

How reproducible:
100%

Steps to Reproduce:
1. Set up openvpn to use tap/bridge, and create a bridge script that calls brctl
2. start openvpn
  
Actual results:
Failure message is output regarding permission denied to access /usr/sbin/brctl

Expected results:
Access is allowed.

Additional info:
[root@mordor openvpn]# ausearch -m avc -ts 13:02:17
----
time->Wed May  9 13:02:31 2012
type=SYSCALL msg=audit(1336582951.707:82800): arch=c000003e syscall=59 success=yes exit=0 a0=183f330 a1=183d7f0 a2=183d4a0 a3=28 items=0 ppid=1920 pid=1921 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=8964 comm="brctl" exe="/usr/sbin/brctl" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1336582951.707:82800): avc:  denied  { execute_no_trans } for  pid=1921 comm="bridge-start" path="/usr/sbin/brctl" dev=dm-0 ino=143717 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1336582951.707:82800): avc:  denied  { read open } for  pid=1921 comm="bridge-start" name="brctl" dev=dm-0 ino=143717 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1336582951.707:82800): avc:  denied  { execute } for  pid=1921 comm="bridge-start" name="brctl" dev=dm-0 ino=143717 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
[root@mordor openvpn]# ausearch -m avc -ts 13:02:17 | audit2allow


#============= openvpn_t ==============
allow openvpn_t brctl_exec_t:file { read execute open execute_no_trans };

Perhaps there should be a boolean?
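The AVC records above, parsed and aggregated into the same kind of allow rule that audit2allow printed, as an added example that is not part of the bug report or the selinux-policy project. The three sample lines are copied from the report; permission names are sorted for a stable result, and the review check flags execute_no_trans because that permission lets openvpn_t run brctl with no domain transition, so any such rule deserves a look before it is loaded as a local module.

```python
import re
from collections import OrderedDict

# Constructed sample input: the three AVC denial lines from the report above.
SAMPLE_AVC = """\
type=AVC msg=audit(1336582951.707:82800): avc:  denied  { execute_no_trans } for  pid=1921 comm="bridge-start" path="/usr/sbin/brctl" dev=dm-0 ino=143717 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1336582951.707:82800): avc:  denied  { read open } for  pid=1921 comm="bridge-start" name="brctl" dev=dm-0 ino=143717 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1336582951.707:82800): avc:  denied  { execute } for  pid=1921 comm="bridge-start" name="brctl" dev=dm-0 ino=143717 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
"""

# Matches the permission set, source/target contexts and object class of one AVC denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, [perms]) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other audit noise carry no denial
        stype = m.group('scontext').split(':')[2]   # user:role:type:level -> type
        ttype = m.group('tcontext').split(':')[2]
        yield stype, ttype, m.group('tclass'), m.group('perms').split()


def build_allow_rules(text):
    """Merge denials into one rule per (source, target, class), like audit2allow does."""
    rules = OrderedDict()
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    return rules


def format_rules(rules):
    """Render rules in policy syntax; permissions sorted so output is deterministic."""
    return "\n".join(
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in rules.items()
    )


def review_notes(rules):
    """Flag rules that let the source domain execute a file without a domain transition."""
    return [f"{stype} runs {ttype} without a transition (execute_no_trans)"
            for (stype, ttype, tclass), perms in rules.items()
            if tclass == "file" and "execute_no_trans" in perms]


if __name__ == "__main__":
    rules = build_allow_rules(SAMPLE_AVC)
    print(format_rules(rules))
    for note in review_notes(rules):
        print("# review:", note)
```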
Comment 1 Christopher Meng 2013-09-08 02:51:14 EDT
Status?
Comment 2 Erik M Jacobs 2013-09-09 19:56:23 EDT
No idea. It's over a year old and I've moved on to other projects.  I don't even really remember why I was testing this at the time. Sorry!
Comment 3 Daniel Walsh 2013-11-12 10:38:50 EST
cc19809a17eda7a9750dbcbf1ff8458479b6b04d fixes this in git.

Should be available in the next rawhide release.

Should be back ported to RHEL6 and RHEL7 as well as fedora 19-21
Comment 4 Christopher Meng 2013-11-12 10:40:31 EST
Thanks.

I met this problem a long time ago, but not until a few minutes ago did I realize that this bug had been assigned to the wrong people.