Bug 820339 - selinux policy does not allow openvpn to access brctl for bridge operations
Summary: selinux policy does not allow openvpn to access brctl for bridge operations
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-05-09 17:07 UTC by Erik M Jacobs
Modified: 2013-12-06 17:29 UTC (History)
10 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-12-06 17:29:12 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Erik M Jacobs 2012-05-09 17:07:36 UTC 
Description of problem:
When setting up bridged vpns with openvpn, you need to perform bridge operations (brctl) in order to set up the tap bridge after openvpn starts. The default selinux policy does not permit this activity.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-126.el6_2.10.noarch
openvpn-2.2.1-1.el6.x86_64
selinux-policy-3.7.19-126.el6_2.10.noarch

How reproducible:
100%

Steps to Reproduce:
1. Set up openvpn tp use tap/bridge, and create a bridge script that calls brctl
2. start openvpn
  
Actual results:
Failure message is output regarding permission denied to access /usr/sbin/brctl

Expected results:
Access is allowed.

Additional info:
[root@mordor openvpn]# ausearch -m avc -ts 13:02:17
----
time->Wed May  9 13:02:31 2012
type=SYSCALL msg=audit(1336582951.707:82800): arch=c000003e syscall=59 success=yes exit=0 a0=183f330 a1=183d7f0 a2=183d4a0 a3=28 items=0 ppid=1920 pid=1921 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=8964 comm="brctl" exe="/usr/sbin/brctl" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1336582951.707:82800): avc:  denied  { execute_no_trans } for  pid=1921 comm="bridge-start" path="/usr/sbin/brctl" dev=dm-0 ino=143717 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1336582951.707:82800): avc:  denied  { read open } for  pid=1921 comm="bridge-start" name="brctl" dev=dm-0 ino=143717 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1336582951.707:82800): avc:  denied  { execute } for  pid=1921 comm="bridge-start" name="brctl" dev=dm-0 ino=143717 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
[root@mordor openvpn]# ausearch -m avc -ts 13:02:17 | audit2allow


#============= openvpn_t ==============
allow openvpn_t brctl_exec_t:file { read execute open execute_no_trans };

Perhaps there should be a boolean?
Comment 1 Christopher Meng 2013-09-08 06:51:14 UTC 
Status?
Comment 2 Erik M Jacobs 2013-09-09 23:56:23 UTC 
No idea. It's over a year old and I've moved on to other projects.  I don't even really remember why I was testing this at the time. Sorry!
Comment 3 Daniel Walsh 2013-11-12 15:38:50 UTC 
cc19809a17eda7a9750dbcbf1ff8458479b6b04d fixes this in git.

Should be available in the next rawhide release.

SHould be back ported to RHEL6 and RHEL7 as well as fedora 19-21
Comment 4 Christopher Meng 2013-11-12 15:40:31 UTC 
Thanks.

I met this problem long time ago, but until few minutes ago I realized that this bug has been assigned to wrong people.
Note You need to log in before you can comment on or make changes to this bug.