Re: AVC denied messages for openvpn and procmail

[Daniel J Walsh <dwalsh redhat com>]

Tony Molloy wrote:
> Hi,
>
> I'm trying to get up to speed on SElinux so sorry for being so long.
>
> I've managed to get rid of various avc denied messages. However I'm 
> getting the following two AVC denied messages from setroubleshoot. They 
> are not causing any problems but I would like to know how to go about 
> getting rid of them. Would I need to have some sort of local policy.
>
> I'll include the complete message here.
>
>   
> > Summary
> >     
>
>   
> > SELinux is preventing /sbin/ifconfig (ifconfig_t) "write" 
> > to /etc/openvpn/openvpn.log (openvpn_etc_t).
> >     
>
>   
> > Detailed Description
> >     
>
>   
> > SELinux denied access requested by /sbin/ifconfig. It is not expected 
> > that this access is required by /sbin/ifconfig and this access may 
> > signal an intrusion attempt. It is also possible that the specific 
> > version or configuration of the application is causing it to require 
> > additional access.
> >     
>
>   
> > Allowing Access
> >     
>
>   
> > Sometimes labeling problems can cause SELinux denials. You could try to 
> > restore the default system file context for /etc/openvpn/openvpn.log, 
> > restorecon -v /etc/openvpn/openvpn.log If this does not work, there is 
> > currently no automatic way to allow this access. Instead, you can 
> > generate a local policy module to allow this access - see FAQ Or you can 
> > disable SELinux protection altogether. Disabling SELinux protection is 
> > not recommended. Please file a bug report against this package.
> >     
>
>   
> > Additional Information
> >     
>
>   
> > Source Context	system_u:system_r:ifconfig_t:s0
> > Target Context	system_u:object_r:openvpn_etc_t:s0
> > Target Objects	/etc/openvpn/openvpn.log [ file ]
> > Affected RPM Packages	net-tools-1.60-73 [application]
> > Policy RPM	selinux-policy-2.4.3-10.fc6
> > Selinux Enabled	True
> > Policy Type	targeted
> > MLS Enabled	True
> > Enforcing Mode	Enforcing
> > Plugin Name	plugins.catchall
> > Host Name	localhost
> > Platform	Linux localhost 2.6.18-1.8492.fc6 #1 SMP Fri Nov 10 12:45:28 EST 
> > 2006 i686 i686
> >     
>
>   
> > Raw Audit Messages
> >     
>
>   
> > avc: denied { write } for comm='"ifconfig"' dev='sda10' egid='0' euid='0' 
> > exe='"/sbin/ifconfig"' exit='0' fsgid='0' fsuid='0' gid='0' items='0' 
> > name='"openvpn.log"' path='"/etc/openvpn/openvpn.log"' pid='2983' 
> > scontext=system_u:system_r:ifconfig_t:s0 sgid='0' 
> > subj='system_u:system_r:ifconfig_t:s0' suid='0' tclass='file' 
> > tcontext=system_u:object_r:openvpn_etc_t:s0 tty='(none)' uid='0' 
> >     
>
> This is on a laptop. I tried "restorecon -v /etc/openvpn/openvpn.log"  but 
> since openvpn.log is recreated on each boot then it's always going to 
> have the wrong label. How can I get rid of this. 
>   
This is a bug in openvpn.  Please report to them that they are leaking 
the open file descript to their log file.   Basically it is leaking a 
file descriptor which is causing this access.  This is not really a 
problem.  In that ifconfig does not need this access to function 
correctly.  You can tell setroubleshoot to ignore the message and it 
will stop bothering you, until openvpn fixes their problem.
>   
> > Summary
> >     
>
>   
> > SELinux is preventing access to files with the default label, default_t.
> >     
>
>   
> > Detailed Description
> >     
>
>   
> > These files have the default label on them. This can indicate a labeling 
> > problem, especially if the files being referred to are not top level 
> > directories. IE everything under /usr, /var. /dev, /tmp, ... should not 
> > be labeled with the default label. The default label is for files who do 
> > not have a label on a parent directory. So if you create a new directory 
> > in / you might legitimately get this label.
> >     
>
>   
> > Allowing Access
> >     
>
>   
> > If you want a confined domain to use these files you will probably need 
> > to relabel the file/directory with chcon. In some cases it is just 
> > easier to relabel the system, to relabel execute: "touch /.autorelabel; 
> > reboot"
> >     
>
>   
> > Additional Information
> >     
>
>   
> > Source Context	system_u:system_r:procmail_t:s0
> > Target Context	system_u:object_r:default_t:s0
> > Target Objects	/ [ dir ]
> > Affected RPM Packages	procmail-3.22-17.1 [application]filesystem-2.4.0-1 
> > [target]
> > Policy RPM	selinux-policy-2.4.3-10.fc6
> > Selinux Enabled	True
> > Policy Type	targeted
> > MLS Enabled	True
> > Enforcing Mode	Enforcing
> > Plugin Name	plugins.default
> > Host Name	localhost
> > Platform	Linux localhost 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST 
> > 2006 i686 i686
> >     
>
>   
> > Raw Audit Messages
> >     
>
>   
> > avc: denied { search } for comm='"procmail"' dev='sda8' egid='12' 
> > euid='0' exe='"/usr/bin/procmail"' exit='-13' fsgid='12' fsuid='0' 
> > gid='12' items='0' name='"/"' pid='3112' 
> > scontext=system_u:system_r:procmail_t:s0 sgid='12' 
> > subj='system_u:system_r:procmail_t:s0' suid='0' tclass='dir' 
> > tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0' 
> >     
>
>
> Again I tried "touch /.autorelabel; >reboot" but I keep getting the avc 
> denied message.
>
> Regards,
>
> Tony
>   

/ should be labeled root_t? not default_t?

ls -lZd /
restorcon /
ls -lZd /