Re: openvpn on fedora 7
- From: Matthew Gillen <matt gillens us>
- To: Philip Tricca <phil noggle biz>
- Cc: fedora-selinux-list redhat com
- Subject: Re: openvpn on fedora 7
- Date: Fri, 08 Jun 2007 13:17:25 -0400
Philip Tricca wrote:
> Matthew Gillen wrote:
>> I had to add the following module before openvpn would work. The
>> first issue was that openvpn didn't have permission to write a .pid
>> file to /var/run/openvpn. The other problem seemed to be that a TCP
>> socket could not be created (the name_connect part).
>>
>> The dac_override is something that I don't get. Why would openvpn
>> need that?
>> Unix permissions problems?
>
> I believe "dac_override" means that a process running as root is trying
> to violate the DAC policy. Consider a file owned by user Alice with rw
> permissions for the owner, all else denied (600). Historically the root
> user is identified by the kernel and all DAC checks are bypassed.
> SELinux prevents processes running with root's uid from doing such
> things. This is a good example of SELinux attempting to turn root into
> just another regular user.
That's pretty cool.
> I've run into these things when my daemon, which is typically run as a
> lesser privileged user, is run as root. dac_override avcs were
> generated for reading all of the config files and writing to the log
> files (the ones that were already created).
Ok, so probably the unix permissions on /var/run/openvpn are messed up, where
it's owned by the openvpn user but it writes the pid file while running as
root before it drops privs. So if I fixed the unix perms I could probably
purge the dac_override part.
Thanks for the explanation.
Matt
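Added illustration, not part of the thread or of the openvpn project: a small Python script that models the DAC check Philip describes (root evaluated as if it were an ordinary user, which is exactly the access that CAP_DAC_OVERRIDE normally grants) and parses AVC denial lines to tell a dac_override denial apart from a type-enforcement denial such as the pid-file write. The audit lines, the openvpn uid/gid and the pid-file scenario numbers are constructed samples, not real log output.

```python
"""Why a root daemon trips SELinux's dac_override, and how to spot it in
AVC denials.  Added example, not code from the thread or from openvpn.

SELinux checks CAP_DAC_OVERRIDE whenever a uid-0 process opens something
that the plain mode bits would refuse to a non-root user.  If the file or
directory is owned by the daemon's own unprivileged account, fixing the
ownership removes the need for the capability altogether.
"""
import re

R, W, X = 4, 2, 1  # per-class permission bits, as in the low three bits of a mode

# Constructed sample AVC records in the /var/log/audit/audit.log format.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1181322000.123:45): avc:  denied  { dac_override } '
    'for  pid=2345 comm="openvpn" capability=1  '
    'scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:system_r:openvpn_t:s0 tclass=capability',
    'type=AVC msg=audit(1181322000.124:46): avc:  denied  { write } '
    'for  pid=2345 comm="openvpn" name="openvpn" dev=tmpfs ino=9876 '
    'scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into {'perms': [...], 'comm': ..., 'tclass': ...}.
    Returns None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    return rec


def dac_allows(uid, gid, groups, mode, owner_uid, owner_gid, want):
    """Plain mode-bit check, the way DAC is evaluated for a non-root user:
    pick the owner, group or other class and require every bit in `want`."""
    if uid == owner_uid:
        cls = (mode >> 6) & 7
    elif gid == owner_gid or owner_gid in groups:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return (cls & want) == want


def needs_dac_override(uid, gid, groups, mode, owner_uid, owner_gid, want):
    """True when root gets the access only through CAP_DAC_OVERRIDE, which
    is the case SELinux reports as a dac_override denial."""
    return uid == 0 and not dac_allows(uid, gid, groups, mode, owner_uid, owner_gid, want)


OPENVPN_UID, OPENVPN_GID = 995, 995  # constructed ids for the openvpn account


def pidfile_write_needs_override(dir_owner_uid, dir_owner_gid, dir_mode):
    """openvpn writes its pid file as root before dropping privileges;
    creating a file needs write+search on the directory."""
    return needs_dac_override(0, 0, set(), dir_mode, dir_owner_uid, dir_owner_gid, W | X)


def diagnose(line):
    """Turn an AVC line into a one-line hint for the administrator."""
    rec = parse_avc(line)
    if rec is None:
        return None
    comm = rec.get('comm', '?')
    if 'dac_override' in rec['perms']:
        return (f"{comm}: root bypassed the mode bits; check the ownership of "
                "the files it touches before allowing dac_override")
    if rec.get('tclass') == 'dir' and 'write' in rec['perms']:
        return (f"{comm}: needs write on directory {rec.get('name')} "
                f"({rec.get('tcontext')}); this wants an SELinux allow rule")
    return f"{comm}: denied {' '.join(rec['perms'])} on {rec.get('tclass')}"


if __name__ == '__main__':
    # Alice's 600 file from the thread: root reading it relies on dac_override.
    print(needs_dac_override(0, 0, set(), 0o600, 1000, 1000, R))        # True
    # /var/run/openvpn owned by openvpn, 0755: root's pid write relies on it.
    print(pidfile_write_needs_override(OPENVPN_UID, OPENVPN_GID, 0o755))  # True
    # Same directory owned by root: no capability needed.
    print(pidfile_write_needs_override(0, 0, 0o755))                      # False
    for avc in SAMPLE_AVCS:
        print(diagnose(avc))
```

The two sample denials map onto Matt's two problems: the `capability` class denial is the DAC bypass that goes away once the directory's owner matches the uid that actually writes there, while the `dir` write denial is a type-enforcement decision that only a policy rule can change.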