[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Openvpn and Selinux



Hi,

In my F10 installation selinux seems to prevent working openvpn. After
connection openvpn wants to modify /etc/resolv.conf that is not
allowed I think.

I start openvpn by the command

[root ~]# /etc/init.d/openvpn start

and I get selinux messages like this:

---
Summary:
SELinux is preventing cp (openvpn_t) "write" to ./etc (etc_t).
Detailed Description:
SELinux is preventing cp (openvpn_t) "write" to ./etc (etc_t). The SELinux type
etc_t, is a generic type for all files in the directory and very few processes
(SELinux Domains) are allowed to write to this SELinux type. This type of denial
usual indicates a mislabeled file. By default a file created in a directory has
the gets the context of the parent directory, but SELinux policy has rules about
the creation of directories, that say if a process running in one SELinux Domain
(D1) creates a file in a directory with a particular SELinux File Context (F1)
the file gets a different File Context (F2). The policy usually allows the
SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for
some reason a file (./etc) was created with the wrong context, this domain will
be denied. The usual solution to this problem is to reset the file context on
the target file, restorecon -v './etc'. If the file context does not change from
etc_t, then this is probably a bug in policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If it does change, you can try your application again to see if it
works. The file context could have been mislabeled by editing the file or moving
the file from a different directory, if the file keeps getting mislabeled, check
the init scripts to see if they are doing something to mislabel the file.

Allowing Access:
You can attempt to fix file context by executing restorecon -v './etc'
Fix Command:
restorecon './etc'
Additional Information:
Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                ./etc [ dir ]
Source                        cp
Source Path                   /bin/cp
Port                          <Unknown>
...
-
Summary:
SELinux is preventing dns.up (openvpn_t) "write" to ./resolv.conf (net_conf_t).
Detailed Description:
SELinux denied access requested by dns.up. It is not expected that this access
is required by dns.up and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./resolv.conf,

restorecon -v './resolv.conf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:
Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:net_conf_t:s0
Target Objects                ./resolv.conf [ file ]
Source                        dns.up
Source Path                   /bin/bash
Port                          <Unknown>
...
-
Summary:
SELinux is preventing dns.up (openvpn_t) "write" openvpn_t.

Detailed Description:
SELinux denied access requested by dns.up. It is not expected that this access
is required by dns.up and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:
Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                unconfined_u:system_r:openvpn_t:s0
Target Objects                pipe [ fifo_file ]
Source                        dns.up
Source Path                   /bin/bash
Port                          <Unknown>
...
-
Summary:
SELinux is preventing cut (openvpn_t) "getattr" openvpn_t.

Detailed Description:
SELinux denied access requested by cut. It is not expected that this access is
required by cut and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:
Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                unconfined_u:system_r:openvpn_t:s0
Target Objects                pipe [ fifo_file ]
Source                        dns.up
Source Path                   /bin/bash
Port                          <Unknown>
...
-
Summary:
SELinux is preventing cut (openvpn_t) "read" openvpn_t.

Detailed Description:
SELinux denied access requested by cut. It is not expected that this access is
required by cut and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:
Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                unconfined_u:system_r:openvpn_t:s0
Target Objects                pipe [ fifo_file ]
Source                        dns.up
Source Path                   /bin/bash
Port                          <Unknown>
...
-
Summary:
SELinux is preventing dns.up (openvpn_t) "append" to ./resolv.conf (net_conf_t).

Detailed Description:
SELinux denied access requested by dns.up. It is not expected that this access
is required by dns.up and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./resolv.conf,

restorecon -v './resolv.conf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:
Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:net_conf_t:s0
Target Objects                ./resolv.conf [ file ]
Source                        dns.up
Source Path                   /bin/bash
Port                          <Unknown>
...

---

How could I enable openvpn to work without disabling selinux?
Zoltan


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]