[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Openvpn and Selinux



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Zoltan Kota wrote:
> Hi,
> 
> In my F10 installation SELinux seems to prevent openvpn from working. After
> connecting, openvpn wants to modify /etc/resolv.conf, which is not
> allowed, I think.
> 
> I start openvpn by the command
> 
> [root ~]# /etc/init.d/openvpn start
> 
> and I get selinux messages like this:
> 
> ---
> Summary:
> SELinux is preventing cp (openvpn_t) "write" to ./etc (etc_t).
> Detailed Description:
> SELinux is preventing cp (openvpn_t) "write" to ./etc (etc_t). The SELinux type
> etc_t, is a generic type for all files in the directory and very few processes
> (SELinux Domains) are allowed to write to this SELinux type. This type of denial
> usually indicates a mislabeled file. By default a file created in a directory
> gets the context of the parent directory, but SELinux policy has rules about
> the creation of directories, that say if a process running in one SELinux Domain
> (D1) creates a file in a directory with a particular SELinux File Context (F1)
> the file gets a different File Context (F2). The policy usually allows the
> SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for
> some reason a file (./etc) was created with the wrong context, this domain will
> be denied. The usual solution to this problem is to reset the file context on
> the target file, restorecon -v './etc'. If the file context does not change from
> etc_t, then this is probably a bug in policy. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
> package. If it does change, you can try your application again to see if it
> works. The file context could have been mislabeled by editing the file or moving
> the file from a different directory, if the file keeps getting mislabeled, check
> the init scripts to see if they are doing something to mislabel the file.
> 
> Allowing Access:
> You can attempt to fix file context by executing restorecon -v './etc'
> Fix Command:
> restorecon './etc'
> Additional Information:
> Source Context                unconfined_u:system_r:openvpn_t:s0
> Target Context                system_u:object_r:etc_t:s0
> Target Objects                ./etc [ dir ]
> Source                        cp
> Source Path                   /bin/cp
> Port                          <Unknown>
> ...
> -
> Summary:
> SELinux is preventing dns.up (openvpn_t) "write" to ./resolv.conf (net_conf_t).
> Detailed Description:
> SELinux denied access requested by dns.up. It is not expected that this access
> is required by dns.up and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
> 
> Allowing Access:
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for ./resolv.conf,
> 
> restorecon -v './resolv.conf'
> 
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> Source Context                unconfined_u:system_r:openvpn_t:s0
> Target Context                system_u:object_r:net_conf_t:s0
> Target Objects                ./resolv.conf [ file ]
> Source                        dns.up
> Source Path                   /bin/bash
> Port                          <Unknown>
> ...
> -
> Summary:
> SELinux is preventing dns.up (openvpn_t) "write" openvpn_t.
> 
> Detailed Description:
> SELinux denied access requested by dns.up. It is not expected that this access
> is required by dns.up and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
> 
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> Source Context                unconfined_u:system_r:openvpn_t:s0
> Target Context                unconfined_u:system_r:openvpn_t:s0
> Target Objects                pipe [ fifo_file ]
> Source                        dns.up
> Source Path                   /bin/bash
> Port                          <Unknown>
> ...
> -
> Summary:
> SELinux is preventing cut (openvpn_t) "getattr" openvpn_t.
> 
> Detailed Description:
> SELinux denied access requested by cut. It is not expected that this access is
> required by cut and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
> 
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> Source Context                unconfined_u:system_r:openvpn_t:s0
> Target Context                unconfined_u:system_r:openvpn_t:s0
> Target Objects                pipe [ fifo_file ]
> Source                        dns.up
> Source Path                   /bin/bash
> Port                          <Unknown>
> ...
> -
> Summary:
> SELinux is preventing cut (openvpn_t) "read" openvpn_t.
> 
> Detailed Description:
> SELinux denied access requested by cut. It is not expected that this access is
> required by cut and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
> 
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> Source Context                unconfined_u:system_r:openvpn_t:s0
> Target Context                unconfined_u:system_r:openvpn_t:s0
> Target Objects                pipe [ fifo_file ]
> Source                        dns.up
> Source Path                   /bin/bash
> Port                          <Unknown>
> ...
> -
> Summary:
> SELinux is preventing dns.up (openvpn_t) "append" to ./resolv.conf (net_conf_t).
> 
> Detailed Description:
> SELinux denied access requested by dns.up. It is not expected that this access
> is required by dns.up and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
> 
> Allowing Access:
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for ./resolv.conf,
> 
> restorecon -v './resolv.conf'
> 
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> Source Context                unconfined_u:system_r:openvpn_t:s0
> Target Context                system_u:object_r:net_conf_t:s0
> Target Objects                ./resolv.conf [ file ]
> Source                        dns.up
> Source Path                   /bin/bash
> Port                          <Unknown>
> ...
> 
> ---
> 
> How could I enable openvpn to work without disabling selinux?
> Z


You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-30.fc10
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk2o+AACgkQrlYvE4MpobPmkQCcDaxoFl14k1IgSEe5rBlB9+nS
HXcAoIcmEvVUIkN1wdGBeh9AEc2cdSoP
=9BZ3
-----END PGP SIGNATURE-----
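
The reply above collects every denial since the last policy reload into one module with audit2allow. As an added example (not code from the thread, from Fedora's policy package, or from OpenVPN), the script below writes a local policy module by hand that covers only the five denials Zoltan quoted: openvpn_t writing/appending /etc/resolv.conf (net_conf_t), cp writing into the etc_t directory, and the fifo_file read/write/getattr between the shell pipeline stages of dns.up. The module name openvpn_resolv, the work directory, and the permissions that go beyond the quoted denials (add_name, create, setattr and friends, which a second run of openvpn would be expected to surface because "write" on the directory is only the first check a file copy hits) are assumptions; the commands (checkmodule, semodule_package, semodule) are the standard Fedora module-building tools.

```shell
#!/bin/sh
# Added example, not from the thread or Fedora's policy source: a narrow local
# SELinux module for exactly the openvpn_t denials quoted above, written and
# reviewed by hand instead of installing whatever audit2allow collected from
# the whole audit log.  Module name and work directory are assumptions.

MODULE=openvpn_resolv

# Write the type-enforcement source.  Each allow rule maps to a quoted denial;
# the extra permissions (add_name, create, setattr, ...) are assumed because
# "write" on a directory is only the first access a file copy needs.
write_te() {
    cat > "$1" <<EOF
module $MODULE 1.0;

require {
    type openvpn_t;
    type etc_t;
    type net_conf_t;
    class dir { write add_name };
    class file { read write append create getattr setattr };
    class fifo_file { read write getattr };
}

# dns.up (running in openvpn_t) rewrites /etc/resolv.conf (net_conf_t)
allow openvpn_t net_conf_t:file { read write append getattr setattr };

# cp (also openvpn_t) writes into /etc itself.  etc_t is the generic label
# for most of /etc, so this is the broadest grant here: it lets the openvpn
# scripts create any file under /etc.  If the script only needs a backup of
# resolv.conf, pointing it at a directory openvpn_t may already write is the
# tighter fix; otherwise this is what the quoted "write" to etc_t needs.
allow openvpn_t etc_t:dir { write add_name };
allow openvpn_t etc_t:file { create write append getattr setattr };

# the shell pipelines inside dns.up (cut, ...) talk over anonymous pipes that
# inherit the openvpn_t label of the process that created them
allow openvpn_t openvpn_t:fifo_file { read write getattr };
EOF
}

# Compile .te -> .mod -> .pp.  checkmodule and semodule_package do not need
# root; only semodule -i does.
build_module() {
    dir=$1
    checkmodule -M -m -o "$dir/$MODULE.mod" "$dir/$MODULE.te" \
        && semodule_package -o "$dir/$MODULE.pp" -m "$dir/$MODULE.mod"
}

# Review helper: count the allow rules so a reviewer can match them one by
# one against the denials before anything is loaded.
list_allow_rules() {
    grep -c '^allow ' "$1"
}

WORKDIR=${WORKDIR:-$(mktemp -d)}
write_te "$WORKDIR/$MODULE.te"

echo "Review before installing ($(list_allow_rules "$WORKDIR/$MODULE.te") allow rules):"
grep '^allow ' "$WORKDIR/$MODULE.te"

if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
    build_module "$WORKDIR"
    if [ "$(id -u)" = 0 ] && command -v semodule >/dev/null 2>&1; then
        # load it; drop it again later with: semodule -r openvpn_resolv
        semodule -i "$WORKDIR/$MODULE.pp"
    else
        echo "As root: semodule -i $WORKDIR/$MODULE.pp"
    fi
else
    echo "checkmodule/semodule_package not found; build $WORKDIR/$MODULE.te on the Fedora host"
fi
```

The same review step applies to the reply's one-liner: `audit2allow -M mypol` writes mypol.te next to mypol.pp, and reading that .te before `semodule -i` is what keeps an unrelated denial that happened to be in the log from becoming a permanent allow rule. Once the fixed selinux-policy-3.5.13-30.fc10 is installed, remove the local module with `semodule -r openvpn_resolv` (or `semodule -r mypol`) so the distribution policy, not the workaround, is what governs openvpn_t.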

