Can't run OpenVPN from /etc/init.d/openvpn

Michal Ludvig michal at logix.cz
Wed Aug 8 00:30:39 UTC 2007


Hi all,

I have a fresh install of RHEL5 (x86) with OpenVPN 2.0.9 and its 
dependent liblzo2 2.02 from RPMforge.net.

With SELinux disabled everything works nicely. However, with SELinux 
enabled in enforcing targeted mode I can't run OpenVPN via 
/etc/init.d/openvpn:

~# /etc/init.d/openvpn start
Starting openvpn: /usr/sbin/openvpn: error while loading shared libraries: liblzo2.so.2: cannot enable executable stack as shared object requires: Permission denied
                                                            [FAILED]

At that time two new records appear in /var/log/audit/audit.log:

type=AVC msg=audit(1186574630.135:162): avc:  denied  { execstack } for  pid=18563 comm="openvpn" scontext=root:system_r:openvpn_t:s0 tcontext=root:system_r:openvpn_t:s0 tclass=process

type=SYSCALL msg=audit(1186574630.135:162): arch=40000003 syscall=125 success=no exit=-13 a0=bfb66000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=18553 pid=18563 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)

When I pass them to audit2allow I get:

allow openvpn_t self:process execstack;

So I did "audit2allow -M local && semodule -i local.pp" to enable it, 
but still no luck. "/etc/init.d/openvpn start" still fails with the 
above error about being unable to load liblzo2.so.2.

~# ls -Z /etc/init.d/openvpn /usr/sbin/openvpn /usr/lib/liblzo2.so.2*
system_u:object_r:initrc_exec_t  /etc/init.d/openvpn
system_u:object_r:openvpn_exec_t /usr/sbin/openvpn
system_u:object_r:lib_t        /usr/lib/liblzo2.so.2.0.0
system_u:object_r:lib_t        /usr/lib/liblzo2.so.2 -> liblzo2.so.2.0.0

The interesting thing is that when I run /usr/sbin/openvpn manually it 
works fine:

~# /usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/vpn.conf
Thu Aug  9 00:25:24 2007 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
[...]
Thu Aug  9 00:25:25 2007 TCPv4_CLIENT link local: [undef]
Thu Aug  9 00:25:25 2007 TCPv4_CLIENT link remote: xxx.xxx.xxx.xxx
Thu Aug  9 00:25:28 2007 Peer Connection Initiated with xxx.xxx.xxx.xxx

What should I do to make it work from /etc/init.d on system boot as well?

Thanks!

Michal

More information about the fedora-selinux-list mailing list