Can't run OpenVPN from /etc/init.d/openvpn

Manuel Wolfshant wolfy at nobugconsulting.ro
Wed Aug 8 00:45:33 UTC 2007


On 08/08/2007 03:30 AM, Michal Ludvig wrote:
> Hi all,
>
> I have a fresh install of RHEL5 (x86) with OpenVPN 2.0.9 and its 
> dependent liblzo2 2.02 from RPMforge.net.
>
> With SElinux disabled everything works nicely. However with SElinux 
> enabled in enforcing targeted mode I can't run OpenVPN via 
> /etc/init.d/openvpn:
>
> ~# /etc/init.d/openvpn start
> Starting openvpn: /usr/sbin/openvpn: error while loading shared 
> libraries: liblzo2.so.2: cannot enable executable stack as shared 
> object requires: Permission denied
>                                                            [FAILED]
>
> At that time two new records appear in /var/log/audit/audit.log:
>
> type=AVC msg=audit(1186574630.135:162): avc:  denied  { execstack } 
> for  pid=18563 comm="openvpn" scontext=root:system_r:openvpn_t:s0 
> tcontext=root:system_r:openvpn_t:s0 tclass=process
>
> type=SYSCALL msg=audit(1186574630.135:162): arch=40000003 syscall=125 
> success=no exit=-13 a0=bfb66000 a1=1000 a2=1000007 a3=fffff000 items=0 
> ppid=18553 pid=18563 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 tty=pts2 comm="openvpn" exe="/usr/sbin/openvpn" 
> subj=root:system_r:openvpn_t:s0 key=(null)
>
> When I pass them to audit2allow I get:
>
> allow openvpn_t self:process execstack;
>
> So I did "audit2allow -M local && semodule -i local.pp" to enable it, 
> but still no luck. "/etc/init.d/openvpn start" still fails with the 
> above error about being unable to load liblzo2.so.2.
>
> ~# ls -Z /etc/init.d/openvpn /usr/sbin/openvpn /usr/lib/liblzo2.so.2*
> system_u:object_r:initrc_exec_t  /etc/init.d/openvpn
> system_u:object_r:openvpn_exec_t /usr/sbin/openvpn
> system_u:object_r:lib_t        /usr/lib/liblzo2.so.2.0.0
> system_u:object_r:lib_t        /usr/lib/liblzo2.so.2 -> liblzo2.so.2.0.0
>
> Interesting thing is that when I manually run /usr/sbin/openvpn it 
> works fine:
>
> ~# /usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/vpn.conf
> Thu Aug  9 00:25:24 2007 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] 
> [LZO] [EPOLL] built on Mar  8 2007
> [...]
> Thu Aug  9 00:25:25 2007 TCPv4_CLIENT link local: [undef]
> Thu Aug  9 00:25:25 2007 TCPv4_CLIENT link remote: xxx.xxx.xxx.xxx
> Thu Aug  9 00:25:28 2007 Peer Connection Initiated with xxx.xxx.xxx.xxx
>
> What should I do to make it work from /etc/init.d on system boot as well?
I've had a similar problem some time ago. Rather than punching an 
additional hole in selinux, I switched to the openvpn package from EPEL.
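The two audit records quoted in the question carry more than the `allow` rule audit2allow prints: the SYSCALL record identifies which call the loader made and with what flags, which is what you want to see before deciding whether to relax the policy at all. The following is an added example (not code from the thread, from OpenVPN, or from the SELinux tools) that parses the two quoted lines, reproduces the audit2allow rule, and decodes the syscall fields. The input is a verbatim copy of the two records from the post, embedded here as constructed sample input; the syscall, arch, errno and PROT_* tables are the i386 Linux constants, and the function names are my own.

```python
"""Decode an SELinux AVC/SYSCALL audit pair for an execstack denial.

Added example for the thread above, not part of the original post.
The flag and number tables below are the i386 Linux values; they are
deliberately small and cover only what this record needs.
"""
import re

# Sample input: the two records quoted in the post (constructed copy,
# joined onto one line each as they appear in /var/log/audit/audit.log).
AUDIT_LOG = """\
type=AVC msg=audit(1186574630.135:162): avc:  denied  { execstack } for  pid=18563 comm="openvpn" scontext=root:system_r:openvpn_t:s0 tcontext=root:system_r:openvpn_t:s0 tclass=process
type=SYSCALL msg=audit(1186574630.135:162): arch=40000003 syscall=125 success=no exit=-13 a0=bfb66000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=18553 pid=18563 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)
"""

AUDIT_ARCH = {0x40000003: "i386"}          # AUDIT_ARCH_I386, linux/audit.h
I386_SYSCALLS = {125: "mprotect"}          # asm/unistd_32.h
ERRNO = {13: "EACCES"}
PROT_FLAGS = [                             # x86 values from asm-generic/mman-common.h
    (0x00000001, "PROT_READ"),
    (0x00000002, "PROT_WRITE"),
    (0x00000004, "PROT_EXEC"),
    (0x01000000, "PROT_GROWSDOWN"),
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')


def parse_record(line):
    """Turn one audit line into a dict of key=value fields.

    The 'avc: denied { perm ... }' clause is not key=value syntax, so it is
    captured separately as avc_result / avc_perms.
    """
    fields = {}
    m = AVC_RE.search(line)
    if m:
        fields["avc_result"] = m.group(1)
        fields["avc_perms"] = m.group(2).split()
    for key, value in KV_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def context_type(context):
    """root:system_r:openvpn_t:s0 -> openvpn_t (the type field)."""
    return context.split(":")[2]


def allow_rule(avc):
    """Build the same TE rule audit2allow would print for this AVC."""
    src = context_type(avc["scontext"])
    tgt = context_type(avc["tcontext"])
    target = "self" if src == tgt else tgt
    return "allow %s %s:%s %s;" % (src, target, avc["tclass"],
                                   " ".join(avc["avc_perms"]))


def decode_syscall(sc):
    """Name the syscall and decode mprotect's prot argument (a2)."""
    arch = AUDIT_ARCH.get(int(sc["arch"], 16), "unknown")
    nr = int(sc["syscall"])
    name = I386_SYSCALLS.get(nr, "#%d" % nr) if arch == "i386" else "#%d" % nr
    a2 = int(sc["a2"], 16)
    prot = [label for bit, label in PROT_FLAGS if a2 & bit]
    unknown = a2 & ~sum(bit for bit, _ in PROT_FLAGS)
    if unknown:
        prot.append("0x%x" % unknown)
    err = -int(sc["exit"])
    return {
        "arch": arch,
        "syscall": name,
        "addr": int(sc["a0"], 16),
        "len": int(sc["a1"], 16),
        "prot": prot,
        "errno": ERRNO.get(err, str(err)),
        "exe": sc["exe"],
        "comm": sc["comm"],
    }


def decode_event(log):
    """Pair the AVC and SYSCALL records by their msg=audit(...) serial
    and return (allow_rule, decoded_syscall)."""
    by_type = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        by_type.setdefault(rec["msg"], {})[rec["type"]] = rec
    # the sample has exactly one event; take it
    (event,) = by_type.values()
    return allow_rule(event["AVC"]), decode_syscall(event["SYSCALL"])


if __name__ == "__main__":
    rule, sc = decode_event(AUDIT_LOG)
    print(rule)
    print("%s %s(0x%x, %d, %s) -> %s by %s" % (
        sc["arch"], sc["syscall"], sc["addr"], sc["len"],
        "|".join(sc["prot"]), sc["errno"], sc["exe"]))
```

Run on the quoted records this prints the same `allow openvpn_t self:process execstack;` that audit2allow produced, and decodes the SYSCALL record as an i386 `mprotect(0xbfb66000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN)` failing with EACCES: one page at the top of the stack being made executable and growable downward, which is what the dynamic loader does when a shared object's PT_GNU_STACK header asks for an executable stack. That is the decision point: an `allow ... execstack` rule lets every process in openvpn_t do this, whereas `readelf -lW /usr/lib/liblzo2.so.2 | grep GNU_STACK` tells you whether the library really carries the RWE request that triggers the call in the first place.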
More information about the fedora-selinux-list mailing list