openvpn on fedora 7

Philip Tricca phil at noggle.biz
Fri Jun 8 15:43:54 UTC 2007


Matthew Gillen wrote:
> I had to add the following module before openvpn would work.  The first issue
> was that openvpn didn't have permission to write a .pid file to
> /var/run/openvpn.  The other problem seemed to be that a TCP socket could not
> be created (the name_connect part).
> 
> The dac_override is something that I don't get.  Why would openvpn need that?
>  Unix permissions problems?

I believe "dac_override" means that a process running as root is trying 
to violate the DAC policy.  Consider a file owned by user Alice with rw 
permissions for the owner, all else denied (600).  Historically the root 
user is identified by the kernel and all DAC checks are bypassed. 
SELinux prevents processes running with root's uid from doing such 
things.  This is a good example of SELinux attempting to turn root into 
just another regular user.

I've run into these things when my daemon, which is typically run as a 
lesser privileged user, is run as root.  dac_override avcs were 
generated for reading all of the config files and writing to the log 
files (the ones that were already created).

> Here's the additional policy:
> -----------------------------
> require {
>         type openvpn_t;
>         type openvpn_port_t;
>         type openvpn_var_run_t;
>         class capability dac_override;
>         class tcp_socket name_connect;
>         class dir { write search add_name };
> }
> 
> #============= openvpn_t ==============
> allow openvpn_t openvpn_port_t:tcp_socket name_connect;
> allow openvpn_t openvpn_var_run_t:dir { write search add_name };
> allow openvpn_t self:capability dac_override;
> -----------------------------

If I'm wrong here I trust some of the more knowledgeable folks will 
chime in and correct me :-)

Cheers,
- Philip
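Added example, not part of Philip's reply or of the thread: a small Python script that turns AVC denial lines (constructed here, modelled on the openvpn denials discussed above) into the require/allow rules that audit2allow would emit, and flags any dac_override so the file owner or mode can be checked before root's DAC bypass is simply allowed. The regex, the function names and the sample lines are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed AVC lines modelled on the openvpn denials in the thread (not real audit output)
SAMPLE_AVCS = """\
type=AVC msg=audit(1181315034.101:45): avc:  denied  { dac_override } for  pid=2301 comm="openvpn" capability=1  scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
type=AVC msg=audit(1181315034.102:46): avc:  denied  { search } for  pid=2301 comm="openvpn" name="openvpn" dev=sda2 ino=4711 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir
type=AVC msg=audit(1181315034.103:47): avc:  denied  { write add_name } for  pid=2301 comm="openvpn" name="openvpn" dev=sda2 ino=4711 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir
type=AVC msg=audit(1181315034.104:48): avc:  denied  { name_connect } for  pid=2301 comm="openvpn" dest=1194 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
                    r"scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)")

def parse_avcs(text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = m["src"].split(":")[2]          # user:role:type:level -> type
        tgt = m["tgt"].split(":")[2]
        if tgt == src:                        # same context on both sides -> 'self'
            tgt = "self"
        rules[(src, tgt, m["cls"])].update(m["perms"].split())
    return dict(rules)

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def to_te(rules):
    """Render a require block plus allow rules, the shape audit2allow produces."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update({src} if tgt == "self" else {src, tgt})
        classes[cls].update(perms)
    out = ["require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(rules[(s, t, c)])};" for s, t, c in sorted(rules)]
    return "\n".join(out)

def review(rules):
    # dac_override usually means the file's owner/mode is wrong for the daemon;
    # fixing that is preferable to letting root bypass DAC inside the domain.
    return [f"{s}: dac_override on {c}; check file owner/mode before allowing it"
            for (s, t, c), p in rules.items() if "dac_override" in p]
```

Running `to_te(parse_avcs(SAMPLE_AVCS))` yields the same three allow rules as the module quoted in the thread, with permissions sorted alphabetically.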