Openvpn and selinux issues

asked 2013-08-13 13:28:41 -0600 by larsks

updated 2013-08-13 19:11:34 -0600 by FranciscoD_

I'm trying to run OpenVPN under Fedora 19 with selinux (selinux-policy-targeted) in enforcing mode, and I'm running into an AVC I'm not entirely sure how to handle.

Starting OpenVPN from the command line as root works fine, but starting it via systemd (systemctl start openvpn@vpcbridge, where /etc/openvpn/vpcbridge.conf exists) results in:

  ERROR: Cannot ioctl TUNSETIFF tap0: Permission denied (errno=13)

And in /var/log/audit:

  type=AVC msg=audit(1376412420.435:60): avc:  denied  { relabelfrom } for pid=720 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket

For reference, here's the OpenVPN configuration:

  port 1194
  user openvpn
  dev tap0
  proto udp
  secret vpcbridge.key
  keepalive 10 120
  persist-tun
  persist-key

If I run audit2allow, I get a module file that looks like this:

  module openvpn 1.0;

  require {
        type openvpn_t;
        type ifconfig_t;
        class tun_socket relabelfrom;
  }

  #============= openvpn_t ==============
  allow openvpn_t ifconfig_t:tun_socket relabelfrom;

But loading that generates an error:

  # semodule -i openvpn.pp
  libsepol.print_missing_requirements: openvpn's global requirements were not met: type/attribute openvpn_t (No such file or directory).
  libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
  semodule:  Failed!

I'm not sure what to do with this error.


2 Answers

answered 2013-08-14 06:09:37 -0600 by domg472

updated 2013-08-14 06:33:58 -0600

The problem is that you are trying to overwrite the existing openvpn policy module by naming your policy module the same and trying to install it.

Good thing it fails ;)

The issue in more detail is the following:

You require type openvpn_t in your openvpn policy module. Your module uses the same name "openvpn" as the existing openvpn policy module.

So you are effectively trying to overwrite the openvpn module with a module that actually depends on a type declared in that module.

So semodule fails and says the type used in this module is not available (and that's true, because you are trying to overwrite the module that has it declared).

The solution is to use a unique name for your module, for example:

"myopenvpn"

  # single quotes keep the comm="openvpn" field intact inside the string
  echo 'avc:  denied  { relabelfrom } for pid=720 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket' | audit2allow -M myopenvpn
  sudo semodule -i myopenvpn.pp
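As an added illustration of domg472's point (this is not code from the question or the answer): a small script that turns the AVC record quoted in the question into .te module source in the shape audit2allow -M writes, and refuses a module name that is already installed before anything reaches semodule. The installed-module set is a constructed stand-in for the names printed by semodule -l.

```python
import re

# AVC record quoted in the question (one log line, unwrapped).
AVC = ("type=AVC msg=audit(1376412420.435:60): avc:  denied  { relabelfrom } for "
       "pid=720 comm=\"openvpn\" scontext=system_u:system_r:openvpn_t:s0 "
       "tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket")

# Constructed stand-in for the module names listed by `semodule -l`; read that on a real host.
INSTALLED_MODULES = {"openvpn", "ifconfig", "unconfined"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)")


def parse_avc(line):
    """Pull source type, target type, object class and permissions out of one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: " + line)
    return {"stype": m["stype"], "ttype": m["ttype"],
            "tclass": m["tclass"], "perms": sorted(m["perms"].split())}


def _perm_set(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def render_module(name, denials, version="1.0"):
    """Return .te source for the given denials. A name that matches an installed module is
    refused: loading it would replace that module, so the require block would reference a
    type the replaced module declared (the semodule failure shown in the question)."""
    if name in INSTALLED_MODULES:
        raise ValueError("%r is an installed module; use a unique name such as 'my%s'" % (name, name))
    types, classes, rules = set(), {}, []
    for d in denials:
        types.update((d["stype"], d["ttype"]))
        classes.setdefault(d["tclass"], set()).update(d["perms"])
        rules.append("allow %s %s:%s %s;" % (d["stype"], d["ttype"], d["tclass"], _perm_set(d["perms"])))
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s %s;" % (c, _perm_set(p)) for c, p in sorted(classes.items())]
    lines += ["}", ""] + rules
    return "\n".join(lines) + "\n"
```

Compile the returned source with checkmodule -M -m and semodule_package before semodule -i, which is what audit2allow -M does in one step; review the allow rule first, since it grants exactly what was denied.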
answered 2013-08-13 19:10:53 -0600 by FranciscoD_

If generating a policy doesn't work, you should file a bug and let selinux upstream take a look at it. They are generally very very quick with fixes once a bug is filed. I recommend you file a bug using the sealert tool.


Stats

Asked: 2013-08-13 13:28:41 -0600

Seen: 3,319 times

Last updated: Aug 14 '13