selinux – SELinux Re-labeling Problem When Running OpenVPN


I'm trying to run OpenVPN under Fedora 19 with selinux
(selinux-policy-targeted) in enforcing mode, and I'm running into an AVC
I'm not entirely sure how to handle.

Starting OpenVPN from the command line as root works fine, but starting it
via systemd (systemctl start openvpn@vpcbridge, where
/etc/openvpn/vpcbridge.conf exists) results in:

  ERROR: Cannot ioctl TUNSETIFF tap0: Permission denied (errno=13)

And in /var/log/audit:

  type=AVC msg=audit(1376412420.435:60): avc:  denied  { relabelfrom } for
  pid=720 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0
  tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket

For reference, here's the OpenVPN configuration:

port 1194
user openvpn
dev tap0
proto udp
secret vpcbridge.key
keepalive 10 120
persist-tun
persist-key

If I run audit2allow, I get a module file that looks like this:

  module openvpn 1.0;

  require {
        type openvpn_t;
        type ifconfig_t;
        class tun_socket relabelfrom;
  }

  #============= openvpn_t ==============
  allow openvpn_t ifconfig_t:tun_socket relabelfrom;

But loading that generates an error:

  # semodule -i openvpn.pp
  libsepol.print_missing_requirements: openvpn's global requirements were
  not met: type/attribute openvpn_t (No such file or directory).
  libsemanage.semanage_link_sandbox: Link packages failed (No such file or
  directory).
  semodule:  Failed!

I'm not sure what to do with this error.

Update: As requested, the output of seinfo -t ...:

# seinfo -t | grep openvpn
   openvpn_tmp_t
   openvpn_unconfined_script_exec_t
   openvpn_status_t
   openvpn_etc_rw_t
   openvpn_var_lib_t
   openvpn_var_run_t
   openvpn_port_t
   openvpn_server_packet_t
   openvpn_etc_t
   openvpn_initrc_exec_t
   openvpn_var_log_t
   openvpn_unconfined_script_t
   openvpn_exec_t
   openvpn_t
   openvpn_client_packet_t

Best Answer

I don't have a Fedora system right now to check with, but now that I'm reading this some time later, "openvpn" as a name seems kind of generic. To the point where it's possible that the OpenVPN package itself might have a module named that for the type information that it adds when it gets installed. Does this still happen if you give the module a different name? Like openvpn-tun or something?

I'm not 100% sure on the nitty-gritty details (this is basically just a wild guess), but it seems like it would create a conflict if the two modules had the same name. Especially if one module depended on information that was in the other.

EDIT:

Finally got home. Looks like there is a native SELinux module with that name:

[root@localhost test]# cat /etc/fedora-release 
Fedora release 18 (Spherical Cow)
[root@localhost test]# semodule -l | grep openvpn
openvpn 1.11.0  

But it looks like I was wrong about how SELinux on Fedora works. It looks like it all comes in under a single policy package for the entire distribution:

[root@localhost modules]# pwd
/etc/selinux/targeted/modules/active/modules
[root@localhost modules]# ls -lh openvpn.pp
-rw-r--r--. 1 root root 12K Jun 27 08:59 openvpn.pp
[root@localhost modules]# rpm -qf $PWD/openvpn.pp
selinux-policy-targeted-3.11.1-98.fc18.noarch
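The name collision the answer describes can be avoided mechanically: parse the AVC denial from the question, check the wanted module name against what `semodule -l` already reports, and only then emit the `.te` source. The following is an added example, not code from the question or answer; the AVC line is the one quoted above, the installed-module listing is a constructed stand-in for `semodule -l` output, and the `local_` prefix is an arbitrary naming choice.

```python
import re

# Constructed sample: the AVC line from the question as it appears in audit.log.
SAMPLE_AVC = (
    'type=AVC msg=audit(1376412420.435:60): avc:  denied  { relabelfrom } for '
    'pid=720 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket'
)

# Constructed stand-in for `semodule -l`: the distro policy already ships "openvpn".
INSTALLED_MODULES = {"openvpn": "1.11.0", "apache": "2.6.0"}


def parse_avc(line):
    """Extract source type, target type, object class and permissions from an AVC line."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}', line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    # A context is user:role:type:range, so the type is the third field.
    return {
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "perms": m.group(1).split(),
    }


def choose_module_name(wanted, installed):
    """Prefix the name until it no longer collides with an installed module."""
    name = wanted
    while name in installed:
        name = "local_" + name
    return name


def render_te(name, denials, version="1.0"):
    """Render a minimal policy module (.te) with a require block and allow rules."""
    types = sorted({d["source_type"] for d in denials} | {d["target_type"] for d in denials})
    classes = {}
    for d in denials:
        classes.setdefault(d["tclass"], set()).update(d["perms"])
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for d in denials:
        lines.append(f"allow {d['source_type']} {d['target_type']}:{d['tclass']} "
                     f"{{ {' '.join(sorted(d['perms']))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Build: checkmodule -M -m -o NAME.mod NAME.te; semodule_package -o NAME.pp -m NAME.mod; semodule -i NAME.pp
    denial = parse_avc(SAMPLE_AVC)
    print(render_te(choose_module_name("openvpn", INSTALLED_MODULES), [denial]))
```

Because the generated module is named `local_openvpn` rather than `openvpn`, loading it no longer replaces the distribution module that defines `openvpn_t`, which is why the original load failed with the unmet requirement for that type.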