I'm trying to run OpenVPN under Fedora 19 with selinux
(selinux-policy-targeted) in enforcing mode, and I'm running into an AVC
I'm not entirely sure how to handle.
Starting OpenVPN from the command line as root works fine, but starting it via systemd (systemctl start openvpn@vpcbridge, where /etc/openvpn/vpcbridge.conf exists) results in:
ERROR: Cannot ioctl TUNSETIFF tap0: Permission denied (errno=13)
And in /var/log/audit:
type=AVC msg=audit(1376412420.435:60): avc: denied { relabelfrom } for
pid=720 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0
tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket
For reference, here's the OpenVPN configuration:
port 1194
user openvpn
dev tap0
proto udp
secret vpcbridge.key
keepalive 10 120
persist-tun
persist-key
If I run audit2allow, I get a module file that looks like this:
module openvpn 1.0;

require {
        type openvpn_t;
        type ifconfig_t;
        class tun_socket relabelfrom;
}

#============= openvpn_t ==============
allow openvpn_t ifconfig_t:tun_socket relabelfrom;
But loading that generates an error:
# semodule -i openvpn.pp
libsepol.print_missing_requirements: openvpn's global requirements were
not met: type/attribute openvpn_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule: Failed!
I'm not sure what to do with this error.
Update: As requested, the output of seinfo -t ...:
# seinfo -t | grep openvpn
openvpn_tmp_t
openvpn_unconfined_script_exec_t
openvpn_status_t
openvpn_etc_rw_t
openvpn_var_lib_t
openvpn_var_run_t
openvpn_port_t
openvpn_server_packet_t
openvpn_etc_t
openvpn_initrc_exec_t
openvpn_var_log_t
openvpn_unconfined_script_t
openvpn_exec_t
openvpn_t
openvpn_client_packet_t
Best Answer
I don't have a Fedora system right now to check with, but now that I'm reading this some time later "openvpn" as a name seems kind of generic. To the point where it's possible that the OpenVPN package itself might have a module named that for the type information that it adds when it gets installed. Does this still happen if you give the module a different name? Like openvpn-tun or something? I'm not 100% sure on the nitty-gritty details (this is basically just a wild guess) but it seems like it would create a conflict if the two modules had the same name. Especially if one module depended on information that was in the other.
EDIT:
Finally got home. Looks like there is a native SELinux module with that name:
But it looks like I was wrong about how SELinux on Fedora works. It looks like it all comes in under a single policy package for the entire distribution:
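The renaming the answer suggests, written out as an added example (not code from the question or the answer): a small POSIX shell script that checks a proposed local-module name against the list of modules already in the policy store, falls back to a prefixed name if it collides, emits the audit2allow-style .te for the AVC in the question under that name, and prints the checkmodule / semodule_package / semodule commands that build and load it. Loading a local module under a name the distribution policy already uses (here "openvpn") replaces that module in the store, so the "require { type openvpn_t; }" can no longer be satisfied even though seinfo lists the type; a distinctive name avoids that. The INSTALLED_MODULES list is a constructed stand-in for `semodule -l` output so the script runs offline; the "local_" prefix and the file name selinux_local_module.sh are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Picks a module name that does not
# collide with a module already installed in the SELinux policy store, writes
# the audit2allow-generated policy under that name, and shows how to build it.

# Constructed stand-in for `semodule -l` output. On a real system use:
#   INSTALLED_MODULES=$(semodule -l | awk '{print $1}')
INSTALLED_MODULES="apache
openvpn
postfix
unconfined"

# module_name_in_use NAME -> succeeds if NAME is already an installed module
module_name_in_use() {
    printf '%s\n' "$INSTALLED_MODULES" | grep -qx -- "$1"
}

# safe_module_name NAME -> prints NAME if it is free, otherwise local_NAME
safe_module_name() {
    if module_name_in_use "$1"; then
        printf 'local_%s\n' "$1"
    else
        printf '%s\n' "$1"
    fi
}

# write_te NAME -> prints the .te for the tun_socket relabelfrom AVC from the
# question, with the module header set to NAME
write_te() {
    cat <<EOF
module $1 1.0;

require {
        type openvpn_t;
        type ifconfig_t;
        class tun_socket relabelfrom;
}

#============= openvpn_t ==============
allow openvpn_t ifconfig_t:tun_socket relabelfrom;
EOF
}

# build_commands NAME -> prints the commands that compile and load NAME.te
build_commands() {
    printf 'checkmodule -M -m -o %s.mod %s.te\n' "$1" "$1"
    printf 'semodule_package -o %s.pp -m %s.mod\n' "$1" "$1"
    printf 'semodule -i %s.pp\n' "$1"
}

main() {
    name=$(safe_module_name openvpn)      # -> local_openvpn with the sample list
    echo "# save the following as $name.te"
    write_te "$name"
    echo "# then build and load it with:"
    build_commands "$name"
}

# Run only when executed as a script, so the functions can also be sourced.
if [ "${0##*/}" = "selinux_local_module.sh" ]; then
    main
fi
```

Run it as `sh selinux_local_module.sh` to see the renamed .te and the build commands; on a live system replace the constructed module list with real `semodule -l` output before trusting the name check.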