On Sat, 2010-08-14 at 20:12 +0200, Dominick Grift wrote:
> On 08/14/2010 07:00 PM, Mr Dash Four wrote:
>> When I try to execute 'openvpn --mktun --dev tun0 --user nobody --group
>> nobody' it works OK, but when I try to start openvpn it again fails with
>> the following avc:
>>
>> ----audit.log---------------
>> type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom }
>> for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tclass=tun_socket
> This looks nasty. See if you can reproduce it with v3.8.8-14 or with the
> rule mentioned above loaded.
> Make sure you configure/operate openvpn properly, because I do not see
> why openvpn_t would need to relabel unconfined_t's tun_sockets.
See:
http://marc.info/?l=selinux&m=125149773203150&w=2
http://marc.info/?l=selinux&m=125149774103164&w=2
Attaching to an existing TUN device is modeled as a relabel operation.
This was discussed extensively earlier on selinux list prior to these patches.
--
Stephen Smalley
National Security Agency
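As an added illustration (not part of the thread above, and not code from the SELinux or openvpn projects), the following POSIX shell snippet takes the quoted AVC record apart the way one would before deciding whether a denial is legitimate: it pulls the source type, target type, object class and permission set out of the record and prints the allow rule that audit2allow would propose. The sample records are constructed here from the denial in the thread; the second one, with two permissions, is made up to exercise the multi-permission form. The point of the exercise is to read the denial, not to load the rule: as Dominick notes, openvpn_t relabelling a tun_socket owned by unconfined_t is a sign of a misconfigured setup, not a missing policy rule.

```shell
#!/bin/sh
# Constructed sample: the AVC denial quoted in the thread, joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom } for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tun_socket'

# Constructed sample with two permissions, to exercise the { a b } form.
SAMPLE_AVC_MULTI='type=AVC msg=audit(1281803400.000:24): avc: denied { relabelfrom relabelto } for pid=2010 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=tun_socket'

# Print the SELinux type (third field of user:role:type[:range]) of the
# scontext= or tcontext= field named in $1, taken from the AVC line in $2.
avc_type_of() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p" | cut -d: -f3
}

# Print the object class (tclass=...) of the AVC line in $1.
avc_tclass() {
    printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p'
}

# Print the space-separated permission list found between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' \
        | sed 's/^ *//; s/ *$//'
}

# Emit the allow rule that would match this denial, in audit2allow's output
# format. This is a diagnostic to read, not a rule to add blindly.
avc_to_allow() {
    s=$(avc_type_of scontext "$1")
    t=$(avc_type_of tcontext "$1")
    c=$(avc_tclass "$1")
    p=$(avc_perms "$1")
    case "$p" in
        *" "*) printf 'allow %s %s:%s { %s };\n' "$s" "$t" "$c" "$p" ;;
        *)     printf 'allow %s %s:%s %s;\n' "$s" "$t" "$c" "$p" ;;
    esac
}

# Usage: prints the rule each sample denial asks for.
avc_to_allow "$SAMPLE_AVC"
avc_to_allow "$SAMPLE_AVC_MULTI"
```

For the denial in the thread the output names openvpn_t as the source and unconfined_t as the target of a tun_socket relabelfrom, which is exactly the mismatch Dominick flags: the persistent tun was created by an unconfined shell, so the device carries unconfined_t and a confined openvpn_t later tries to take it over.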