On 08/14/2010 07:00 PM, Mr Dash Four wrote:
> When trying to start openvpn with 'service openvpn start'
> (selinux=enforced) I get the following avc (audit.log):
> ----audit.log---------------
> type=AVC msg=audit(1281803077.151:21): avc: denied { module_request }
> for pid=1943 comm="openvpn" kmod="char-major-10-200"
> scontext=unconfined_u:system_r:openvpn_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=system
> type=SYSCALL msg=audit(1281803077.151:21): arch=40000003 syscall=5
> success=no exit=-19 a0=80bf7b8 a1=2 a2=38 a3=96bd804 items=0 ppid=1
> pid=1943 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn"
> subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
> -------------------
I think this was just added yesterday in v3.8.8-14 (see koji)
kernel_request_load_module(openvpn_t)
> -----var/log/messages-------
> Aug 14 17:24:37 test1 openvpn[1943]: Note: Cannot open TUN/TAP dev
> /dev/net/tun: No such device (errno=19)
> Aug 14 17:24:37 test1 openvpn[1943]: Note: Attempting fallback to kernel
> 2.2 TUN/TAP interface
> Aug 14 17:24:37 test1 openvpn[1943]: Cannot open TUN/TAP dev /dev/tun0:
> No such file or directory (errno=2)
> Aug 14 17:24:37 test1 openvpn[1943]: Exiting
> -------------------
> When I try to execute 'openvpn --mktun --dev tun0 --user nobody --group
> nobody' it works OK, but when I try to start openvpn it again fails with
> the following avc:
> ----audit.log---------------
> type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom }
> for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=tun_socket
This looks nasty. See if you can reproduce it with v3.8.8-14 or with the
rule mentioned above loaded.
Make sure you configure/operate openvpn properly, because I do not
see why openvpn_t would need to relabel unconfined_t's tun_sockets.
> type=SYSCALL msg=audit(1281803362.451:23): arch=40000003 syscall=54
> success=no exit=-13 a0=5 a1=400454ca a2=bfb4c26c a3=87e4804 items=0
> ppid=1 pid=2007 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn"
> subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
> -------------------
> -----var/log/messages-------
> Aug 14 17:29:22 test1 openvpn[2007]: Note: Cannot ioctl TUNSETIFF tun0:
> Permission denied (errno=13)
> Aug 14 17:29:22 test1 openvpn[2007]: Note: Attempting fallback to kernel
> 2.2 TUN/TAP interface
> Aug 14 17:29:22 test1 openvpn[2007]: Cannot open TUN/TAP dev /dev/tun0:
> No such file or directory (errno=2)
> Aug 14 17:29:22 test1 openvpn[2007]: Exiting
> -------------------
> Any idea what might be the cause of this problem?
> openvpn normally tries to open tun0, assign its IP address, net mask and
> broadcast address, then reassign the routing on this particular machine
> - nothing suspicious really!
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
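As an added example (not part of the thread), a small Python parser that decodes the two AVC records quoted above into the type-enforcement rule audit2allow would propose for each, and decodes the `kmod` alias into its character-device major/minor, so the relabelfrom denial can be judged against the policy's intent rather than silenced by copying the rule into a local module.

```python
import re

# The two AVC records from the thread, rejoined onto single lines (sample input).
AVC_LOG = """\
type=AVC msg=audit(1281803077.151:21): avc: denied { module_request } for pid=1943 comm="openvpn" kmod="char-major-10-200" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom } for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tun_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_avc(line):
    """Return the AVC fields of one audit line as a dict, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def type_of(context):
    """A context is user:role:type[:range]; the type is the third field."""
    return context.split(':')[2]


def allow_rule(avc):
    """Render the TE allow rule that would cover this denial (what audit2allow prints)."""
    return "allow %s %s:%s { %s };" % (type_of(avc['scontext']), type_of(avc['tcontext']),
                                      avc['tclass'], ' '.join(avc['perms']))


def kmod_device(kmod):
    """Decode a 'char-major-M-N' module alias into (major, minor); 10,200 is /dev/net/tun."""
    m = re.fullmatch(r'char-major-(\d+)-(\d+)', kmod or '')
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(log):
    """For every AVC line: (proposed allow rule, decoded kmod device or None)."""
    out = []
    for line in log.splitlines():
        avc = parse_avc(line)
        if avc:
            out.append((allow_rule(avc), kmod_device(avc.get('kmod'))))
    return out


if __name__ == '__main__':
    for rule, dev in triage(AVC_LOG):
        print(rule, '' if dev is None else 'kmod device %d:%d' % dev)
```

The first rule is the one the thread says v3.8.8-14 added; the second would let openvpn_t relabel a tun_socket owned by unconfined_t, which is exactly what the reply questions, so it is the one to investigate rather than grant.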