fedora-selinux August 2010 archive

avc { module_request, relabelfrom }: openvpn->tun

From: Mr Dash Four <mr.dash.four_at_nospam>
Date: Sat Aug 14 2010 - 17:00:54 GMT
To: selinux@lists.fedoraproject.org

When trying to start openvpn with 'service openvpn start'
(selinux=enforced) I get the following avc (audit.log):

----audit.log---------------
type=AVC msg=audit(1281803077.151:21): avc: denied { module_request }
for pid=1943 comm="openvpn" kmod="char-major-10-200"
scontext=unconfined_u:system_r:openvpn_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1281803077.151:21): arch=40000003 syscall=5
success=no exit=-19 a0=80bf7b8 a1=2 a2=38 a3=96bd804 items=0 ppid=1
pid=1943 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn"
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
-------------------

-----var/log/messages-------
Aug 14 17:24:37 test1 openvpn[1943]: Note: Cannot open TUN/TAP dev
/dev/net/tun: No such device (errno=19)
Aug 14 17:24:37 test1 openvpn[1943]: Note: Attempting fallback to kernel
2.2 TUN/TAP interface
Aug 14 17:24:37 test1 openvpn[1943]: Cannot open TUN/TAP dev /dev/tun0:
No such file or directory (errno=2)
Aug 14 17:24:37 test1 openvpn[1943]: Exiting
-------------------

When I try to execute 'openvpn --mktun --dev tun0 --user nobody --group
nobody' it works OK, but when I try to start openvpn it again fails with
the following avc:

----audit.log---------------
type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom }
for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=tun_socket
type=SYSCALL msg=audit(1281803362.451:23): arch=40000003 syscall=54
success=no exit=-13 a0=5 a1=400454ca a2=bfb4c26c a3=87e4804 items=0
ppid=1 pid=2007 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn"
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
-------------------

-----var/log/messages-------
Aug 14 17:29:22 test1 openvpn[2007]: Note: Cannot ioctl TUNSETIFF tun0:
Permission denied (errno=13)
Aug 14 17:29:22 test1 openvpn[2007]: Note: Attempting fallback to kernel
2.2 TUN/TAP interface
Aug 14 17:29:22 test1 openvpn[2007]: Cannot open TUN/TAP dev /dev/tun0:
No such file or directory (errno=2)
Aug 14 17:29:22 test1 openvpn[2007]: Exiting
-------------------

Any idea what might be the cause of this problem?

openvpn normally tries to open tun0, assign its IP address, net mask and
broadcast address, then reassign the routing on this particular machine
- nothing suspicious really!
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
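Added example, not part of the original post: a small triage script that joins each AVC record quoted above to the SYSCALL record sharing its audit event id, showing which system call was denied and which errno openvpn then reported in /var/log/messages. The `I386_SYSCALLS` and `IOCTLS` lookup tables are constructed for this example and cover only the values that appear in the post; the function names are hypothetical.

```python
import errno
import re
from collections import defaultdict

# Constructed lookup tables covering only the values in the post (arch=40000003 is i386).
I386_SYSCALLS = {5: "open", 54: "ioctl"}
IOCTLS = {0x400454CA: "TUNSETIFF"}

# Records from the post above with the e-mail line wrapping undone.
SAMPLE = """\
type=AVC msg=audit(1281803077.151:21): avc: denied { module_request } for pid=1943 comm="openvpn" kmod="char-major-10-200" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1281803077.151:21): arch=40000003 syscall=5 success=no exit=-19 a0=80bf7b8 a1=2 a2=38 a3=96bd804 items=0 ppid=1 pid=1943 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom } for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tun_socket
type=SYSCALL msg=audit(1281803362.451:23): arch=40000003 syscall=54 success=no exit=-13 a0=5 a1=400454ca a2=bfb4c26c a3=87e4804 items=0 ppid=1 pid=2007 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
"""

RECORD = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log):
    """Group records by audit event id (timestamp:serial) so each AVC meets its SYSCALL."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, event_id, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if rtype == "AVC":
            fields["perms"] = re.search(r"\{([^}]*)\}", rest).group(1).split()
        events[event_id][rtype] = fields
    return events

def triage(log):
    """One summary per denial: what was denied, in which syscall, and the errno returned."""
    out = []
    for event_id, ev in sorted(parse(log).items()):
        if "AVC" not in ev:
            continue
        avc, sc = ev["AVC"], ev.get("SYSCALL", {})
        name = I386_SYSCALLS.get(int(sc.get("syscall", -1)), "?")
        src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))  # SELinux type field
        out.append({
            "event": event_id,
            "denied": f"{src} -> {tgt}:{avc['tclass']} {{ {' '.join(avc['perms'])} }}",
            "syscall": name,
            "request": IOCTLS.get(int(sc.get("a1", "0"), 16)) if name == "ioctl" else None,
            "errno": errno.errorcode.get(-int(sc.get("exit", 0))),
            "kmod": avc.get("kmod"),
        })
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The two rows line up with the openvpn messages in the post: the `module_request` denial surfaces as errno 19 on opening /dev/net/tun, and the `relabelfrom` denial as errno 13 on the TUNSETIFF ioctl.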