fedora-selinux August 2010 archive

Re: avc { module_request, relabelfrom }: openvpn->tun

From: Dominick Grift <domg472_at_nospam>
Date: Sat Aug 14 2010 - 18:12:04 GMT
To: selinux@lists.fedoraproject.org

On 08/14/2010 07:00 PM, Mr Dash Four wrote:
> When trying to start openvpn with 'service openvpn start'
> (selinux=enforced) I get the following avc (audit.log):
>
>
> ----audit.log---------------
> type=AVC msg=audit(1281803077.151:21): avc: denied { module_request }
> for pid=1943 comm="openvpn" kmod="char-major-10-200"
> scontext=unconfined_u:system_r:openvpn_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=system
> type=SYSCALL msg=audit(1281803077.151:21): arch=40000003 syscall=5
> success=no exit=-19 a0=80bf7b8 a1=2 a2=38 a3=96bd804 items=0 ppid=1
> pid=1943 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn"
> subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
> -------------------

I think this was just added yesterday in v3.8.8-14 (see koji)

kernel_request_load_module(openvpn_t)

> -----var/log/messages-------
> Aug 14 17:24:37 test1 openvpn[1943]: Note: Cannot open TUN/TAP dev
> /dev/net/tun: No such device (errno=19)
> Aug 14 17:24:37 test1 openvpn[1943]: Note: Attempting fallback to kernel
> 2.2 TUN/TAP interface
> Aug 14 17:24:37 test1 openvpn[1943]: Cannot open TUN/TAP dev /dev/tun0:
> No such file or directory (errno=2)
> Aug 14 17:24:37 test1 openvpn[1943]: Exiting
> -------------------
>
> When I try to execute 'openvpn --mktun --dev tun0 --user nobody --group
> nobody' it works OK, but when I try to start openvpn it again fails with
> the following avc:
>
> ----audit.log---------------
> type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom }
> for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=tun_socket

This looks nasty. See if you can reproduce it with v3.8.8-14 or with the
rule mentioned above loaded.

Make sure you configure/operate openvpn properly, because I do not
see why openvpn_t would need to relabel unconfined_t's tun_sockets.

> type=SYSCALL msg=audit(1281803362.451:23): arch=40000003 syscall=54
> success=no exit=-13 a0=5 a1=400454ca a2=bfb4c26c a3=87e4804 items=0
> ppid=1 pid=2007 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn"
> subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
> -------------------
>
> -----var/log/messages-------
> Aug 14 17:29:22 test1 openvpn[2007]: Note: Cannot ioctl TUNSETIFF tun0:
> Permission denied (errno=13)
> Aug 14 17:29:22 test1 openvpn[2007]: Note: Attempting fallback to kernel
> 2.2 TUN/TAP interface
> Aug 14 17:29:22 test1 openvpn[2007]: Cannot open TUN/TAP dev /dev/tun0:
> No such file or directory (errno=2)
> Aug 14 17:29:22 test1 openvpn[2007]: Exiting
> -------------------
>
>
> Any idea what might be the cause of this problem?
>
> openvpn normally tries to open tun0, assign its IP address, net mask and
> broadcast address, then reassign the routing on this particular machine
> - nothing suspicious really!
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

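The two denials quoted in this thread, parsed the way audit2allow reads them and then classified before any rule is written, as an added example that is not part of the list discussion. The audit records are the ones quoted above, rejoined onto one line each and trimmed; the i386 syscall table, the `char-major-10-200` decoding, and the "expected"/"suspicious" heuristics are this example's own assumptions, chosen to match Dominick's reply (the module_request is covered by `kernel_request_load_module(openvpn_t)`; a relabelfrom on another domain's tun_socket deserves a look at how the device was created first).

```python
import errno
import re
from dataclasses import dataclass

# Constructed sample: the two denials quoted in the thread, re-joined onto one
# line per record (the archive wrapped them) and trimmed to the fields used below.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1281803077.151:21): avc: denied { module_request } for pid=1943 comm="openvpn" kmod="char-major-10-200" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1281803077.151:21): arch=40000003 syscall=5 success=no exit=-19 a0=80bf7b8 a1=2 a2=38 a3=96bd804 items=0 ppid=1 pid=1943 comm="openvpn" exe="/usr/sbin/openvpn"
type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom } for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tun_socket
type=SYSCALL msg=audit(1281803362.451:23): arch=40000003 syscall=54 success=no exit=-13 a0=5 a1=400454ca a2=bfb4c26c a3=87e4804 items=0 ppid=1 pid=2007 comm="openvpn" exe="/usr/sbin/openvpn"
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
PERMS_RE = re.compile(r"avc: +denied +\{ (?P<perms>[^}]*)\} for ")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: only the two i386 (arch=40000003) syscall numbers seen in the thread
# are named; any other number is reported generically.
I386_SYSCALLS = {5: "open", 54: "ioctl"}


@dataclass
class Denial:
    serial: int
    perms: tuple
    fields: dict
    syscall: dict  # parsed SYSCALL record with the same serial, if any

    def ctx_type(self, key):
        # user:role:type[:range] -> type
        return self.fields[key].split(":")[2]

    @property
    def source_type(self):
        return self.ctx_type("scontext")

    @property
    def target_type(self):
        return self.ctx_type("tcontext")

    @property
    def tclass(self):
        return self.fields["tclass"]


def parse_audit_log(text):
    """Pair each AVC record with the SYSCALL record sharing its audit serial."""
    syscalls, avcs = {}, []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        serial, body = int(m["serial"]), m["body"]
        if m["type"] == "SYSCALL":
            syscalls[serial] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        elif m["type"] == "AVC":
            pm = PERMS_RE.search(body)
            if not pm:
                continue
            fields = {k: v.strip('"') for k, v in KV_RE.findall(body[pm.end():])}
            avcs.append((serial, tuple(pm["perms"].split()), fields))
    return [Denial(s, p, f, syscalls.get(s, {})) for s, p, f in avcs]


def allow_rule(d):
    """The raw allow rule audit2allow would print for this denial."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};"


def explain_errno(d):
    """Decode the paired SYSCALL record's exit value, e.g. -19 -> ENODEV."""
    if "exit" not in d.syscall:
        return None
    code = -int(d.syscall["exit"])
    name = I386_SYSCALLS.get(int(d.syscall.get("syscall", -1)), "syscall")
    return f"{name} failed with {errno.errorcode.get(code, code)}"


def assess(d):
    """Classify a denial the way a policy reviewer would before adding a rule."""
    if d.tclass == "system" and "module_request" in d.perms:
        kmod = d.fields.get("kmod", "?")
        # char major 10, minor 200 is the /dev/net/tun misc device
        note = "/dev/net/tun" if kmod == "char-major-10-200" else kmod
        return ("expected", f"kernel module autoload for {note}; "
                            "covered by kernel_request_load_module(openvpn_t) in newer policy")
    if d.tclass == "tun_socket" and "relabelfrom" in d.perms and d.target_type != d.source_type:
        return ("suspicious", f"{d.source_type} tries to take over a tun_socket labelled "
                              f"{d.target_type}; check how the tun device was created "
                              "before writing a rule")
    return ("review", "no heuristic matched; inspect manually")


if __name__ == "__main__":
    for d in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(f"#{d.serial}: {allow_rule(d)}  [{explain_errno(d)}]")
        print("   ", *assess(d))
```

Note that the first denial's syscall exits with ENODEV rather than EACCES: the refused module_request means the tun device is simply absent at that moment, which is exactly the "No such device (errno=19)" line openvpn logs above. The second one fails the TUNSETIFF ioctl with EACCES, and the tool deliberately prints the allow rule next to a warning rather than suggesting it be loaded.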