fedora-selinux August 2010 archive

Re: avc { module_request, relabelfrom }: openvpn->tun

From: Mr Dash Four <mr.dash.four_at_nospam>
Date: Sat Aug 14 2010 - 19:05:37 GMT
To: Dominick Grift <domg472@gmail.com>

> I think this was just added yesterday in v3.8.8-14 (see koji)
>
Where do I get/download this version? My 'fedora-update' repository says
3.7.19-44 is the latest version (the one I am using to compile/build the
image)! Am I missing something?

> kernel_request_load_module(openvpn_t)
>
Do I add this line in openvpn.te and then recompile the policy? Also,
this seems to be a blank policy to enable openvpn to load *any* kernel
module. If that is so, can I limit it to a particular module (say char
device 10, 200 which is the tun/tap kernel module)?

>> -----var/log/messages-------
>> Aug 14 17:24:37 test1 openvpn[1943]: Note: Cannot open TUN/TAP dev
>> /dev/net/tun: No such device (errno=19)
>> Aug 14 17:24:37 test1 openvpn[1943]: Note: Attempting fallback to kernel
>> 2.2 TUN/TAP interface
>> Aug 14 17:24:37 test1 openvpn[1943]: Cannot open TUN/TAP dev /dev/tun0:
>> No such file or directory (errno=2)
>> Aug 14 17:24:37 test1 openvpn[1943]: Exiting
>> -------------------
>>
>> When I try to execute 'openvpn --mktun --dev tun0 --user nobody --group
>> nobody' it works OK, but when I try to start openvpn it again fails with
>> the following avc:
>>
>> ----audit.log---------------
>> type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom }
>> for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tclass=tun_socket
>>
>
> This looks nasty. See if you can reproduce it with v3.8.8-14 or with the
> rule mentioned above loaded.
>
Will try and let you know.

> Make sure you configure/operate openvpn properly, because I do not
> see why openvpn_t would need to relabel unconfined_t's tun_sockets.
>
I don't really know what that is - when openvpn starts it should open
tun0, reassign all its parameters (ip address, netmask, broadcast
address) and also modify the routing table (using /sbin/ip) on that
machine. Maybe that is where this re-labelling comes from? The log
below says that openvpn tries to ioctl TUNSETIFF on tun0, so that is
where it fails. Do you think it might be something wrong with the init.d
script? I can post it, but it is the standard openvpn script which comes
with the package.

>> type=SYSCALL msg=audit(1281803362.451:23): arch=40000003 syscall=54
>> success=no exit=-13 a0=5 a1=400454ca a2=bfb4c26c a3=87e4804 items=0
>> ppid=1 pid=2007 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn"
>> subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
>> -------------------
>>
>> -----var/log/messages-------
>> Aug 14 17:29:22 test1 openvpn[2007]: Note: Cannot ioctl TUNSETIFF tun0:
>> Permission denied (errno=13)
>> Aug 14 17:29:22 test1 openvpn[2007]: Note: Attempting fallback to kernel
>> 2.2 TUN/TAP interface
>> Aug 14 17:29:22 test1 openvpn[2007]: Cannot open TUN/TAP dev /dev/tun0:
>> No such file or directory (errno=2)
>> Aug 14 17:29:22 test1 openvpn[2007]: Exiting
>> -------------------
>>
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
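As an added example (not code from this thread or from the openvpn or selinux-policy projects), the Python below decodes the two audit records quoted in the post the way audit2allow would, correlates them by their shared audit(timestamp:serial) id, and drafts a local policy module instead of editing the distribution's openvpn.te and rebuilding it. It shows what the records actually say: arch=40000003 is i386, syscall 54 on i386 is ioctl, a1=400454ca is TUNSETIFF from <linux/if_tun.h> (_IOW('T', 202, int)), and exit=-13 is EACCES, which matches the "Cannot ioctl TUNSETIFF tun0: Permission denied" line from /var/log/messages. The module_request AVC record is constructed to match the thread's subject line, since the post itself does not show one; the module_request permission is checked against kernel_t as a whole, so kernel_request_load_module() is as narrow as policy can express and cannot be limited to the tun module. The module name myopenvpn is an assumption.

```python
"""Decode the AVC/SYSCALL records quoted in the thread and draft a local
SELinux module for them.  Added example; the AVC and SYSCALL records are
copied from the post (re-joined onto one line), MODREQ_AVC is constructed."""
import re

AVC = ('type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom } '
       'for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tun_socket')
SYSCALL = ('type=SYSCALL msg=audit(1281803362.451:23): arch=40000003 syscall=54 '
           'success=no exit=-13 a0=5 a1=400454ca a2=bfb4c26c a3=87e4804 items=0 '
           'ppid=1 pid=2007 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
           'fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" '
           'subj=unconfined_u:system_r:openvpn_t:s0 key=(null)')
# Constructed record: the shape of the module_request denial named in the subject.
MODREQ_AVC = ('type=AVC msg=audit(1281803300.000:20): avc: denied { module_request } '
              'for pid=1943 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 '
              'tcontext=system_u:system_r:kernel_t:s0 tclass=system')

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')       # the { perm perm } set after "denied"
I386_SYSCALLS = {5: "open", 54: "ioctl"}        # arch=40000003 is AUDIT_ARCH_I386
ERRNO = {-2: "ENOENT", -13: "EACCES", -19: "ENODEV"}   # the errnos seen in the thread


def ioc(direction, typ, nr, size):
    """Linux _IOC() encoding: dir:2 | size:14 | type:8 | nr:8."""
    return (direction << 30) | (size << 16) | (ord(typ) << 8) | nr


# <linux/if_tun.h>: TUNSETIFF is _IOW('T', 202, int) == 0x400454ca
TUN_IOCTLS = {ioc(1, "T", 202, 4): "TUNSETIFF", ioc(1, "T", 203, 4): "TUNSETPERSIST",
              ioc(1, "T", 204, 4): "TUNSETOWNER", ioc(1, "T", 206, 4): "TUNSETGROUP"}


def parse_record(line):
    rec = {k: v.strip('"') for k, v in TOKEN.findall(line)}
    m = PERMS.search(line)
    if m:
        rec["perms"] = m.group(1).split()
    return rec


def event_id(rec):
    """audit(1281803362.451:23) -> ('1281803362.451', 23); AVC and SYSCALL share it."""
    ts, serial = re.match(r"audit\(([\d.]+):(\d+)\)", rec["msg"]).groups()
    return ts, int(serial)


def type_of(context):
    return context.split(":")[2]     # user:role:type[:range]


def decode_syscall(rec):
    """Turn the raw SYSCALL fields into names; only i386 records are handled."""
    if rec.get("arch") != "40000003":
        return None
    nr, code = int(rec["syscall"]), int(rec["exit"])
    name = I386_SYSCALLS.get(nr, "syscall_%d" % nr)
    info = {"syscall": name, "exit": code, "errno": ERRNO.get(code, str(code))}
    if name == "ioctl":
        info["fd"] = int(rec["a0"], 16)
        req = int(rec["a1"], 16)
        info["request"] = TUN_IOCTLS.get(req, hex(req))
    return info


def is_module_request(avc):
    return avc["tclass"] == "system" and avc["perms"] == ["module_request"]


def rule_for(avc):
    """Emit the refpolicy interface where one exists, else a raw allow rule."""
    src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
    if is_module_request(avc):
        return "kernel_request_load_module(%s)" % src
    return "allow %s %s:%s { %s };" % (src, tgt, avc["tclass"], " ".join(avc["perms"]))


def local_module(name, avcs):
    """Draft a .te file; types/classes used by raw allow rules go in require {}."""
    raw = [a for a in avcs if not is_module_request(a)]
    types = sorted({type_of(a["scontext"]) for a in avcs} | {type_of(a["tcontext"]) for a in raw})
    out = ["policy_module(%s, 1.0)" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (a["tclass"], " ".join(a["perms"])) for a in raw]
    out += ["}", ""] + [rule_for(a) for a in avcs]
    return "\n".join(out) + "\n"


def correlate(lines):
    """Group records by audit event id so each AVC sits next to its SYSCALL."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(event_id(rec), {})[rec["type"]] = rec
    return events


if __name__ == "__main__":
    for eid, recs in sorted(correlate([AVC, SYSCALL, MODREQ_AVC]).items()):
        print(eid, rule_for(recs["AVC"]),
              decode_syscall(recs["SYSCALL"]) if "SYSCALL" in recs else "")
    print(local_module("myopenvpn", [parse_record(MODREQ_AVC), parse_record(AVC)]))
```

Save the printed module as myopenvpn.te and build it with the selinux-policy-devel Makefile (`make -f /usr/share/selinux/devel/Makefile myopenvpn.pp`, then `semodule -i myopenvpn.pp`); that leaves the distribution's openvpn.te untouched and survives policy updates. The generator emits what the denial asks for, not a judgement that it should be granted: whether openvpn_t has any business relabelling an unconfined_t tun_socket is exactly the question raised in the reply above, so check how the tun device was created before loading the relabelfrom rule.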