fedora-selinux August 2010 archive

Re: avc { module_request, relabelfrom }: openvpn->tun

From: Mr Dash Four <mr.dash.four_at_nospam>
Date: Sat Aug 14 2010 - 22:46:42 GMT
To: Dominick Grift <domg472@gmail.com>, selinux@lists.fedoraproject.org

> koji.fedoraproject.org/koji but I guess it's for f14, so instead:
>>> kernel_request_load_module(openvpn_t)
> create module that allows openvpn_t to request the kernel to load a module:
> mkdir ~/myopenvpn; cd ~/myopenvpn;
> echo "policy_module(myopenvpn, 1.0.0)" > myopenvpn.te;
> echo "gen_require(\`" >> myopenvpn.te;
> echo "type openvpn_t;" >> myopenvpn.te;
> echo "')" >> myopenvpn.te;
> echo "kernel_request_load_module(openvpn_t)" >> myopenvpn.te;
> make -f /usr/share/selinux/devel/Makefile myopenvpn.pp
> sudo semodule -i myopenvpn.pp
That did the trick!

It was good that you've included this as a separate module so that I
could test it, otherwise I had to patch and recompile the whole policy,
then rebuild the image in order to test it and see whether it works.

I take it to make this a 'permanent' solution I have to patch and
include 'kernel_request_load_module(openvpn_t)' in openvpn.te (forming
part of the -44 policy), is that right?

> You cannot define this rule for just a single particular module.
That's a pity, but I could live with that - auditd gives me detailed
info when a module is loaded, so I can trace this anyway; no big loss.

> See if you can reproduce it. unconfined_t (you) transitions to the rc
> script domain when you run an rc script, and the rc script domain in turn
> runs the openvpn executables.
> So with that in mind why would openvpn need to relabel unconfined_t
> tun_sockets?
I take it this gets called only if loading of the tun/tap module fails.
Maybe in a similar way to when dac_* gets called - only in case the
'normal' permissions are too restrictive.

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
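The build-a-local-module procedure quoted above, written out as a script rather than a chain of echo commands. This is an added example, not code from the thread or from the Fedora policy. It assumes the refpolicy devel Makefile at /usr/share/selinux/devel/Makefile (selinux-policy-devel) and an openvpn_t type in the loaded policy; the build and install steps are skipped when the Makefile is absent so the source-generation part can be run anywhere. The module name myopenvpn and the work directory are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the list thread): generate, build and load a
# small SELinux policy module that lets openvpn_t ask the kernel to
# autoload a module (here: tun/tap), as one script instead of the
# chained echo commands quoted in the mail.
#
# Assumptions (example, not the project's own code):
#   - /usr/share/selinux/devel/Makefile from selinux-policy-devel
#   - the openvpn_t type exists in the loaded policy
#   - the module name "myopenvpn" and work directory are arbitrary

set -eu

MODNAME=myopenvpn
WORKDIR="${WORKDIR:-${HOME:-/tmp}/$MODNAME}"

# Write the Type Enforcement source for the module.
# gen_require() declares a type we reference but do not define here;
# kernel_request_load_module() is the refpolicy interface granting the
# domain the "system { module_request }" permission on the kernel, which
# is the permission the original AVC denial reported.
write_te() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$MODNAME.te" <<'EOF'
policy_module(myopenvpn, 1.0.0)

gen_require(`
    type openvpn_t;
')

# Allow openvpn to trigger autoloading of kernel modules (tun/tap).
kernel_request_load_module(openvpn_t)
EOF
    printf '%s\n' "$dir/$MODNAME.te"
}

# Build the .pp with the policy devel Makefile and load it with semodule.
# Needs root for semodule -i. Returns 2 (without failing) when the devel
# Makefile is not installed so the script is still usable on other hosts.
build_and_install() {
    dir="$1"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; skipping build" >&2
        return 2
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODNAME.pp" )
    sudo semodule -i "$dir/$MODNAME.pp"
    # Confirm the module is now part of the loaded policy.
    semodule -l | grep -q "^$MODNAME"
}

# Only attempt the privileged build when explicitly asked for.
# Afterwards, re-run the openvpn rc script and check that no new
# module_request denial appears, e.g. with:
#   ausearch -m avc -c openvpn --start recent
if [ "${1:-}" = "build" ]; then
    write_te "$WORKDIR" >/dev/null
    build_and_install "$WORKDIR"
fi
```

Run as `sh myopenvpn.sh build` on the target host; without the argument it only defines the functions. The .te is the same policy as the quoted one-liners produce, so it is only a convenience; the permanent fix the mail asks about would be the same kernel_request_load_module(openvpn_t) line added to openvpn.te in the distribution policy.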