fedora-selinux August 2010 archive

Re: avc { module_request, relabelfrom }: openvpn->tun

From: Mr Dash Four <mr.dash.four_at_nospam>
Date: Sun Aug 15 2010 - 11:04:06 GMT
To: Dominick Grift <domg472@gmail.com>, selinux@lists.fedoraproject.org

>> That did the trick!
>> It was good that you've included this as a separate module so that I
>> could test it, otherwise I would have had to patch and recompile the whole
>> policy, then rebuild the image in order to test it and see whether
>> it works.
>> I take it to make this a 'permanent' solution I have to patch and
>> include 'kernel_request_load_module(openvpn_t)' in openvpn.te
>> (forming part of the -44 policy), is that right?
> Yes, but Fedora should fix this. It is already fixed in f14 (v3.8.8-14). They just need to backport this to f13/f12.
Agreed. I am waiting to see if this patch is going to work in the event
of connection reset/time out (in situations when the connection needs to
be re-established - with/without closing the tun device and possibly
re-establishing the ip address, routing and all other parameters) - in
that case the tun kernel module should already be loaded so if anything
goes wrong I am expecting 'relabelfrom' avc to pop up. If not, then all
is well and I am applying this patch permanently.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
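The check described in the message above (watching for remaining `module_request` or `relabelfrom` denials from `openvpn_t` after a reconnect) can be scripted over audit records. This is an added example, not part of the original post; the sample records, the `tun_socket` class and the `kmod` value are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1281870246.101:51): avc:  denied  { module_request } for  pid=1402 comm="openvpn" kmod="char-major-10-200" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1281870246.140:52): avc:  denied  { relabelfrom } for  pid=1402 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=tun_socket
type=SYSCALL msg=audit(1281870246.140:52): arch=40000003 syscall=54 success=no exit=-13 comm="openvpn"
type=AVC msg=audit(1281870300.007:60): avc:  denied  { read write } for  pid=1500 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1281873846.500:97): avc:  denied  { relabelfrom } for  pid=1402 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=tun_socket
"""

# Captures the permission set, the source context and the object class
# of one "avc: denied" record; granted records and non-AVC lines do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)"
)

# The two denials named in the thread subject (class names are assumptions).
WATCHED = (("system", "module_request"), ("tun_socket", "relabelfrom"))


def denials_for_domain(lines, domain="openvpn_t"):
    """Count denials per (tclass, permission) whose source type is `domain`."""
    counts = Counter()
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = m.group("scontext").split(":")  # user:role:type[:level]
        if len(fields) < 3 or fields[2] != domain:
            continue
        for perm in m.group("perms").split():  # one record may list several
            counts[(m.group("tclass"), perm)] += 1
    return counts


def still_denied(lines, domain="openvpn_t"):
    """Return only the watched denials that still occur for `domain`."""
    counts = denials_for_domain(lines, domain)
    return {key: counts[key] for key in WATCHED if counts[key]}


if __name__ == "__main__":
    for (tclass, perm), n in still_denied(SAMPLE_LOG.splitlines()).items():
        print(f"openvpn_t denied {perm} on class {tclass}: {n} time(s)")
```

An empty result from `still_denied` after a forced reconnect is the "all is well" case the message describes.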