Re: openvpn on fedora 7

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Philip Tricca wrote:
> Matthew Gillen wrote:
>> I had to add the following module before openvpn would work.  The
>> first issue
>> was that openvpn didn't have permission to write a .pid file to
>> /var/run/openvpn.  The other problem seemed to be that a TCP socket
>> could not
>> be created (the name_connect part).
>>
>> The dac_override is something that I don't get.  Why would openvpn
>> need that?
>>  Unix permissions problems?
> 
> I believe "dac_override" means that a process running as root is trying
> to violate the DAC policy.  Consider a file owned by user Alice with rw
> permissions for the owner, all else denied (600).  Historically the root
> user is identified by the kernel and all DAC checks are bypassed.
> SELinux prevents processes running with roots uid from doing such
> things.  This is a good example of SELinux attempting to turn root into
> just another regular user.

That's pretty cool.

> I've run into these things when my daemon, which is typically run as a
> lesser privileged user, is run as root.  dac_override avcs were
> generated for reading all of the config files and writing to the log
> files (the ones that were already created).

Ok, so probably the unix permissions on /var/run/openvpn are messed up, where
it's owned by the openvpn user but it writes the pid file while running as
root before it drops privs.  So if I fixed the unix perms I could probably
purge the dac_override part.

Thanks for the explanation.

Matt

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux