Philip Tricca wrote:
> Matthew Gillen wrote:
>> I had to add the following module before openvpn would work. The
>> first issue was that openvpn didn't have permission to write a .pid
>> file to /var/run/openvpn. The other problem seemed to be that a TCP
>> socket could not be created (the name_connect part).
>>
>> The dac_override is something that I don't get. Why would openvpn
>> need that? Unix permissions problems?
>
> I believe "dac_override" means that a process running as root is trying
> to violate the DAC policy. Consider a file owned by user Alice with rw
> permissions for the owner, all else denied (600). Historically the root
> user is identified by the kernel and all DAC checks are bypassed.
> SELinux prevents processes running with root's uid from doing such
> things. This is a good example of SELinux attempting to turn root into
> just another regular user. That's pretty cool.
>
> I've run into these things when my daemon, which is typically run as a
> lesser privileged user, is run as root. dac_override AVCs were
> generated for reading all of the config files and writing to the log
> files (the ones that were already created).

Ok, so probably the unix permissions on /var/run/openvpn are messed up, where it's owned by the openvpn user but it writes the pid file while running as root before it drops privs. So if I fixed the unix perms I could probably purge the dac_override part.

Thanks for the explanation.

Matt

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
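An added example, not part of the thread or of openvpn: it models the DAC check SELinux applies to a root process with no root bypass (the reason a dac_override denial appears), and picks the two denial types the thread mentions out of audit lines. The audit lines, the uid 990 and the /var/run/openvpn ownership values are constructed.

```python
"""Model of why a root-owned process gets a dac_override AVC, plus a small
AVC line parser. Constructed example; not the mailing-list poster's code."""
import re

R, W, X = 4, 2, 1  # permission bits as used in one octal digit of a mode

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>[\w ]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?tclass=(?P<tclass>\w+)'
)

# Constructed audit lines shaped like the two denials discussed in the thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1.0:10): avc:  denied  { dac_override } for  pid=1234 comm="openvpn" capability=1 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
type=AVC msg=audit(1.0:11): avc:  denied  { name_connect } for  pid=1234 comm="openvpn" dest=1194 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=tcp_socket
"""


def parse_avc(text):
    """Return (permission, comm, tclass) for every AVC denial line."""
    return [m.group("perm", "comm", "tclass")
            for m in map(AVC_RE.search, text.splitlines()) if m]


def needs_dac_override(proc_uid, proc_gids, file_uid, file_gid, mode, want):
    """Plain owner/group/other DAC check with the root bypass removed.
    `want` is a mask of R/W/X. Returns True when only root's uid would have
    let the access through, i.e. SELinux would demand dac_override.
    (The kernel can satisfy read/search via CAP_DAC_READ_SEARCH instead;
    this models the dac_override case the thread talks about.)"""
    if proc_uid == file_uid:
        allowed = (mode >> 6) & 0o7
    elif file_gid in proc_gids:
        allowed = (mode >> 3) & 0o7
    else:
        allowed = mode & 0o7
    dac_ok = (allowed & want) == want
    return proc_uid == 0 and not dac_ok


def openvpn_pid_dir_scenario(owner_uid, mode):
    """The thread's situation: openvpn is still root when it writes its .pid
    into /var/run/openvpn. Creating a file there needs write+search on the
    directory. If the directory belongs to the (constructed) openvpn uid 990
    with mode 0700, root needs dac_override; root ownership or a 0755 mode
    makes the access succeed by plain DAC and the denial goes away."""
    return needs_dac_override(0, {0}, owner_uid, owner_uid, mode, W | X)
```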