Matthew Gillen wrote:
Philip Tricca wrote:
Matthew Gillen wrote:
I had to add the following module before openvpn would work. The first issue was that openvpn didn't have permission to write a .pid file to /var/run/openvpn. The other problem seemed to be that a TCP socket could not be created (the name_connect part).
The dac_override is something that I don't get. Why would openvpn need that?
Unix permissions problems?
I believe "dac_override" means that a process running as root is trying
to violate the DAC policy. Consider a file owned by user Alice with rw
permissions for the owner, all else denied (600). Historically the root
user is identified by the kernel and all DAC checks are bypassed.
SELinux prevents processes running with root's uid from doing such
things. This is a good example of SELinux attempting to turn root into
just another regular user.
That's pretty cool.
I've run into these things when my daemon, which is typically run as a
lesser privileged user, is run as root. dac_override avcs were
generated for reading all of the config files and writing to the log
files (the ones that were already created).
Ok, so probably the unix permissions on /var/run/openvpn are messed up, where
it's owned by the openvpn user but it writes the pid file while running as
root before it drops privs. So if I fixed the unix perms I could probably
purge the dac_override part.
Thanks for the explanation.
Matt
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I have added these rules to selinux-policy-2.6.4-14
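The DAC-versus-dac_override distinction discussed in the thread, as an added example that is not part of the original messages: it models the plain Unix permission check the kernel does before falling back to CAP_DAC_OVERRIDE, parses a constructed AVC record, and shows why the owner of /var/run/openvpn (uid 987 here is a made-up value) decides whether a root openvpn writing its pid file trips the dac_override check. The check is simplified (no ACLs, no CAP_DAC_READ_SEARCH) and is not the kernel's code.

```python
"""Added example: why a root process can generate an SELinux dac_override AVC.
The AVC line and all uids below are constructed, not taken from a real system."""
import re

# Constructed sample in the shape of an audit AVC record (not a real log line).
SAMPLE_AVC = ('type=AVC msg=audit(1179000000.123:45): avc:  denied  { dac_override } '
              'for  pid=2112 comm="openvpn" capability=1 '
              'scontext=system_u:system_r:openvpn_t:s0 '
              'tcontext=system_u:system_r:openvpn_t:s0 tclass=capability')

def parse_avc(line):
    """Return the denied permissions and the key fields of one AVC record."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {'perms': m.group(1).split(),
            'comm': fields.get('comm', '').strip('"'),
            'scontext': fields.get('scontext', ''),
            'tclass': fields.get('tclass', '')}

def dac_allows(uid, gids, file_uid, file_gid, mode, want):
    """Plain Unix DAC: does the owner/group/other class grant `want` ('r','w','x' subset)?
    Deliberately no root special-casing: that bypass is exactly what
    CAP_DAC_OVERRIDE provides and what SELinux gates with dac_override."""
    if uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    need = sum({'r': 4, 'w': 2, 'x': 1}[c] for c in want)
    return bits & need == need

def needs_dac_override(uid, gids, file_uid, file_gid, mode, want):
    """True when the access only succeeds via CAP_DAC_OVERRIDE, i.e. when
    a root process would be subject to the SELinux dac_override check."""
    return uid == 0 and not dac_allows(uid, gids, file_uid, file_gid, mode, want)

def openvpn_pid_dir_scenario():
    """The situation from the thread: /var/run/openvpn owned by the openvpn
    user (constructed uid 987), root creates the pid file before dropping privs.
    Creating a directory entry needs 'wx' on the directory.
    Returns (needs_override_before_fix, needs_override_after_fix)."""
    openvpn_uid = 987
    before = needs_dac_override(0, {0}, openvpn_uid, openvpn_uid, 0o755, 'wx')
    # One fix that avoids granting dac_override: let root own the directory.
    after = needs_dac_override(0, {0}, 0, 0, 0o755, 'wx')
    return before, after
```

Running `openvpn_pid_dir_scenario()` gives `(True, False)`: the denial disappears once the directory's Unix ownership matches the uid that writes there, without touching the policy.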