Can't run OpenVPN from /etc/init.d/openvpn

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all,

I have a fresh install of RHEL5 (x86) with OpenVPN 2.0.9 and its dependent liblzo2 2.02 from RPMforge.net.

With SElinux disabled everything works nicely. However with SElinux enabled in enforcing targeted mode I can't run OpenVPN via /etc/init.d/openvpn:

~# /etc/init.d/openvpn start
Starting openvpn: /usr/sbin/openvpn: error while loading shared libraries: liblzo2.so.2: cannot enable executable stack as shared object requires: Permission denied
                                                           [FAILED]

At that time two new records appear in /var/log/audit/audit.log:

type=AVC msg=audit(1186574630.135:162): avc: denied { execstack } for pid=18563 comm="openvpn" scontext=root:system_r:openvpn_t:s0 tcontext=root:system_r:openvpn_t:s0 tclass=process

type=SYSCALL msg=audit(1186574630.135:162): arch=40000003 syscall=125 success=no exit=-13 a0=bfb66000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=18553 pid=18563 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)

When I pass them to audit2allow I get:

allow openvpn_t self:process execstack;

So I did "audit2allow -M local && semodule -i local.pp" to enable it, but still no luck. "/etc/init.d/openvpn start" still fails with the above error about being unable to load liblzo2.so.2.

~# ls -Z /etc/init.d/openvpn /usr/sbin/openvpn /usr/lib/liblzo2.so.2*
system_u:object_r:initrc_exec_t  /etc/init.d/openvpn
system_u:object_r:openvpn_exec_t /usr/sbin/openvpn
system_u:object_r:lib_t        /usr/lib/liblzo2.so.2.0.0
system_u:object_r:lib_t        /usr/lib/liblzo2.so.2 -> liblzo2.so.2.0.0

Interesting thing is that when I manually run /usr/sbin/openvpn it works fine:

~# /usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/vpn.conf
Thu Aug 9 00:25:24 2007 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007
[...]
Thu Aug  9 00:25:25 2007 TCPv4_CLIENT link local: [undef]
Thu Aug  9 00:25:25 2007 TCPv4_CLIENT link remote: xxx.xxx.xxx.xxx
Thu Aug  9 00:25:28 2007 Peer Connection Initiated with xxx.xxx.xxx.xxx

What should I do to make it work from /etc/init.d on system boot as well?

Thanks!

Michal



--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux