On 08/14/2010 07:00 PM, Mr Dash Four wrote:
> When trying to start openvpn with 'service openvpn start'
> (selinux=enforced) I get the following avc (audit.log):
>
>
> ----audit.log---------------
> type=AVC msg=audit(1281803077.151:21): avc: denied { module_request }
> for pid=1943 comm="openvpn" kmod="char-major-10-200"
> scontext=unconfined_u:system_r:openvpn_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=system
> type=SYSCALL msg=audit(1281803077.151:21): arch=40000003 syscall=5
> success=no exit=-19 a0=80bf7b8 a1=2 a2=38 a3=96bd804 items=0 ppid=1
> pid=1943 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn"
> subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
> -------------------

I think this was just added yesterday in v3.8.8-14 (see koji):

kernel_request_load_module(openvpn_t)

> -----var/log/messages-------
> Aug 14 17:24:37 test1 openvpn[1943]: Note: Cannot open TUN/TAP dev
> /dev/net/tun: No such device (errno=19)
> Aug 14 17:24:37 test1 openvpn[1943]: Note: Attempting fallback to kernel
> 2.2 TUN/TAP interface
> Aug 14 17:24:37 test1 openvpn[1943]: Cannot open TUN/TAP dev /dev/tun0:
> No such file or directory (errno=2)
> Aug 14 17:24:37 test1 openvpn[1943]: Exiting
> -------------------
>
> When I try to execute 'openvpn --mktun --dev tun0 --user nobody --group
> nobody' it works OK, but when I try to start openvpn it again fails with
> the following avc:
>
> ----audit.log---------------
> type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom }
> for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=tun_socket

This looks nasty. See if you can reproduce it with v3.8.8-14 or with the rule mentioned above loaded. Make sure you configure/operate openvpn properly, because I do not see why openvpn_t would need to relabel unconfined_t's tun_sockets.

> type=SYSCALL msg=audit(1281803362.451:23): arch=40000003 syscall=54
> success=no exit=-13 a0=5 a1=400454ca a2=bfb4c26c a3=87e4804 items=0
> ppid=1 pid=2007 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn"
> subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
> -------------------
>
> -----var/log/messages-------
> Aug 14 17:29:22 test1 openvpn[2007]: Note: Cannot ioctl TUNSETIFF tun0:
> Permission denied (errno=13)
> Aug 14 17:29:22 test1 openvpn[2007]: Note: Attempting fallback to kernel
> 2.2 TUN/TAP interface
> Aug 14 17:29:22 test1 openvpn[2007]: Cannot open TUN/TAP dev /dev/tun0:
> No such file or directory (errno=2)
> Aug 14 17:29:22 test1 openvpn[2007]: Exiting
> -------------------
>
>
> Any idea what might be the cause of this problem?
>
> openvpn normally tries to open tun0, assign its IP address, net mask and
> broadcast address, then reassign the routing on this particular machine
> - nothing suspicious really!
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
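Added example, not code from the thread or from the selinux-policy project: a small Python triage script for the two AVC/SYSCALL pairs quoted above. It joins the AVC and SYSCALL records by their audit serial, renders each denied permission as the allow rule it would take, and checks that rule against the one the reply says landed in 3.8.8-14; the first denial matches, the second (relabelfrom on an unconfined_t tun_socket) has no match and is flagged for investigation instead of being turned into a local policy module. Assumptions, all labelled in the code: the sample records are the post's lines with the mailing-list wrapping undone; `kernel_request_load_module(openvpn_t)` is taken to expand to `allow openvpn_t kernel_t:system module_request;`; and `kmod="char-major-10-200"` is read as the kernel's request for the driver behind char device 10:200, which is /dev/net/tun.

```python
"""Triage SELinux AVC denials: join with SYSCALL records, map to allow rules,
and separate denials already covered by known policy from ones to investigate.
Added example; not code from the mailing-list thread or selinux-policy."""
import errno
import re

# One audit event spans several records that share the "timestamp:serial" key.
HDR_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Allow rules we already know about, keyed (source type, target type, class, perm).
# Assumption: kernel_request_load_module(openvpn_t), which the reply says was added in
# selinux-policy 3.8.8-14, expands to exactly this rule.  Nothing is listed for the
# relabelfrom denial on purpose: the reply does not see why openvpn_t should need it.
# (Hypothesis, not established in the thread: a tun_socket carries the label of the
# process that created it, and tun0 was pre-created with --mktun from an unconfined
# shell, so openvpn_t is attaching to a device labelled unconfined_t.)
KNOWN_RULES = {
    ("openvpn_t", "kernel_t", "system", "module_request"):
        "covered: kernel_request_load_module(openvpn_t), selinux-policy >= 3.8.8-14",
}

# Sample input: the post's audit.log records with the e-mail line wrapping undone.
# kmod="char-major-10-200" is the kernel asking userspace to load the driver for
# char device 10:200, i.e. /dev/net/tun, which is why openvpn then sees ENODEV.
SAMPLE_LOG = """\
type=AVC msg=audit(1281803077.151:21): avc: denied { module_request } for pid=1943 comm="openvpn" kmod="char-major-10-200" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1281803077.151:21): arch=40000003 syscall=5 success=no exit=-19 a0=80bf7b8 a1=2 a2=38 a3=96bd804 items=0 ppid=1 pid=1943 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom } for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tun_socket
type=SYSCALL msg=audit(1281803362.451:23): arch=40000003 syscall=54 success=no exit=-13 a0=5 a1=400454ca a2=bfb4c26c a3=87e4804 items=0 ppid=1 pid=2007 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
"""


def kv_fields(text):
    """Split 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """Type field of a user:role:type[:level] context; the MLS level may itself contain ':'."""
    return ctx.split(":", 3)[2]


def parse_record(line):
    """Parse one audit record into a dict, or return None for lines we do not understand."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": m["ts"], "serial": m["serial"]}
    if rec["type"] == "AVC":
        a = AVC_RE.match(m["body"])
        if not a:
            return None
        rec["result"] = a["result"]
        rec["perms"] = a["perms"].split()
        rec.update(kv_fields(a["fields"]))
    else:
        rec.update(kv_fields(m["body"]))
    return rec


def group_events(lines):
    """Group AVC and SYSCALL records that share a serial into one event each."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"avc": [], "syscall": None})
        if rec["type"] == "AVC":
            ev["avc"].append(rec)
        elif rec["type"] == "SYSCALL":
            ev["syscall"] = rec
    return events


def triage(event):
    """One report row per denied permission: the allow rule it implies, the errno the
    caller saw, and whether known policy already grants it."""
    sc = event["syscall"] or {}
    exit_code = int(sc.get("exit", "0"))
    err = errno.errorcode.get(-exit_code, "") if exit_code < 0 else ""
    rows = []
    for avc in event["avc"]:
        if avc["result"] != "denied":
            continue
        src, tgt = context_type(avc["scontext"]), context_type(avc["tcontext"])
        for perm in avc["perms"]:
            key = (src, tgt, avc["tclass"], perm)
            rows.append({
                "serial": avc["serial"], "comm": avc.get("comm"), "kmod": avc.get("kmod"),
                "rule": "allow %s %s:%s %s;" % key, "errno": err,
                "verdict": KNOWN_RULES.get(key, "investigate: no known policy grants this"),
            })
    return rows


def triage_log(lines):
    events = group_events(lines)
    return [row for serial in sorted(events, key=int) for row in triage(events[serial])]


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG.splitlines()):
        print("%s %s %s (%s) -> %s" % (row["serial"], row["comm"], row["rule"], row["errno"], row["verdict"]))
```

The point of the split verdict is the one the reply makes: the module_request denial is exactly what the new interface grants, so it can be resolved by updating the policy, while the relabelfrom on a tun_socket owned by unconfined_t should be explained (how tun0 was created, and by which domain) before anyone reaches for audit2allow.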