I am trying to run openvpn within a confined environment where the process runs under a limited user/group (called _openvpn) and also uses a specific SELinux context (allowed by openvpn itself when using the --setcon option). As part of this setup I also use the --iproute <ip-script>, --route-noexec and --route-up <route-up-script> options to provide the running of /sbin/ip and other such commands requiring privilege escalation (this is all done with sudo statements in those scripts). The role of the <ip-script> is to set the options of the tun0 device on startup and then reset it when needed on ip address change or shutdown. There is a 'filter' implemented in this script, which prohibits adding or deleting routes (they are explicitly set with the route-up-script during startup and are not touched until the shutdown script is called, when they are deleted and the previous routes are then restored). The role of the route-up-script is to set the routes, but just once (if called more than once it exits with status 0). The role of the shutdown script is to reset the tun0 device, remove routes related to the openvpn and restore previous routes on the internal network. The startup and shutdown scripts are executed by the openvpn init.d script. During startup and shutdown I am getting various AVCs, related mainly to sudo, but also to openvpn itself.
Here they are:

During openvpn startup (sudo-related):

type=AVC msg=audit(1284210049.555:96): avc: denied { getattr } for pid=2621 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 ino=3226 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284210049.555:96): arch=40000003 syscall=195 success=yes exit=0 a0=8372838 a1=bfb19650 a2=b89ff4 a3=8372838 items=0 ppid=2618 pid=2621 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="<ip-script>" exe="/bin/bash" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

type=AVC msg=audit(1284210049.558:97): avc: denied { execute } for pid=2621 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284210049.558:97): arch=40000003 syscall=33 success=yes exit=0 a0=8372838 a1=1 a2=b89ff4 a3=8372838 items=0 ppid=2618 pid=2621 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="<ip-script>" exe="/bin/bash" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

type=AVC msg=audit(1284210049.559:98): avc: denied { read } for pid=2621 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284210049.559:98): arch=40000003 syscall=33 success=yes exit=0 a0=8372838 a1=4 a2=b89ff4 a3=8372838 items=0 ppid=2618 pid=2621 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="<ip-script>" exe="/bin/bash" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

type=AVC msg=audit(1284210049.564:99): avc: denied { open } for pid=2622 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1284210049.564:99): avc: denied { execute_no_trans } for pid=2622 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 ino=3226 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284210049.564:99): arch=40000003 syscall=11 success=yes exit=0 a0=8372838 a1=83716c0 a2=83713a8 a3=83716c0 items=0 ppid=2621 pid=2622 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

type=AVC msg=audit(1284210049.590:100): avc: denied { sys_resource } for pid=2622 comm="sudo" capability=24 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=capability
type=AVC msg=audit(1284210049.590:100): avc: denied { setrlimit } for pid=2622 comm="sudo" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=process
type=SYSCALL msg=audit(1284210049.590:100): arch=40000003 syscall=75 success=yes exit=0 a0=6 a1=bff9a1a8 a2=2afff4 a3=f01ce0 items=0 ppid=2621 pid=2622 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

type=AVC msg=audit(1284210049.636:102): avc: denied { setsched } for pid=2622 comm="sudo" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=process
type=SYSCALL msg=audit(1284210049.636:102): arch=40000003 syscall=97 success=yes exit=0 a0=0 a1=0 a2=0 a3=bff99b34 items=0 ppid=2621 pid=2622 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

Also during openvpn startup, but related to openvpn itself (the possible cause of this is the --setcon openvpn option!):

type=AVC msg=audit(1284210049.853:110): avc: denied { setcurrent } for pid=2618 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=process
type=AVC msg=audit(1284210049.853:110): avc: denied { dyntransition } for pid=2618 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=process
type=SYSCALL msg=audit(1284210049.853:110): arch=40000003 syscall=4 success=yes exit=31 a0=6 a1=97125d0 a2=1f a3=97125d0 items=0 ppid=1 pid=2618 auid=0 uid=498 gid=499 euid=498 suid=498 fsuid=498 egid=499 sgid=499 fsgid=499 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)

On openvpn shutdown, I get very similar sudo-related permissions as I did during startup:

type=AVC msg=audit(1284209679.447:83): avc: denied { getattr } for pid=2589 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 ino=3226 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284209679.447:83): arch=40000003 syscall=195 success=yes exit=0 a0=9509630 a1=bfadafa0 a2=491ff4 a3=9509630 items=0 ppid=2532 pid=2589 auid=0 uid=498 gid=499 euid=498 suid=498 fsuid=498 egid=499 sgid=499 fsgid=499 tty=(none) ses=1 comm="<ip-script>" exe="/bin/bash" subj=system_u:system_r:openvpn_t:s0 key=(null)

type=AVC msg=audit(1284209679.453:84): avc: denied { execute } for pid=2589 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284209679.453:84): arch=40000003 syscall=33 success=yes exit=0 a0=9509630 a1=1 a2=491ff4 a3=9509630 items=0 ppid=2532 pid=2589 auid=0 uid=498 gid=499 euid=498 suid=498 fsuid=498 egid=499 sgid=499 fsgid=499 tty=(none) ses=1 comm="<ip-script>" exe="/bin/bash" subj=system_u:system_r:openvpn_t:s0 key=(null)

type=AVC msg=audit(1284209679.457:85): avc: denied { read open } for pid=2590 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1284209679.457:85): avc: denied { execute_no_trans } for pid=2590 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 ino=3226 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284209679.457:85): arch=40000003 syscall=11 success=yes exit=0 a0=9509630 a1=9508ae0 a2=9508888 a3=9508ae0 items=0 ppid=2589 pid=2590 auid=0 uid=498 gid=499 euid=0 suid=0 fsuid=0 egid=499 sgid=499 fsgid=499 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:openvpn_t:s0 key=(null)

type=AVC msg=audit(1284209679.763:86): avc: denied { sys_resource } for pid=2590 comm="sudo" capability=24 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
type=AVC msg=audit(1284209679.763:86): avc: denied { setrlimit } for pid=2590 comm="sudo" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=process
type=SYSCALL msg=audit(1284209679.763:86): arch=40000003 syscall=75 success=yes exit=0 a0=6 a1=bf9cfb38 a2=6dbff4 a3=fc1ce0 items=0 ppid=2589 pid=2590 auid=0 uid=498 gid=499 euid=0 suid=0 fsuid=0 egid=499 sgid=499 fsgid=499 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:openvpn_t:s0 key=(null)

The above AVCs were produced when I switched SELinux to permissive mode (setenforce 0); otherwise I wasn't able to run openvpn at all. Is there any way I could get rid of those AVCs? I am also not sure whether the { setcurrent dyntransition } process permissions should be allowed in openvpn.te as, as far as I can see, these are directly related to the use of the --setcon openvpn option.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
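The filtering --iproute wrapper the message describes (a script that hands ip(8) calls to sudo but refuses to add or delete routes) can be written as below. This is an added example, not the poster's script or anything from the OpenVPN project. It assumes the tunnel device is tun0 unless TUN_DEV is set, that the real binary is /sbin/ip, and that sudoers already lets the _openvpn user run it without a password; the ip_filter/ip_wrapper function names are the example's own.

```shell
#!/bin/sh
# Added example (not the poster's script): a filtering wrapper to use as
# "--iproute /path/to/this-script" so OpenVPN's ip(8) calls go through sudo
# but cannot add or delete routes.
# Assumptions: the tunnel device is tun0 unless TUN_DEV is set, the real
# binary is /sbin/ip, and sudoers lets the _openvpn user run it without a
# password (sudo -n).

TUN_DEV="${TUN_DEV:-tun0}"
IP_BIN="${IP_BIN:-/sbin/ip}"

# ip_filter <ip arguments...>: returns 0 if the invocation is allowed.
# Allowed: "link" and "addr" commands that name the tunnel device.
# Rejected: "route" (and every other object: rule, neigh, tunnel, ...)
# and any command that names a different device or no device at all.
ip_filter() {
    # Skip an address-family switch such as "-4" or "-6".
    case "$1" in
        -4|-6) shift ;;
    esac
    case "$1" in
        link|addr|address) ;;
        *) return 1 ;;
    esac
    dev_seen=0
    while [ $# -gt 0 ]; do
        if [ "$1" = "dev" ]; then
            # "dev" must be followed by exactly the tunnel interface.
            [ "$2" = "$TUN_DEV" ] || return 1
            dev_seen=1
            shift
        fi
        shift
    done
    [ "$dev_seen" -eq 1 ]
}

# ip_wrapper <ip arguments...>: log the decision, then escalate only when
# ip_filter accepts it. Arguments are passed through "$@" so no shell
# re-parsing happens between OpenVPN and /sbin/ip.
ip_wrapper() {
    if ip_filter "$@"; then
        logger -t ip-script "allow: ip $*"
        exec sudo -n "$IP_BIN" "$@"
    fi
    logger -t ip-script "deny: ip $*"
    return 1
}

# Act as the wrapper only when invoked with arguments; sourcing the file
# (for example from a test) defines the functions without running anything.
[ $# -eq 0 ] || ip_wrapper "$@"
```

OpenVPN invokes the --iproute command with exactly the arguments it would otherwise pass to /sbin/ip, so the wrapper needs no argument rewriting; route teardown stays in the shutdown script, as in the setup described above. Note what this does and does not change: it narrows what the sudo escalation can do, but the wrapper still runs in openvpn_t, so the sudo_exec_t execute/execute_no_trans denials shown in the message are unaffected by it and remain a policy question.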