avc { module_request, relabelfrom }: openvpn->tun

Stephen Smalley sds at tycho.nsa.gov
Mon Aug 16 17:42:13 UTC 2010


On Sat, 2010-08-14 at 20:12 +0200, Dominick Grift wrote:
> On 08/14/2010 07:00 PM, Mr Dash Four wrote:
> > When I try to execute 'openvpn --mktun --dev tun0 --user nobody --group 
> > nobody' it works OK, but when I try to start openvpn it again fails with 
> > the following avc:
> > 
> > ----audit.log---------------
> > type=AVC msg=audit(1281803362.451:23): avc:  denied  { relabelfrom } 
> > for  pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 
> > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> > tclass=tun_socket
> 
> This looks nasty. See if you can reproduce it with v3.8.8-14 or with the
> rule mentioned above loaded.
> 
> Make sure you configure/operate openvpn properly, because I do not
> see why openvpn_t would need to relabel unconfined_t's tun_sockets.

See:
http://marc.info/?l=selinux&m=125149773203150&w=2
http://marc.info/?l=selinux&m=125149774103164&w=2

Attaching to an existing TUN device is modeled as a relabel operation.
This was discussed extensively earlier on selinux list prior to these patches.

-- 
Stephen Smalley
National Security Agency
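As an added illustration (not part of the thread, and not code from the SELinux project or its authors): the denial quoted above is the first half of the relabel check that attaching to an existing TUN device triggers, relabelfrom against the socket's current type, and the kernel then also checks relabelto against the attaching process's own type. The script below parses audit.log AVC records and aggregates them into the allow rules they would require, in the spirit of what audit2allow does. The first sample record is the one quoted in the thread (re-joined onto one line); the second is a constructed relabelto record for the same attach, so the two halves of the operation are visible together.

```python
import re
from collections import defaultdict

# Constructed sample input. Record :23 is the AVC quoted in the thread;
# record :24 is constructed here to show the relabelto half of a TUN attach.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1281803362.451:23): avc:  denied  { relabelfrom } for  pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tun_socket
type=AVC msg=audit(1281803362.451:24): avc:  denied  { relabelto } for  pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=tun_socket
type=SYSCALL msg=audit(1281803362.451:23): arch=c000003e syscall=16 success=no exit=-13
"""

# "avc:  denied  { perm perm } for  key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))})
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type (the field policy rules are written against)."""
    return ctx.split(":")[2]


def is_tun_attach_denial(rec):
    """True when the record is one half of a TUN attach being modeled as a relabel."""
    return (rec["result"] == "denied"
            and rec.get("tclass") == "tun_socket"
            and bool(rec["perms"] & {"relabelfrom", "relabelto"}))


def allow_rules(lines):
    """Aggregate denied permissions per (source type, target type, class) into allow rules."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        needed[key] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        target = "self" if stype == ttype else ttype
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, perm_str))
    return rules


def tun_attach_denials(lines):
    """Return the (pid, comm, perm) triples of TUN attach denials in the log."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and is_tun_attach_denial(rec):
            out.append((rec["pid"], rec["comm"], " ".join(sorted(rec["perms"]))))
    return out


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    for pid, comm, perm in tun_attach_denials(lines):
        print("TUN attach relabel denied: pid=%s comm=%s perm=%s" % (pid, comm, perm))
    for rule in allow_rules(lines):
        print(rule)
```

The generated rules only state what the denial asks for; whether openvpn_t should be allowed to take over a tun_socket created by unconfined_t is the policy question Dominick raises, and the usual answer is to have the TUN device created and attached under the same type rather than to grant the cross-type relabelfrom.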


