I had to add the following module before openvpn would work. The first issue was that openvpn didn't have permission to write a .pid file to /var/run/openvpn. The other problem seemed to be that a TCP socket could not be created (the name_connect part).
The dac_override is something that I don't get. Why would openvpn need that? Unix permissions problems?
Here's the additional policy: ----------------------------- require { type openvpn_t; type openvpn_port_t; type openvpn_var_run_t; class capability dac_override; class tcp_socket name_connect; class dir { write search add_name }; }
#============= openvpn_t ============== allow openvpn_t openvpn_port_t:tcp_socket name_connect; allow openvpn_t openvpn_var_run_t:dir { write search add_name }; allow openvpn_t self:capability dac_override; -----------------------------
Thanks, Matt
On Thursday 07 June 2007 18:22, Matthew Gillen wrote:
I had to add the following module before openvpn would work. The first issue was that openvpn didn't have permission to write a .pid file to /var/run/openvpn. The other problem seemed to be that a TCP socket could not be created (the name_connect part).
The dac_override is something that I don't get. Why would openvpn need that? Unix permissions problems?
Here's the additional policy:
require { type openvpn_t; type openvpn_port_t; type openvpn_var_run_t; class capability dac_override; class tcp_socket name_connect; class dir { write search add_name }; }
#============= openvpn_t ============== allow openvpn_t openvpn_port_t:tcp_socket name_connect; allow openvpn_t openvpn_var_run_t:dir { write search add_name }; allow openvpn_t self:capability dac_override;
Thanks, Matt
--
Matt,
Thanks very much for the policy. But as a SElinux noobe how does one actually use it.
Regards,
Tony
fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Tony Molloy wrote:
On Thursday 07 June 2007 18:22, Matthew Gillen wrote:
I had to add the following module before openvpn would work. The first issue was that openvpn didn't have permission to write a .pid file to /var/run/openvpn. The other problem seemed to be that a TCP socket could not be created (the name_connect part).
The dac_override is something that I don't get. Why would openvpn need that? Unix permissions problems?
Here's the additional policy:
module openvpn 1.0;
require { type openvpn_t; type openvpn_port_t; type openvpn_var_run_t; class capability dac_override; class tcp_socket name_connect; class dir { write search add_name }; }
#============= openvpn_t ============== allow openvpn_t openvpn_port_t:tcp_socket name_connect; allow openvpn_t openvpn_var_run_t:dir { write search add_name }; allow openvpn_t self:capability dac_override;
Thanks, Matt
--
Matt,
Thanks very much for the policy. But as a SElinux noobe how does one actually use it.
Put the text above into a file named openvpn.te (note I added a line to the original before the 'require' section, I'm not sure if it's needed). Then execute the following commands:
checkmodule -M -m -o openvpn.mod openvpn.te semodule_package -o openvpn.pp -m openvpn.mod # build .pp file semodule -i openvpn.pp #insert the module into the current policy
You'll need the 'checkpolicy' and 'policycoreutils' rpms installed at the very least.
That should be all there is to it.
Matt
Matthew Gillen wrote:
I had to add the following module before openvpn would work. The first issue was that openvpn didn't have permission to write a .pid file to /var/run/openvpn. The other problem seemed to be that a TCP socket could not be created (the name_connect part).
The dac_override is something that I don't get. Why would openvpn need that? Unix permissions problems?
I believe "dac_override" means that a process running as root is trying to violate the DAC policy. Consider a file owned by user Alice with rw permissions for the owner, all else denied (600). Historically the root user is identified by the kernel and all DAC checks are bypassed. SELinux prevents processes running with roots uid from doing such things. This is a good example of SELinux attempting to turn root into just another regular user.
I've run into these things when my daemon, which is typically run as a lesser privileged user, is run as root. dac_override avcs were generated for reading all of the config files and writing to the log files (the ones that were already created).
Here's the additional policy:
require { type openvpn_t; type openvpn_port_t; type openvpn_var_run_t; class capability dac_override; class tcp_socket name_connect; class dir { write search add_name }; }
#============= openvpn_t ============== allow openvpn_t openvpn_port_t:tcp_socket name_connect; allow openvpn_t openvpn_var_run_t:dir { write search add_name }; allow openvpn_t self:capability dac_override;
If I'm wrong here I trust some of the more knowledgeable folks will chime in and correct me :-)
Cheers, - Philip
Philip Tricca wrote:
Matthew Gillen wrote:
I had to add the following module before openvpn would work. The first issue was that openvpn didn't have permission to write a .pid file to /var/run/openvpn. The other problem seemed to be that a TCP socket could not be created (the name_connect part).
The dac_override is something that I don't get. Why would openvpn need that? Unix permissions problems?
I believe "dac_override" means that a process running as root is trying to violate the DAC policy. Consider a file owned by user Alice with rw permissions for the owner, all else denied (600). Historically the root user is identified by the kernel and all DAC checks are bypassed. SELinux prevents processes running with roots uid from doing such things. This is a good example of SELinux attempting to turn root into just another regular user.
That's pretty cool.
I've run into these things when my daemon, which is typically run as a lesser privileged user, is run as root. dac_override avcs were generated for reading all of the config files and writing to the log files (the ones that were already created).
Ok, so probably the unix permissions on /var/run/openvpn are messed up, where it's owned by the openvpn user but it writes the pid file while running as root before it drops privs. So if I fixed the unix perms I could probably purge the dac_override part.
Thanks for the explanation.
Matt
Matthew Gillen wrote:
Philip Tricca wrote:
Matthew Gillen wrote:
I had to add the following module before openvpn would work. The first issue was that openvpn didn't have permission to write a .pid file to /var/run/openvpn. The other problem seemed to be that a TCP socket could not be created (the name_connect part).
The dac_override is something that I don't get. Why would openvpn need that? Unix permissions problems?
I believe "dac_override" means that a process running as root is trying to violate the DAC policy. Consider a file owned by user Alice with rw permissions for the owner, all else denied (600). Historically the root user is identified by the kernel and all DAC checks are bypassed. SELinux prevents processes running with roots uid from doing such things. This is a good example of SELinux attempting to turn root into just another regular user.
That's pretty cool.
I've run into these things when my daemon, which is typically run as a lesser privileged user, is run as root. dac_override avcs were generated for reading all of the config files and writing to the log files (the ones that were already created).
Ok, so probably the unix permissions on /var/run/openvpn are messed up, where it's owned by the openvpn user but it writes the pid file while running as root before it drops privs. So if I fixed the unix perms I could probably purge the dac_override part.
Thanks for the explanation.
Matt
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I have added these rules to selinux-policy-2.6.4-14
selinux@lists.fedoraproject.org
-
Daniel J Walsh -
Matthew Gillen -
Philip -
Tony Molloy