openvpn and script execution

Mr Dash Four mr.dash.four at googlemail.com
Sat Sep 11 14:24:25 UTC 2010


I am trying to run openvpn within a confined environment where the process 
runs under a limited user/group (called _openvpn) and also using a 
specific SELinux context (allowed by openvpn itself when using the 
--setcon option). As part of this setup I also use the --iproute 
<ip-script>, --route-noexec and --route-up <route-up-script> options to 
provide the running of /sbin/ip and other such commands requiring 
privilege escalation (this is all done with sudo statements in those 
scripts).

The role of the <ip-script> is to set the options of the tun0 device on 
startup and then reset it when needed on ip address change or shutdown. 
There is a 'filter' implemented in this script, which prohibits adding 
or deleting routes (they are explicitly set with the route-up-script 
during startup and are not touched until the shutdown script is called 
when they are deleted and previous routes are then restored).

The role of the route-up-script is to set the routes, but just once (if 
called more than once it exits with status 0).

The role of the shutdown script is to reset the tun0 device, remove 
routes related to the openvpn and restore previous routes on the 
internal network. The startup and shutdown scripts are executed by the 
openvpn init.d script.

During startup and shutdown I am getting various AVCs, related, mainly 
to sudo, but also to openvpn itself. Here they are:

During openvpn startup (sudo-related):

type=AVC msg=audit(1284210049.555:96): avc:  denied  { getattr } for  
pid=2621 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 ino=3226 
scontext=unconfined_u:system_r:openvpn_t:s0 
tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284210049.555:96): arch=40000003 syscall=195 
success=yes exit=0 a0=8372838 a1=bfb19650 a2=b89ff4 a3=8372838 items=0 
ppid=2618 pid=2621 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=1 comm="<ip-script>" exe="/bin/bash" 
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1284210049.558:97): avc:  denied  { execute } for  
pid=2621 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 
scontext=unconfined_u:system_r:openvpn_t:s0 
tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284210049.558:97): arch=40000003 syscall=33 
success=yes exit=0 a0=8372838 a1=1 a2=b89ff4 a3=8372838 items=0 
ppid=2618 pid=2621 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=1 comm="<ip-script>" exe="/bin/bash" 
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1284210049.559:98): avc:  denied  { read } for  
pid=2621 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 
scontext=unconfined_u:system_r:openvpn_t:s0 
tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284210049.559:98): arch=40000003 syscall=33 
success=yes exit=0 a0=8372838 a1=4 a2=b89ff4 a3=8372838 items=0 
ppid=2618 pid=2621 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=1 comm="<ip-script>" exe="/bin/bash" 
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1284210049.564:99): avc:  denied  { open } for  
pid=2622 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 
scontext=unconfined_u:system_r:openvpn_t:s0 
tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1284210049.564:99): avc:  denied  { execute_no_trans 
} for  pid=2622 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 
ino=3226 scontext=unconfined_u:system_r:openvpn_t:s0 
tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284210049.564:99): arch=40000003 syscall=11 
success=yes exit=0 a0=8372838 a1=83716c0 a2=83713a8 a3=83716c0 items=0 
ppid=2621 pid=2622 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" 
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1284210049.590:100): avc:  denied  { sys_resource } 
for  pid=2622 comm="sudo" capability=24  
scontext=unconfined_u:system_r:openvpn_t:s0 
tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=capability
type=AVC msg=audit(1284210049.590:100): avc:  denied  { setrlimit } for  
pid=2622 comm="sudo" scontext=unconfined_u:system_r:openvpn_t:s0 
tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=process
type=SYSCALL msg=audit(1284210049.590:100): arch=40000003 syscall=75 
success=yes exit=0 a0=6 a1=bff9a1a8 a2=2afff4 a3=f01ce0 items=0 
ppid=2621 pid=2622 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" 
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1284210049.636:102): avc:  denied  { setsched } for  
pid=2622 comm="sudo" scontext=unconfined_u:system_r:openvpn_t:s0 
tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=process
type=SYSCALL msg=audit(1284210049.636:102): arch=40000003 syscall=97 
success=yes exit=0 a0=0 a1=0 a2=0 a3=bff99b34 items=0 ppid=2621 pid=2622 
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" 
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

Also during openvpn startup, but related to openvpn itself (the possible 
cause of this is the --setcon openvpn option!):

type=AVC msg=audit(1284210049.853:110): avc:  denied  { setcurrent } 
for  pid=2618 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 
tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=process
type=AVC msg=audit(1284210049.853:110): avc:  denied  { dyntransition } 
for  pid=2618 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 
tcontext=system_u:system_r:openvpn_t:s0 tclass=process
type=SYSCALL msg=audit(1284210049.853:110): arch=40000003 syscall=4 
success=yes exit=31 a0=6 a1=97125d0 a2=1f a3=97125d0 items=0 ppid=1 
pid=2618 auid=0 uid=498 gid=499 euid=498 suid=498 fsuid=498 egid=499 
sgid=499 fsgid=499 tty=(none) ses=1 comm="openvpn" 
exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)


On openvpn shutdown, I get very similar sudo-related permissions as I 
did during startup:

type=AVC msg=audit(1284209679.447:83): avc:  denied  { getattr } for  
pid=2589 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 ino=3226 
scontext=system_u:system_r:openvpn_t:s0 
tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284209679.447:83): arch=40000003 syscall=195 
success=yes exit=0 a0=9509630 a1=bfadafa0 a2=491ff4 a3=9509630 items=0 
ppid=2532 pid=2589 auid=0 uid=498 gid=499 euid=498 suid=498 fsuid=498 
egid=499 sgid=499 fsgid=499 tty=(none) ses=1 comm="<ip-script>" 
exe="/bin/bash" subj=system_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1284209679.453:84): avc:  denied  { execute } for  
pid=2589 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 
scontext=system_u:system_r:openvpn_t:s0 
tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284209679.453:84): arch=40000003 syscall=33 
success=yes exit=0 a0=9509630 a1=1 a2=491ff4 a3=9509630 items=0 
ppid=2532 pid=2589 auid=0 uid=498 gid=499 euid=498 suid=498 fsuid=498 
egid=499 sgid=499 fsgid=499 tty=(none) ses=1 comm="<ip-script>" 
exe="/bin/bash" subj=system_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1284209679.457:85): avc:  denied  { read open } for  
pid=2590 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 
scontext=system_u:system_r:openvpn_t:s0 
tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1284209679.457:85): avc:  denied  { execute_no_trans 
} for  pid=2590 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 
ino=3226 scontext=system_u:system_r:openvpn_t:s0 
tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284209679.457:85): arch=40000003 syscall=11 
success=yes exit=0 a0=9509630 a1=9508ae0 a2=9508888 a3=9508ae0 items=0 
ppid=2589 pid=2590 auid=0 uid=498 gid=499 euid=0 suid=0 fsuid=0 egid=499 
sgid=499 fsgid=499 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" 
subj=system_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1284209679.763:86): avc:  denied  { sys_resource } 
for  pid=2590 comm="sudo" capability=24  
scontext=system_u:system_r:openvpn_t:s0 
tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
type=AVC msg=audit(1284209679.763:86): avc:  denied  { setrlimit } for  
pid=2590 comm="sudo" scontext=system_u:system_r:openvpn_t:s0 
tcontext=system_u:system_r:openvpn_t:s0 tclass=process
type=SYSCALL msg=audit(1284209679.763:86): arch=40000003 syscall=75 
success=yes exit=0 a0=6 a1=bf9cfb38 a2=6dbff4 a3=fc1ce0 items=0 
ppid=2589 pid=2590 auid=0 uid=498 gid=499 euid=0 suid=0 fsuid=0 egid=499 
sgid=499 fsgid=499 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" 
subj=system_u:system_r:openvpn_t:s0 key=(null)

The above AVCs were produced when I switched SELinux to permissive mode 
(setenforce 0) otherwise I wasn't able to run openvpn at all.

Is there any way I could get rid of those AVCs?

I am also not sure whether { setcurrent dyntransition } process 
permissions should be allowed in the openvpn.te as, as far as I can see, 
these are directly related to the use of the --setcon openvpn option.
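One way to turn the denials above into something reviewable, as an added example that is not part of the original post: a small Python parser for the AVC record format, run over a constructed sample of the post's own records (joined back onto one line each). It groups denials by source type, target type and object class, the same grouping audit2allow performs, so each candidate rule (in particular the self:process setcurrent/dyntransition one that --setcon needs) can be judged on its own before any local policy module is built.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the AVC records quoted in the post, each joined onto one
# line (audit.log records are single lines). A SYSCALL record shows non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1284210049.555:96): avc:  denied  { getattr } for  pid=2621 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 ino=3226 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1284210049.555:96): arch=40000003 syscall=195 success=yes exit=0 comm="<ip-script>" exe="/bin/bash" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1284210049.564:99): avc:  denied  { open } for  pid=2622 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1284210049.564:99): avc:  denied  { execute_no_trans } for  pid=2622 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 ino=3226 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1284210049.590:100): avc:  denied  { sys_resource } for  pid=2622 comm="sudo" capability=24  scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=capability
type=AVC msg=audit(1284210049.853:110): avc:  denied  { setcurrent } for  pid=2618 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=process
type=AVC msg=audit(1284210049.853:110): avc:  denied  { dyntransition } for  pid=2618 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """user:role:type:level -> the type field."""
    return context.split(":")[2]

def parse_avcs(text):
    """One dict per AVC record; SYSCALL and other record types are skipped."""
    recs = [m.groupdict() for m in map(AVC_RE.match, text.splitlines()) if m]
    for r in recs:
        r["perms"] = set(r["perms"].split())  # e.g. "read open" -> {"read", "open"}
    return recs

def allow_rules(records):
    """Merge denials by (source type, target type, class) into allow-rule strings,
    the grouping audit2allow performs, so each candidate rule can be reviewed
    instead of being loaded wholesale."""
    merged = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            merged[(type_of(r["scon"]), type_of(r["tcon"]), r["tclass"])] |= r["perms"]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        target = "self" if t == s else t  # same type on both sides is written as self
        rules.append(f"allow {s} {target}:{c} {{ {' '.join(sorted(perms))} }};")
    return rules

def self_process_perms(records):
    """Permissions a domain asked for on its own processes; here setcurrent and
    dyntransition are the ones --setcon needs and the post questions."""
    return sorted({p for r in records if r["tclass"] == "process"
                   and type_of(r["scon"]) == type_of(r["tcon"]) for p in r["perms"]})
```

Records sharing one audit serial (such as :99 and :110 above) are kept as separate entries and merged only at the type/class level, which is what makes the resulting rule list short enough to read rule by rule.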

