openvpn and script execution

Dominick Grift domg472 at gmail.com
Sat Sep 11 15:03:27 UTC 2010 

On Sat, Sep 11, 2010 at 03:24:25PM +0100, Mr Dash Four wrote:
> I am trying to run openvpn within confined environment where the process 
> runs under limited user/group (called _openvpn) and also using a 
> specific SELinux context (allowed by openvpn itself when using the 
> --setcon option). As part of this setup I also use the --iproute 
> <ip-script>, --route-noexec and --route-up <route-up-script> options to 
> provide the running of /sbin/ip and other such commands requiring 
> privilege escalation (this is all done with sudo statements in those 
> scripts).
> 
> The role of the <ip-script> is to set the options of the tun0 device on 
> startup and then reset it when needed on ip address change or shutdown. 
> There is a 'filter' implemented in this script, which prohibits adding 
> or deleting routes (they are explicitly set with the route-up-script 
> during startup and are not touched until the shutdown script is called 
> when they are deleted and previous routes are then restored).
> 
> The role of the route-up-script is to set the routes, but just once (if 
> called more than once it exits with status 0).
> 
> The role of the shutdown script is to reset the tun0 device, remove 
> routes related to the openvpn and restore previous routes on the 
> internal network. The startup and shutdown scripts which are executed by 
> openvpn init.d script.
> 
> During startup and shutdown I am getting various AVCs, related, mainly 
> to sudo, but also to openvpn itself. Here they are:
> 
> During openvpn startup (sudo-related):
> 
> type=AVC msg=audit(1284210049.555:96): avc:  denied  { getattr } for  
> pid=2621 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 ino=3226 
> scontext=unconfined_u:system_r:openvpn_t:s0 
> tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1284210049.555:96): arch=40000003 syscall=195 
> success=yes exit=0 a0=8372838 a1=bfb19650 a2=b89ff4 a3=8372838 items=0 
> ppid=2618 pid=2621 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 tty=(none) ses=1 comm="<ip-script>" exe="/bin/bash" 
> subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
> type=AVC msg=audit(1284210049.558:97): avc:  denied  { execute } for  
> pid=2621 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 
> scontext=unconfined_u:system_r:openvpn_t:s0 
> tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1284210049.558:97): arch=40000003 syscall=33 
> success=yes exit=0 a0=8372838 a1=1 a2=b89ff4 a3=8372838 items=0 
> ppid=2618 pid=2621 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 tty=(none) ses=1 comm="<ip-script>" exe="/bin/bash" 
> subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
> type=AVC msg=audit(1284210049.559:98): avc:  denied  { read } for  
> pid=2621 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 
> scontext=unconfined_u:system_r:openvpn_t:s0 
> tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1284210049.559:98): arch=40000003 syscall=33 
> success=yes exit=0 a0=8372838 a1=4 a2=b89ff4 a3=8372838 items=0 
> ppid=2618 pid=2621 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 tty=(none) ses=1 comm="<ip-script>" exe="/bin/bash" 
> subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
> type=AVC msg=audit(1284210049.564:99): avc:  denied  { open } for  
> pid=2622 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 
> scontext=unconfined_u:system_r:openvpn_t:s0 
> tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
> type=AVC msg=audit(1284210049.564:99): avc:  denied  { execute_no_trans 
> } for  pid=2622 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 
> ino=3226 scontext=unconfined_u:system_r:openvpn_t:s0 
> tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1284210049.564:99): arch=40000003 syscall=11 
> success=yes exit=0 a0=8372838 a1=83716c0 a2=83713a8 a3=83716c0 items=0 
> ppid=2621 pid=2622 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" 
> subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
> type=AVC msg=audit(1284210049.590:100): avc:  denied  { sys_resource } 
> for  pid=2622 comm="sudo" capability=24  
> scontext=unconfined_u:system_r:openvpn_t:s0 
> tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=capability
> type=AVC msg=audit(1284210049.590:100): avc:  denied  { setrlimit } for  
> pid=2622 comm="sudo" scontext=unconfined_u:system_r:openvpn_t:s0 
> tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=process
> type=SYSCALL msg=audit(1284210049.590:100): arch=40000003 syscall=75 
> success=yes exit=0 a0=6 a1=bff9a1a8 a2=2afff4 a3=f01ce0 items=0 
> ppid=2621 pid=2622 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" 
> subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
> type=AVC msg=audit(1284210049.636:102): avc:  denied  { setsched } for  
> pid=2622 comm="sudo" scontext=unconfined_u:system_r:openvpn_t:s0 
> tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=process
> type=SYSCALL msg=audit(1284210049.636:102): arch=40000003 syscall=97 
> success=yes exit=0 a0=0 a1=0 a2=0 a3=bff99b34 items=0 ppid=2621 pid=2622 
> auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
> tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" 
> subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
> 
> Also during openvpn startup, but related to openvpn itself (the possible 
> cause of this is the --setcon openvpn option!):
> 
> type=AVC msg=audit(1284210049.853:110): avc:  denied  { setcurrent } 
> for  pid=2618 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 
> tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=process
> type=AVC msg=audit(1284210049.853:110): avc:  denied  { dyntransition } 
> for  pid=2618 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 
> tcontext=system_u:system_r:openvpn_t:s0 tclass=process
> type=SYSCALL msg=audit(1284210049.853:110): arch=40000003 syscall=4 
> success=yes exit=31 a0=6 a1=97125d0 a2=1f a3=97125d0 items=0 ppid=1 
> pid=2618 auid=0 uid=498 gid=499 euid=498 suid=498 fsuid=498 egid=499 
> sgid=499 fsgid=499 tty=(none) ses=1 comm="openvpn" 
> exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
> 
> 
> On openvpn shutdown, I get very similar sudo-related permissions as I 
> did during startup:
> 
> type=AVC msg=audit(1284209679.447:83): avc:  denied  { getattr } for  
> pid=2589 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 ino=3226 
> scontext=system_u:system_r:openvpn_t:s0 
> tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1284209679.447:83): arch=40000003 syscall=195 
> success=yes exit=0 a0=9509630 a1=bfadafa0 a2=491ff4 a3=9509630 items=0 
> ppid=2532 pid=2589 auid=0 uid=498 gid=499 euid=498 suid=498 fsuid=498 
> egid=499 sgid=499 fsgid=499 tty=(none) ses=1 comm="<ip-script>" 
> exe="/bin/bash" subj=system_u:system_r:openvpn_t:s0 key=(null)
> type=AVC msg=audit(1284209679.453:84): avc:  denied  { execute } for  
> pid=2589 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 
> scontext=system_u:system_r:openvpn_t:s0 
> tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1284209679.453:84): arch=40000003 syscall=33 
> success=yes exit=0 a0=9509630 a1=1 a2=491ff4 a3=9509630 items=0 
> ppid=2532 pid=2589 auid=0 uid=498 gid=499 euid=498 suid=498 fsuid=498 
> egid=499 sgid=499 fsgid=499 tty=(none) ses=1 comm="<ip-script>" 
> exe="/bin/bash" subj=system_u:system_r:openvpn_t:s0 key=(null)
> type=AVC msg=audit(1284209679.457:85): avc:  denied  { read open } for  
> pid=2590 comm="<ip-script>" name="sudo" dev=dm-0 ino=3226 
> scontext=system_u:system_r:openvpn_t:s0 
> tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
> type=AVC msg=audit(1284209679.457:85): avc:  denied  { execute_no_trans 
> } for  pid=2590 comm="<ip-script>" path="/usr/bin/sudo" dev=dm-0 
> ino=3226 scontext=system_u:system_r:openvpn_t:s0 
> tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1284209679.457:85): arch=40000003 syscall=11 
> success=yes exit=0 a0=9509630 a1=9508ae0 a2=9508888 a3=9508ae0 items=0 
> ppid=2589 pid=2590 auid=0 uid=498 gid=499 euid=0 suid=0 fsuid=0 egid=499 
> sgid=499 fsgid=499 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" 
> subj=system_u:system_r:openvpn_t:s0 key=(null)
> type=AVC msg=audit(1284209679.763:86): avc:  denied  { sys_resource } 
> for  pid=2590 comm="sudo" capability=24  
> scontext=system_u:system_r:openvpn_t:s0 
> tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
> type=AVC msg=audit(1284209679.763:86): avc:  denied  { setrlimit } for  
> pid=2590 comm="sudo" scontext=system_u:system_r:openvpn_t:s0 
> tcontext=system_u:system_r:openvpn_t:s0 tclass=process
> type=SYSCALL msg=audit(1284209679.763:86): arch=40000003 syscall=75 
> success=yes exit=0 a0=6 a1=bf9cfb38 a2=6dbff4 a3=fc1ce0 items=0 
> ppid=2589 pid=2590 auid=0 uid=498 gid=499 euid=0 suid=0 fsuid=0 egid=499 
> sgid=499 fsgid=499 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" 
> subj=system_u:system_r:openvpn_t:s0 key=(null)
> 
> The above AVCs were produced when I switched SELinux to permissive mode 
> (setenforce 0) otherwise I wasn't able to run openvpn at all.
> 
> Is there any way I could get rid of those AVCs?
> 
> I am also not sure whether { setcurrent dyntransition } process 
> permissions should be allowed in the openvpn.te as, as far as I can see, 
> these are directly related to the use of the --setcon openvpn option.

I guess current policy does not support the openvpn --setcon option. Also i am not sure what context you specified with --setcon but it looks like you specified the same context as openvpn was running in. You could implement this functionality i guess though. You would have to create some domains for openvpn to transition to.

I am not sure why you are using sudo. If the rc script runs the scripts then the scripts probably run as root.

I would probably try this another way, without having to dyntransition. I am not sure what runs the scripts other then the open vpn rc script. But you could probably simply create domains for each script and let the rc script domain transiton to each scripts domain, The you could probably also do some nice things with role based access control.

What scripts are there and who/what runs each of them? Why are the running sudo, what makes you think they need it?

> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100911/cc98e58d/attachment.bin

More information about the selinux mailing list