-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Zoltan Kota wrote:
> Hi,
>
> In my F10 installation SELinux seems to prevent openvpn from working. After
> connection openvpn wants to modify /etc/resolv.conf, which is not
> allowed, I think.
>
> I start openvpn by the command
>
> [root@~]# /etc/init.d/openvpn start
>
> and I get selinux messages like this:
>
> ---
> Summary:
> SELinux is preventing cp (openvpn_t) "write" to ./etc (etc_t).
>
> Detailed Description:
> SELinux is preventing cp (openvpn_t) "write" to ./etc (etc_t). The SELinux type
> etc_t, is a generic type for all files in the directory and very few processes
> (SELinux Domains) are allowed to write to this SELinux type. This type of denial
> usual indicates a mislabeled file. By default a file created in a directory has
> the gets the context of the parent directory, but SELinux policy has rules about
> the creation of directories, that say if a process running in one SELinux Domain
> (D1) creates a file in a directory with a particular SELinux File Context (F1)
> the file gets a different File Context (F2). The policy usually allows the
> SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for
> some reason a file (./etc) was created with the wrong context, this domain will
> be denied. The usual solution to this problem is to reset the file context on
> the target file, restorecon -v './etc'. If the file context does not change from
> etc_t, then this is probably a bug in policy. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
> package. If it does change, you can try your application again to see if it
> works. The file context could have been mislabeled by editing the file or moving
> the file from a different directory, if the file keeps getting mislabeled, check
> the init scripts to see if they are doing something to mislabel the file.
>
> Allowing Access:
> You can attempt to fix file context by executing restorecon -v './etc'
>
> Fix Command:
> restorecon './etc'
>
> Additional Information:
> Source Context                unconfined_u:system_r:openvpn_t:s0
> Target Context                system_u:object_r:etc_t:s0
> Target Objects                ./etc [ dir ]
> Source                        cp
> Source Path                   /bin/cp
> Port                          <Unknown>
> ...
> -
> Summary:
> SELinux is preventing dns.up (openvpn_t) "write" to ./resolv.conf (net_conf_t).
>
> Detailed Description:
> SELinux denied access requested by dns.up. It is not expected that this access
> is required by dns.up and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for ./resolv.conf,
>
> restorecon -v './resolv.conf'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
> Source Context                unconfined_u:system_r:openvpn_t:s0
> Target Context                system_u:object_r:net_conf_t:s0
> Target Objects                ./resolv.conf [ file ]
> Source                        dns.up
> Source Path                   /bin/bash
> Port                          <Unknown>
> ...
> -
> Summary:
> SELinux is preventing dns.up (openvpn_t) "write" openvpn_t.
>
> Detailed Description:
> SELinux denied access requested by dns.up. It is not expected that this access
> is required by dns.up and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
> Source Context                unconfined_u:system_r:openvpn_t:s0
> Target Context                unconfined_u:system_r:openvpn_t:s0
> Target Objects                pipe [ fifo_file ]
> Source                        dns.up
> Source Path                   /bin/bash
> Port                          <Unknown>
> ...
> -
> Summary:
> SELinux is preventing cut (openvpn_t) "getattr" openvpn_t.
>
> Detailed Description:
> SELinux denied access requested by cut. It is not expected that this access is
> required by cut and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
> Source Context                unconfined_u:system_r:openvpn_t:s0
> Target Context                unconfined_u:system_r:openvpn_t:s0
> Target Objects                pipe [ fifo_file ]
> Source                        dns.up
> Source Path                   /bin/bash
> Port                          <Unknown>
> ...
> -
> Summary:
> SELinux is preventing cut (openvpn_t) "read" openvpn_t.
>
> Detailed Description:
> SELinux denied access requested by cut. It is not expected that this access is
> required by cut and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
> Source Context                unconfined_u:system_r:openvpn_t:s0
> Target Context                unconfined_u:system_r:openvpn_t:s0
> Target Objects                pipe [ fifo_file ]
> Source                        dns.up
> Source Path                   /bin/bash
> Port                          <Unknown>
> ...
> -
> Summary:
> SELinux is preventing dns.up (openvpn_t) "append" to ./resolv.conf (net_conf_t).
>
> Detailed Description:
> SELinux denied access requested by dns.up. It is not expected that this access
> is required by dns.up and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for ./resolv.conf,
>
> restorecon -v './resolv.conf'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
> Source Context                unconfined_u:system_r:openvpn_t:s0
> Target Context                system_u:object_r:net_conf_t:s0
> Target Objects                ./resolv.conf [ file ]
> Source                        dns.up
> Source Path                   /bin/bash
> Port                          <Unknown>
> ...
>
> ---
>
> How could I enable openvpn to work without disabling selinux?
> Z

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-30.fc10
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk2o+AACgkQrlYvE4MpobPmkQCcDaxoFl14k1IgSEe5rBlB9+nS
HXcAoIcmEvVUIkN1wdGBeh9AEc2cdSoP
=9BZ3
-----END PGP SIGNATURE-----

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
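The reply's two commands feed the AVC records in audit.log to audit2allow and load the resulting module with semodule. The following is an added example, not code from the thread or from the SELinux tools: a simplified Python re-implementation of the parsing and rule-drafting step, so a reader can see which allow rules such a module would contain before installing it. The audit records are constructed to match the denials in the quoted setroubleshoot report (pids, inodes and timestamps are made up), and the GENERIC_TYPES set is an assumption used only to flag denials that the report itself says usually indicate a mislabeled file.

```python
"""Triage SELinux AVC denials and draft an audit2allow-style local policy.

Added example, not the SELinux project's code: a simplified version of what
`audit2allow -M mypol -i audit.log` derives from AVC records.
"""
import re
from collections import defaultdict

# Constructed sample records (assumption), shaped like the AVC lines behind the
# quoted setroubleshoot report: cp writing under etc_t, dns.up writing and
# appending to net_conf_t, cut touching a pipe in its own domain.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1228750000.123:45): avc:  denied  { write } for  pid=2345 comm="cp" name="etc" dev=dm-0 ino=12 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1228750000.456:46): avc:  denied  { write } for  pid=2346 comm="dns.up" name="resolv.conf" dev=dm-0 ino=34 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1228750000.457:47): avc:  denied  { append } for  pid=2346 comm="dns.up" name="resolv.conf" dev=dm-0 ino=34 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1228750000.458:48): avc:  denied  { getattr read } for  pid=2347 comm="cut" path="pipe:[5678]" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:system_r:openvpn_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1228750000.458:48): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"comm=\"(?P<comm>[^\"]*)\".*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Types the quoted report calls "generic": a denial on one of these usually
# means a mislabeled file, so restorecon is the first thing to try, not a new
# policy rule. Illustrative list (assumption), not exhaustive.
GENERIC_TYPES = {"etc_t"}


def context_type(ctx):
    """Return the type field of a user:role:type:level context string."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse every AVC 'denied' record in text; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and similar records carry no access decision
        denials.append({
            "perms": set(m.group("perms").split()),
            "comm": m.group("comm"),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def labeling_suspects(denials):
    """Denials on a generic target type: check labeling before touching policy."""
    return [d for d in denials if d["ttype"] in GENERIC_TYPES]


def summarize(denials):
    """Union the denied permissions per (source type, target type, class)."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(grouped)


def to_te(summary, module="mypol"):
    """Render the summary as type-enforcement source in audit2allow's layout."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in summary.items():
        types.update({stype, ttype})
        classes[tclass] |= perms
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = "self" if stype == ttype else ttype  # same-type target is written as self
        plist = " ".join(sorted(perms))
        perm_str = plist if len(perms) == 1 else f"{{ {plist} }}"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT_LOG)
    for d in labeling_suspects(found):
        print(f"# {d['comm']}: target type {d['ttype']} is generic, try restorecon first")
    print(to_te(summarize(found)))
```

Running the block prints a module with `allow openvpn_t net_conf_t:file { append write };` and `allow openvpn_t self:fifo_file { getattr read };`, plus a flagged `allow openvpn_t etc_t:dir write;` that mirrors the report's own advice: a write denied on the generic etc_t type is more often a labeling problem than a missing rule. The real audit2allow additionally honours `-l` (records since the last policy reload) and knows the policy's interfaces and booleans; this version only shows the shape of the rules that `semodule -i mypol.pp` would install, which is what you want to read before loading them.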