OpenVPN SELinux Permission Denied

centos6openvpnselinux

I am running CentOS 6.4.

# cat /etc/centos-release
CentOS release 6.4 (Final)

After some updates, and a reboot, OpenVPN fails to start.

# service openvpn start
Starting openvpn:                                          [FAILED]

/var/log/messages shows the following output on openvpn:

Nov 13 14:09:58 host kernel: type=1400 audit(1384344598.334:39761): avc:  denied  { read write } for  pid=5777 comm="openvpn" name="openvpn" dev=dm-0 ino=54527865 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir
Nov 13 14:09:58 host openvpn[5777]: Options error: --status fails with '/var/log/openvpn/openvpn-status.log': Permission denied

So apparently it's an SELinux problem.

I tried updating to openvpn-2.3.2-2.el6.x86_64 as per this bug report but no success. How should I debug / fix this?

EDIT: Thanks to both Iain and Jiri Xichtkniha. I changed to location of the log file in /etc/openvpn/server.conf to read

status /var/log/openvpn-status.log

which works with current policy.

Best Answer

A quick fix would be to change the log file to be /var/log/openvpn-status.log as the openvpn process is running as openvpn_t and it has permission within the policy to write to files labelled var_log_t (as /var/log should be).

The default context for /var/log/openvpn is openvpn_var_log_t

matchpathcon /var/log/openvpn
/var/log/openvpn        system_u:object_r:openvpn_var_log_t:s0

A longer process that requires slightly more management is to allow openvpn_t to write to openvpn_var_log_t which is the context that /var/log/openvpn gets e.g.

echo "host kernel: type=1400 audit(1384344598.334:39761): avc:  denied  { read write } for  pid=5777 comm="openvpn" name="openvpn" dev=dm-0 ino=54527865 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir" | audit2allow -M localOpenVpn

which will generate a .pp file that you can install

semodule -i localOpenVpn.pp

Don't forget to store the localOpenVpn.te and localOpenVpn.pp somewhere safe.

For Jiri Xichtkniha

If you look at the generated .te file amongst other things it says

#============= openvpn_t ==============  
#!!!! The source type 'openvpn_t' can write to a 'dir' of the following types:
# net_conf_t, pcscd_var_run_t, openvpn_etc_t, openvpn_tmp_t, openvpn_var_run_t, 
  tmp_t, etc_t, var_run_t, var_log_t, krb5_host_rcache_t, tmp_t, cluster_var_lib_t,
  cluster_var_run_t, root_t, cluster_conf_t

Note that openvpn_var_log_t isn't listed.

Related Solutions

SELinux AVC denies at boot

The target types are file_t. That normally is the case where no type was ever set on the file and that is the default.

You'll need to relabel the filesystem in order to get things going again.

Normally the command fixfiles is used for this on redhat but I'm pretty sure that relates to RPM databases for some work so isn't likely as relevent in gentoo. You should be able to use restorecon though.

You'll need to boot into a permissive mode to try and relabel the filesystem.

Centos 6.3 PERL CGI selinux file read access

One way is with the 'chcon' command with the following:

chcon -Rv --type=httpd_sys_content_t /var/log/trafcount

This will get you access across reboots, but not across SELinux relabelings. In the long run, I'd suggest creating a custom type and creating a rule for that in SELinux so that both /var/log and Apache can happily continue to use it.

Source: http://wiki.centos.org/HowTos/SELinux (Lots of great stuff on SELinux under CentOS in there)

Best Answer

Related Solutions

SELinux AVC denies at boot

Centos 6.3 PERL CGI selinux file read access

Related Topic