Bug 1165110
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | openvpn broken in selinux-policy-3.13.1-92.fc21.noarch | | |
| Product | Fedora | Reporter | James Patterson <jamespatterson> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 21 | CC | andreasfleig, awilliam, dominick.grift, drepper, drjohnson1, dwalsh, gareth, jsmith.fedora, junk, lvrabec, mgrepl, mruckman, ngc2997, nphilipp, pbonzini, plautrba, rui.gouveia, satellitgo, sbose, tmlcoch |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | AcceptedFreezeException | | |
| Fixed In Version | selinux-policy-3.13.1-99.fc21 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2014-12-03 17:15:32 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1043131 | | |
Description
James Patterson
2014-11-18 11:19:14 UTC
commit 802bb95180f5b10ddb78a46a4b088997ce6314df
Author: Miroslav Grepl <mgrepl>
Date:   Tue Nov 18 14:54:30 2014 +0100

    Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.

*** Bug 1165572 has been marked as a duplicate of this bug. ***

*** Bug 1165574 has been marked as a duplicate of this bug. ***

*** Bug 1165575 has been marked as a duplicate of this bug. ***

*** Bug 1164182 has been marked as a duplicate of this bug. ***

Description of problem:
I tried to connect to Red Hat VPN by Network Manager applet in Gnome 3 as usual (via OpenVPN), but this time, SELinux blocked it.

```
$ rpm -q libselinux selinux-policy selinux-policy-minimum NetworkManager NetworkManager-openvpn openvpn
libselinux-2.3-5.fc21.x86_64
selinux-policy-3.13.1-92.fc21.noarch
package selinux-policy-minimum is not installed
NetworkManager-0.9.10.0-13.git20140704.fc21.x86_64
NetworkManager-openvpn-0.9.9.0-3.20141110gitda5fb9b.fc21.x86_64
openvpn-2.3.4-4.fc21.x86_64
```

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Description of problem:
Tried to connect to an OpenVPN using the NetworkManager GUI.

Version-Release number of selected component:
selinux-policy-3.13.1-98.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

I just installed -98 from koji in the hopes that it would solve my NM/OpenVPN connection issues, but ran into the following. I'm not sure why setroubleshoot suggests enabling 'daemons_enable_cluster_mode' (I'm not familiar with that boolean), maybe it allows the access as a side-effect.
Here's the local module I installed on top of -98 with which NM can use OpenVPN again:

--- 8< --- localnmovpn.te ---
```
module localnmovpn 1.0;

require {
	type openvpn_t;
	type NetworkManager_t;
	class unix_stream_socket connectto;
}

#============= NetworkManager_t ==============
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow NetworkManager_t openvpn_t:unix_stream_socket connectto;
```
--- >8 ----------------------

```
SELinux is preventing /usr/libexec/nm-openvpn-service from 'connectto' accesses on the unix_stream_socket /run/NetworkManager/nm-openvpn-4c73ea1d-b59d-49dc-96ef-7b1a58e2137f.

*****  Plugin catchall_boolean (89.3 confidence) suggests  ******************

If you want to enable cluster mode for daemons.
Then you must tell SELinux about this by enabling the 'daemons_enable_cluster_mode' boolean.
You can read 'openvpn_selinux' man page for more details.
Do
setsebool -P daemons_enable_cluster_mode 1

*****  Plugin catchall (11.6 confidence) suggests  **************************

If you believe that nm-openvpn-service should be allowed connectto access on the nm-openvpn-4c73ea1d-b59d-49dc-96ef-7b1a58e2137f unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep nm-openvpn-serv /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:system_r:openvpn_t:s0
Target Objects                /run/NetworkManager/nm-openvpn-4c73ea1d-b59d-49dc-96ef-7b1a58e2137f [ unix_stream_socket ]
Source                        nm-openvpn-serv
Source Path                   /usr/libexec/nm-openvpn-service
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-openvpn-0.9.9.0-3.20141110gitda5fb9b.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-98.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.17.3-300.fc21.x86_64 #1 SMP Fri Nov 14 23:36:19 UTC 2014 x86_64 x86_64
Alert Count                   63
First Seen                    2014-11-19 00:20:33 CET
Last Seen                     2014-11-20 09:02:59 CET
Local ID                      bd395b04-fcb9-4699-9db7-949941da0a88

Raw Audit Messages
type=AVC msg=audit(1416470579.476:494): avc:  denied  { connectto } for  pid=3206 comm="nm-openvpn-serv" path="/run/NetworkManager/nm-openvpn-4c73ea1d-b59d-49dc-96ef-7b1a58e2137f" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=unix_stream_socket permissive=0

type=SYSCALL msg=audit(1416470579.476:494): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7ffffed4fbc0 a2=6e a3=1 items=0 ppid=1 pid=3206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nm-openvpn-serv exe=/usr/libexec/nm-openvpn-service subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Hash: nm-openvpn-serv,NetworkManager_t,openvpn_t,unix_stream_socket,connectto
```

I can confirm that with selinux-policy-3.13.1-98 and daemons_enable_cluster_mode on, my OpenVPN issues are gone. If daemons_enable_cluster_mode is off, I see the same warnings as Nils.
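The denial quoted in the comments above, parsed and reduced to the narrowest allow rule that covers it. This is an added example, not code from the report, from setroubleshoot or from selinux-policy: it reimplements the small part of audit2allow's job that matters here, and runs on the AVC line copied from the report plus one constructed SYSCALL record so that the parser has to skip a non-AVC line. The module name localnmovpn is taken from the comment above; the function names are the example's own. The point it makes is the one Nils raised: the boolean setroubleshoot proposes is meant for cluster daemons and reaches well beyond these two domains, whereas the rule derived from the denial itself grants exactly one permission between exactly one source and one target type.

```python
"""Triage raw SELinux AVC denials and derive the narrowest covering allow rule.

Added example for this report; not code from the bug, setroubleshoot or
selinux-policy. Field names follow the kernel audit format seen in the
report: scontext=, tcontext=, tclass= and the brace-delimited permission list.
"""
import re

# Constructed sample: the AVC line quoted in the report (verbatim) followed by
# the SYSCALL record of the same event; only the AVC line carries policy data.
SAMPLE_LOG = """\
type=AVC msg=audit(1416470579.476:494): avc:  denied  { connectto } for  pid=3206 comm="nm-openvpn-serv" path="/run/NetworkManager/nm-openvpn-4c73ea1d-b59d-49dc-96ef-7b1a58e2137f" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1416470579.476:494): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7ffffed4fbc0 a2=6e a3=1 items=0 ppid=1 pid=3206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nm-openvpn-serv exe=/usr/libexec/nm-openvpn-service subj=system_u:system_r:NetworkManager_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """user:role:type[:level] -> type. The MLS level may itself contain colons."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a record dict for AVC lines, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": _type_of(fields["scontext"]),
        "target_type": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but not actually blocked
        "permissive": fields.get("permissive") == "1",
        "comm": fields.get("comm"),
        "path": fields.get("path"),
    }


def parse_audit_log(text):
    """All AVC records in an audit.log excerpt, in order; other record types are skipped."""
    records = (parse_avc(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def allow_rule(rec):
    """The single allow rule that covers this denial, in .te syntax."""
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (rec["source_type"], rec["target_type"], rec["tclass"], perm_text)


def local_module(name, records):
    """Render a minimal local policy module (.te) covering the given denials.

    Only the listed source/target pairs gain only the listed permissions; this
    is the scoped alternative to flipping a system-wide boolean. Repeated
    denials (the report shows an alert count of 63) collapse to one rule.
    """
    types = sorted({r["source_type"] for r in records} | {r["target_type"] for r in records})
    classes = {}
    for r in records:
        classes.setdefault(r["tclass"], set()).update(r["perms"])
    rules = []
    for r in records:
        rule = allow_rule(r)
        if rule not in rules:
            rules.append(rule)
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ["}", ""] + rules
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    for r in recs:
        print("%s %s -> %s:%s %s" % (r["result"], r["source_type"], r["target_type"],
                                    r["tclass"], " ".join(r["perms"])))
    print(local_module("localnmovpn", recs))
```

On a real system the input would come from `ausearch -m AVC -c nm-openvpn-serv` rather than the embedded sample, and the rendered .te is built and loaded the usual way (`checkmodule -M -m -o localnmovpn.mod localnmovpn.te`, `semodule_package -o localnmovpn.pp -m localnmovpn.mod`, `semodule -i localnmovpn.pp`). Once the fixed policy is installed, `sesearch -A -s NetworkManager_t -t openvpn_t -c unix_stream_socket -p connectto` should show the rule in the base policy, at which point the local module is redundant and can go with `semodule -r localnmovpn`.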
commit 7f138069a05a7940b0da1578d12f703d978b7020
Author: Lukas Vrabec <lvrabec>
Date:   Thu Nov 20 11:27:57 2014 +0100

    Allow NetworkManager stream connect on openvpn.
    BZ(1165110)

Thank you, with selinux-policy-3.13.1-99.fc21 OpenVPN works even if daemons_enable_cluster_mode is off.

selinux-policy-3.13.1-99.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-99.fc21

Description of problem:
Trying to connect office VPN.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

selinux-policy-3.13.1-99.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-99.fc21

Proposing as a freeze exception - without this, people will hit AVCs trying to set up OpenVPN connections from the Workstation live.

+1 to Freeze Exception

+1 to Freeze Exception

Ensuring that a user can VPN from the live image is a common use case.

I figure this is fairly non-controversial so +3 from me, Dennis and d johnson (another QA folk) seems like enough to say AcceptedFreezeException, let's get it in RC1.

+1 FE for me as well.

Description of problem:
I set up openvpn after I installed the machine. Using the networkmanager GUI (Gnome) worked, I could start and stop the connection. Now after some updates and/or reboots I get the SELinux error.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-300.fc21.x86_64
type:           libreport

3.13.1-100 indeed seems to fix the issue and nothing negative is observed either.

Everything should be fine with this build selinux-policy-3.13.1-99.fc21.
http://koji.fedoraproject.org/koji/buildinfo?buildID=594484

yes, this was nominated as FE so we could put -99 in Final RC1, basically.
Description of problem:
Trying to connect with OpenVPN

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Description of problem:
Attempting to connect to a VPN using NetworkManager-OpenVPN

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

selinux-policy-3.13.1-99.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:
Attempted to connect to OpenVPN server from NetworkManager and SELinux Alert popped up.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-300.fc21.x86_64
type:           libreport