Bug 1164182 - SELinux prevents openvpn from accessing management socket
Summary: SELinux prevents openvpn from accessing management socket
Keywords:
Status: CLOSED DUPLICATE of bug 1165110
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1164186
Depends On:
Blocks:
Reported: 2014-11-14 09:33 UTC by Andreas Fleig
Modified: 2014-11-19 13:51 UTC (History)
CC List: 12 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-19 13:51:01 UTC
Type: Bug
Embargoed:



Description Andreas Fleig 2014-11-14 09:33:01 UTC
Description of problem:

NetworkManager-openvpn uses a management socket to send credentials to
openvpn child processes. In the latest package version, this socket is now a
Unix socket below /run/NetworkManager. SELinux prevents openvpn from accessing
this socket.


Version-Release number of selected component (if applicable):

NetworkManager-openvpn.3.20141110gitda5fb9b.fc21 (updates-testing)
selinux-policy.3.13.1


How reproducible:
always


Steps to Reproduce:
1. Create an OpenVPN connection through NetworkManager
2. Try to connect


Actual results:
SELinux prevents openvpn from accessing /var/run/NetworkManager, and therefore
openvpn never gets the credentials for the connection.


Expected results:
SELinux should allow openvpn to access the management socket (although not necessarily below /run/NetworkManager)


Additional info:

NetworkManager-openvpn, previously:
https://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.c?id=738fa8edb684e0968f1d52327e978066bca82484#n1123

NetworkManager-openvpn, now:
https://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.c?id=da5fb9#n1187


SETroubleshoot Details:

SELinux is preventing openvpn from search access on the directory NetworkManager.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that openvpn should be allowed search access on the NetworkManager directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                NetworkManager [ dir ]
Source                        openvpn
Source Path                   openvpn
Port                          <Unknown>
Host                          lski-029
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-92.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lski-029
Platform                      Linux lski-029 3.17.2-300.fc21.x86_64 #1 SMP Thu
                              Oct 30 19:23:48 UTC 2014 x86_64 x86_64
Alert Count                   3
First Seen                    2014-11-14 09:36:18 CET
Last Seen                     2014-11-14 09:37:49 CET
Local ID                      f8abf0db-94b8-4aa5-b847-71d616e60e50

Raw Audit Messages
type=AVC msg=audit(1415954269.733:4013): avc:  denied  { search } for  pid=7508 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=19883 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0


Hash: openvpn,openvpn_t,NetworkManager_var_run_t,dir,search

Comment 1 Lukas Vrabec 2014-11-14 11:50:48 UTC
*** Bug 1164186 has been marked as a duplicate of this bug. ***

Comment 2 Lukas Vrabec 2014-11-14 11:56:11 UTC
commit 1e7882e582e0d769e87263dd0f1dcb0feaa663b3
Author: Lukas Vrabec <lvrabec>
Date:   Fri Nov 14 12:54:40 2014 +0100

    Allow openvpn to stream connect to networkmanager. BZ(1164182)

Comment 3 Sumit Bose 2014-11-14 17:02:27 UTC
I now get 

type=AVC msg=audit(1415984220.840:449): avc:  denied  { write } for  pid=2327 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=21852 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0

with selinux-policy-3.13.1-96.fc21.

Comment 4 Suren Karapetyan 2014-11-17 08:30:37 UTC
Description of problem:
1. Create an openvpn connection with a pre-shared key from the user's home directory (might or might not be important)
2. Activate the connection

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.2-300.fc21.x86_64
type:           libreport

Comment 5 Dawid Zamirski 2014-11-17 12:38:25 UTC
Description of problem:
Tried to connect to openvpn network.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.2-300.fc21.x86_64
type:           libreport

Comment 6 L.L.Robinson 2014-11-18 21:15:44 UTC
Description of problem:
Starting an existing VPN 

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.2-300.fc21.x86_64
type:           libreport

Comment 7 Paolo Bonzini 2014-11-19 09:14:11 UTC
Description of problem:
See also bug 1165572.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Comment 8 Sumit Bose 2014-11-19 09:26:49 UTC
I get the following with selinux-policy-3.13.1-96.fc21.noarch in permissive mode:

# ausearch -ts recent -m AVC
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1041): avc:  denied  { write } for  pid=26587 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=22979 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1042): avc:  denied  { remove_name } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" dev="tmpfs" ino=52653 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1043): avc:  denied  { unlink } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" dev="tmpfs" ino=52653 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file permissive=1
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1044): avc:  denied  { add_name } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1045): avc:  denied  { create } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file permissive=1



or in short

# ausearch -ts recent -m AVC | audit2allow


#============= openvpn_t ==============
allow openvpn_t NetworkManager_var_run_t:dir { write remove_name add_name };
allow openvpn_t NetworkManager_var_run_t:sock_file { create unlink };


HTH

bye,
Sumit
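The AVC records quoted in this thread (the enforcing-mode search denial in the description and the five permissive-mode denials in comment 8) are the raw input that audit2allow condenses into the two allow rules comment 8 shows. The Python below is an added example for this page; it is not part of selinux-policy, setroubleshoot or audit2allow. It parses those records (embedded as a constructed sample assembled from the lines quoted above), groups them by source type, target type and object class the way audit2allow does, and separately reports which denials carried permissive=0, since only those actually blocked openvpn; the permissive=1 records in comment 8 were logged but not enforced.

```python
"""Parse SELinux AVC denial records and summarise them as policy allow rules.

Added example for this bug thread; not part of selinux-policy, setroubleshoot
or audit2allow. It reproduces the grouping audit2allow does in comment 8 and
adds an enforcing-mode check that audit2allow's summary does not show.
"""
import re
from collections import defaultdict

# Constructed sample built from the AVC records quoted in this bug
# (comment 0 under the old policy, comment 8 in permissive mode).
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1415954269.733:4013): avc:  denied  { search } for  pid=7508 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=19883 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1416388964.261:1041): avc:  denied  { write } for  pid=26587 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=22979 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1416388964.261:1042): avc:  denied  { remove_name } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" dev="tmpfs" ino=52653 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1416388964.261:1043): avc:  denied  { unlink } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" dev="tmpfs" ino=52653 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1416388964.261:1044): avc:  denied  { add_name } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1416388964.261:1045): avc:  denied  { create } for  pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file permissive=1
"""

# "avc:  denied  { write remove_name } for  ..." -> the permission list
_DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\b")
# key=value pairs; values are either double-quoted or a bare token
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one kernel AVC denial, or None otherwise.

    Only type=AVC records are handled; USER_AVC (userspace object managers
    such as dbus) use a different layout and are skipped here.
    """
    m = _DENIED_RE.search(line)
    if m is None or "type=AVC" not in line:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    try:
        return {
            "perms": set(m.group(1).split()),
            # context = user:role:type:level; policy rules are written on the type
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "comm": fields.get("comm", ""),
            "name": fields.get("name", ""),
            # permissive=0 means the access was really blocked, not just logged
            "enforced": fields.get("permissive") == "0",
        }
    except (KeyError, IndexError):
        return None  # malformed record: skip it rather than guess


def parse_avc_log(text):
    """Parse every AVC denial in a block of audit.log / ausearch output."""
    return [rec for rec in map(parse_avc, text.splitlines()) if rec]


def allow_rules(records):
    """Group denials by (source, target, class) into audit2allow-style rules.

    Permissions are emitted sorted so the output is deterministic; audit2allow
    itself prints them in the order it encountered them.
    """
    grouped = defaultdict(set)
    for rec in records:
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        grouped[key] |= rec["perms"]
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


def enforced_denials(records):
    """Denials recorded in enforcing mode, i.e. the ones that broke something."""
    return [rec for rec in records if rec["enforced"]]


if __name__ == "__main__":
    recs = parse_avc_log(SAMPLE_AVC_LOG)
    print("#============= openvpn_t ==============")
    for rule in allow_rules(recs):
        print(rule)
    for rec in enforced_denials(recs):
        print("enforced: %s denied %s on %s (%s)" % (
            rec["comm"], " ".join(sorted(rec["perms"])), rec["name"], rec["tclass"]))
```

Because the sample combines the description's denial with comment 8's, the dir rule ends up with search as well as write, remove_name and add_name; that matches the progression in the thread, where the search access was granted first (comment 2) and the remaining directory and sock_file permissions surfaced afterwards in comment 3 and comment 8. The generated rules are a summary of what was denied, not a recommendation to load them: the setroubleshoot text in the description offers a local module as a stopgap, but the thread resolved the problem in selinux-policy itself (comment 2 and bug 1165110), which keeps the openvpn_t domain's permissions under distribution policy review instead of an ad-hoc local allow.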

Comment 9 Lukas Vrabec 2014-11-19 13:51:01 UTC

*** This bug has been marked as a duplicate of bug 1165110 ***

