Bug 1165110 - openvpn broken in selinux-policy-3.13.1-92.fc21.noarch
Summary: openvpn broken in selinux-policy-3.13.1-92.fc21.noarch
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedFreezeException
Duplicates: 1164182 1165572 1165574 1165575
Depends On:
Blocks: F21FinalFreezeException
Reported: 2014-11-18 11:19 UTC by James Patterson
Modified: 2014-12-07 22:18 UTC (History)
CC: 20 users

Fixed In Version: selinux-policy-3.13.1-99.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-12-03 17:15:32 UTC
Type: Bug
Embargoed:



Description James Patterson 2014-11-18 11:19:14 UTC
Description of problem:


Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                NetworkManager [ dir ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          host
Source RPM Packages           openvpn-2.3.4-4.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-92.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host
Platform                      Linux host 3.17.3-300.fc21.x86_64 #1 SMP Fri Nov
                              14 23:36:19 UTC 2014 x86_64 x86_64
Alert Count                   11
First Seen                    2014-11-17 12:31:02 CET
Last Seen                     2014-11-17 12:33:06 CET
Local ID                      a9ad2518-134e-4058-a3b5-4da330e61e6b

Raw Audit Messages
type=AVC msg=audit(1416223986.24:661): avc:  denied  { search } for  pid=4465 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=21098 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1416223986.24:661): arch=x86_64 syscall=bind success=no exit=EACCES a0=4 a1=7f35cba97464 a2=6e a3=21 items=0 ppid=4464 pid=4465 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=openvpn exe=/usr/sbin/openvpn subj=system_u:system_r:openvpn_t:s0 key=(null)

Hash: openvpn,openvpn_t,NetworkManager_var_run_t,dir,search


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Miroslav Grepl 2014-11-19 12:50:55 UTC
commit 802bb95180f5b10ddb78a46a4b088997ce6314df
Author: Miroslav Grepl <mgrepl>
Date:   Tue Nov 18 14:54:30 2014 +0100

    Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.

Comment 2 Lukas Vrabec 2014-11-19 13:50:19 UTC
*** Bug 1165572 has been marked as a duplicate of this bug. ***

Comment 3 Lukas Vrabec 2014-11-19 13:50:34 UTC
*** Bug 1165574 has been marked as a duplicate of this bug. ***

Comment 4 Lukas Vrabec 2014-11-19 13:50:45 UTC
*** Bug 1165575 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2014-11-19 13:51:01 UTC
*** Bug 1164182 has been marked as a duplicate of this bug. ***

Comment 6 Tomas Mlcoch 2014-11-19 13:59:53 UTC
Description of problem:
I tried to connect to Red Hat VPN by Network Manager applet in Gnome 3 as usual (via OpenVPN), but this time, SELinux blocked it.

$ rpm -q libselinux selinux-policy selinux-policy-minimum NetworkManager NetworkManager-openvpn openvpn
libselinux-2.3-5.fc21.x86_64
selinux-policy-3.13.1-92.fc21.noarch
package selinux-policy-minimum is not installed
NetworkManager-0.9.10.0-13.git20140704.fc21.x86_64
NetworkManager-openvpn-0.9.9.0-3.20141110gitda5fb9b.fc21.x86_64
openvpn-2.3.4-4.fc21.x86_64

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Comment 7 Nils Philippsen 2014-11-20 08:19:59 UTC
Description of problem:
Tried to connect to an OpenVPN using the NetworkManager GUI.

Version-Release number of selected component:
selinux-policy-3.13.1-98.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Comment 8 Nils Philippsen 2014-11-20 08:22:29 UTC
I just installed -98 from koji in the hopes that it would solve my NM/OpenVPN connection issues, but ran into the following. I'm not sure why setroubleshoot suggests enabling 'daemons_enable_cluster_mode' (I'm not familiar with that boolean), maybe it allows the access as a side-effect. Here's the local module I installed on top of -98 with which NM can use OpenVPN again:

--- 8< --- localnmovpn.te ---
module localnmovpn 1.0;

require {
	type openvpn_t;
	type NetworkManager_t;
	class unix_stream_socket connectto;
}

#============= NetworkManager_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow NetworkManager_t openvpn_t:unix_stream_socket connectto;
--- >8 ----------------------

==========================================

SELinux is preventing /usr/libexec/nm-openvpn-service from 'connectto' accesses on the unix_stream_socket /run/NetworkManager/nm-openvpn-4c73ea1d-b59d-49dc-96ef-7b1a58e2137f.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to enable cluster mode for daemons.
Then you must tell SELinux about this by enabling the 'daemons_enable_cluster_mode' boolean.
You can read 'openvpn_selinux' man page for more details.
Do
setsebool -P daemons_enable_cluster_mode 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that nm-openvpn-service should be allowed connectto access on the nm-openvpn-4c73ea1d-b59d-49dc-96ef-7b1a58e2137f unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep nm-openvpn-serv /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:system_r:openvpn_t:s0
Target Objects                /run/NetworkManager/nm-openvpn-4c73ea1d-b59d-49dc-
                              96ef-7b1a58e2137f [ unix_stream_socket ]
Source                        nm-openvpn-serv
Source Path                   /usr/libexec/nm-openvpn-service
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-
                              openvpn-0.9.9.0-3.20141110gitda5fb9b.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-98.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.17.3-300.fc21.x86_64 #1 SMP Fri
                              Nov 14 23:36:19 UTC 2014 x86_64 x86_64
Alert Count                   63
First Seen                    2014-11-19 00:20:33 CET
Last Seen                     2014-11-20 09:02:59 CET
Local ID                      bd395b04-fcb9-4699-9db7-949941da0a88

Raw Audit Messages
type=AVC msg=audit(1416470579.476:494): avc:  denied  { connectto } for  pid=3206 comm="nm-openvpn-serv" path="/run/NetworkManager/nm-openvpn-4c73ea1d-b59d-49dc-96ef-7b1a58e2137f" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=unix_stream_socket permissive=0


type=SYSCALL msg=audit(1416470579.476:494): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7ffffed4fbc0 a2=6e a3=1 items=0 ppid=1 pid=3206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nm-openvpn-serv exe=/usr/libexec/nm-openvpn-service subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Hash: nm-openvpn-serv,NetworkManager_t,openvpn_t,unix_stream_socket,connectto

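The two AVC records quoted on this page (the openvpn_t "search" denial in the description and the NetworkManager_t "connectto" denial in comment 8) are the raw material that setroubleshoot turns into the "Hash:" line and that audit2allow turns into an allow rule. The following is an added example, written for this page rather than taken from the bug or from selinux-policy, that parses such records into those fields. The two sample lines are copied from the page; the hash layout (comm, source type, target type, class, permissions) and the allow-rule layout are reproduced from what the page itself shows, not from the setroubleshoot source.

```python
"""Parse SELinux AVC denial records into the fields setroubleshoot hashes
and audit2allow emits as an allow rule.

Added example for this bug page; not code from the bug, from setroubleshoot,
or from selinux-policy. The audit lines below are constructed from the two
records quoted in the bug (description and comment 8).
"""
import re
from collections import Counter

# Constructed sample log: the two AVC records quoted in the bug, plus one
# SYSCALL record so the parser has to skip a non-AVC line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1416223986.24:661): avc:  denied  { search } for  pid=4465 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=21098 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1416223986.24:661): arch=x86_64 syscall=bind success=no exit=EACCES comm=openvpn exe=/usr/sbin/openvpn
type=AVC msg=audit(1416470579.476:494): avc:  denied  { connectto } for  pid=3206 comm="nm-openvpn-serv" path="/run/NetworkManager/nm-openvpn-4c73ea1d-b59d-49dc-96ef-7b1a58e2137f" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=unix_stream_socket permissive=0
"""

# Header of an AVC record: timestamp:serial, result, and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be double-quoted (comm, name, path).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        # permissive=1 means the access was logged but not blocked.
        'permissive': fields.get('permissive') == '1',
    }


def type_of(context):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return context.split(':')[2]


def setroubleshoot_hash(rec):
    """comm,source type,target type,class,perm... as on the page's 'Hash:' lines."""
    return ','.join([rec['comm'], type_of(rec['scontext']),
                     type_of(rec['tcontext']), rec['tclass']] + rec['perms'])


def allow_rule(rec):
    """The TE allow rule audit2allow would generate for this single denial."""
    perms = rec['perms']
    perm_set = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (type_of(rec['scontext']),
                                    type_of(rec['tcontext']),
                                    rec['tclass'], perm_set)


def denials(log_text):
    """All enforced denials in the log, in order."""
    return [r for r in (parse_avc(l) for l in log_text.splitlines())
            if r and r['result'] == 'denied' and not r['permissive']]


def alert_counts(log_text):
    """Count denials per setroubleshoot hash (the page's 'Alert Count')."""
    return Counter(setroubleshoot_hash(r) for r in denials(log_text))


if __name__ == '__main__':
    for rec in denials(SAMPLE_AUDIT_LOG):
        print(setroubleshoot_hash(rec))
        print('   ', allow_rule(rec))
```

Running it over the sample reproduces the page's two hash lines and, for the second record, exactly the `allow NetworkManager_t openvpn_t:unix_stream_socket connectto;` rule that Nils put into his local module. The practical point when triaging a denial like this: a rule generated from the AVC grants only the one class/permission pair between the two domains involved, whereas the boolean setroubleshoot suggested with 89% confidence (daemons_enable_cluster_mode) is a broad, system-wide switch. Prefer the narrow rule as a stopgap and file the bug, which is what happened here and what the -99 policy build fixed.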
Comment 9 Sumit Bose 2014-11-20 10:17:32 UTC
I can confirm that with selinux-policy-3.13.1-98 and daemons_enable_cluster_mode on, my OpenVPN issues are gone.

If daemons_enable_cluster_mode is off, I see the same warnings as Nils.

Comment 10 Lukas Vrabec 2014-11-20 10:29:27 UTC
commit 7f138069a05a7940b0da1578d12f703d978b7020
Author: Lukas Vrabec <lvrabec>
Date:   Thu Nov 20 11:27:57 2014 +0100

    Allow NetworkManager stream connect on openvpn. BZ(1165110)

Comment 11 Sumit Bose 2014-11-20 11:55:47 UTC
Thank you, with selinux-policy-3.13.1-99.fc21 OpenVPN works even if daemons_enable_cluster_mode is off.

Comment 12 Fedora Update System 2014-11-21 12:24:10 UTC
selinux-policy-3.13.1-99.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-99.fc21

Comment 13 Rui Gouveia 2014-11-24 10:08:11 UTC
Description of problem:
Trying to connect office VPN.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Comment 14 Lukas Vrabec 2014-11-24 10:46:53 UTC
selinux-policy-3.13.1-99.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-99.fc21

Comment 15 Adam Williamson 2014-11-28 01:32:18 UTC
Proposing as a freeze exception - without this, people will hit AVCs trying to setup OpenVPN connections from the Workstation live.

Comment 16 Dennis Gilmore 2014-11-28 01:36:09 UTC
+1 to Freeze Exception

Comment 17 d. johnson 2014-11-28 02:24:12 UTC
+1 to Freeze Exception

Ensuring that a user can VPN from the live image is a common use case.

Comment 18 Adam Williamson 2014-11-28 02:28:58 UTC
I figure this is fairly non-controversial so +3 from me, Dennis and d johnson (another QA folk) seems like enough to say AcceptedFreezeException, let's get it in RC1.

Comment 19 Mike Ruckman 2014-11-28 02:40:27 UTC
+1 FE for me as well.

Comment 20 Ulrich Drepper 2014-11-28 12:17:35 UTC
Description of problem:
I set up openvpn after I installed the machine.  Using the networkmanager GUI (Gnome) worked, I could start and stop the connection.  Now after some updates and/or reboots I get the SELinux error.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-300.fc21.x86_64
type:           libreport

Comment 21 Ulrich Drepper 2014-11-28 12:26:38 UTC
3.13.1-100 indeed seems to fix the issue and nothing negative is observed either.

Comment 22 Lukas Vrabec 2014-11-28 13:00:58 UTC
Everything should be fine with this build selinux-policy-3.13.1-99.fc21.
http://koji.fedoraproject.org/koji/buildinfo?buildID=594484

Comment 23 Adam Williamson 2014-11-29 04:08:32 UTC
yes, this was nominated as FE so we could put -99 in Final RC1, basically.

Comment 24 Jared Smith 2014-11-30 13:45:05 UTC
Description of problem:
Trying to connect with OpenVPN

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Comment 25 Jared Smith 2014-11-30 13:49:09 UTC
Description of problem:
Attempting to connect to a VPN using NetworkManager-OpenVPN

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Comment 26 Fedora Update System 2014-12-03 17:15:32 UTC
selinux-policy-3.13.1-99.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Gareth Williams 2014-12-07 22:18:11 UTC
Description of problem:
Attempted to connect to OpenVPN server from NetworkManger and SELinux Alert popped up.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-300.fc21.x86_64
type:           libreport
