Revision history
initial version

Running openvpn without making Dan Walsh cry

I'm trying to run OpenVPN under Fedora 19 with selinux (selinux-policy-targeted) in enforcing mode, and I'm running into an AVC I'm not entirely sure how to handle.

Starting OpenVPN from the command line as root works fine, but starting it via systemd (systemctl start openvpn@vpcbridge, where /etc/openvpn/vpcbridge.conf exists) results in:

  ERROR: Cannot ioctl TUNSETIFF tap0: Permission denied (errno=13)

And in /var/log/audit:

  type=AVC msg=audit(1376412420.435:60): avc:  denied  { relabelfrom } for
  pid=720 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0
  tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket

For reference, here's the OpenVPN configuration:

  port 1194
  user openvpn
  dev tap0
  proto udp
  secret vpcbridge.key
  keepalive 10 120
  persist-tun
  persist-key

If I run audit2allow, I get a module file that looks like this:

  module openvpn 1.0;

  require {
        type openvpn_t;
        type ifconfig_t;
        class tun_socket relabelfrom;
  }

  #============= openvpn_t ==============
  allow openvpn_t ifconfig_t:tun_socket relabelfrom;

But loading that generates an error:

  # semodule -i openvpn.pp
  libsepol.print_missing_requirements: openvpn's global requirements were
  not met: type/attribute openvpn_t (No such file or directory).
  libsemanage.semanage_link_sandbox: Link packages failed (No such file or
  directory).
  semodule:  Failed!

I'm not sure what to do with this error.
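The `semodule -i openvpn.pp` failure above is a naming collision: the generated module is called `openvpn`, which is also the name of the policy module the distribution ships, and installing a local module under that name replaces the shipped one, so the `openvpn_t` type the new module requires no longer exists at link time (`semodule -l` lists the installed module names). The following is an added example, not code from the question or from Fedora's tooling: it parses AVC records of the shape shown above, checks the requested module name against a constructed list of installed modules, and emits a `.te` file in the same layout `audit2allow` produces, under a non-colliding name. The sample audit text and the `INSTALLED_MODULES` set are constructed for the example; the rule it emits should still be reviewed before loading, since it grants exactly what the denial asked for.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC record from the question, wrapped across three
# lines the way the forum formatter shows it.
SAMPLE_AUDIT = """type=AVC msg=audit(1376412420.435:60): avc:  denied  { relabelfrom } for
pid=720 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0
tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket
"""

# Constructed short list of module names already installed in the policy store.
# Installing a local module with one of these names replaces the shipped module,
# which is what makes `semodule -i openvpn.pp` report that openvpn_t is missing.
# On a real host, build this set from the output of `semodule -l`.
INSTALLED_MODULES = {"openvpn", "ifconfig", "base"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Denial:
    source_type: str
    target_type: str
    tclass: str
    perms: tuple


def _type_of(context: str) -> str:
    # A context is user:role:type[:range]; the type is the third field.
    return context.split(":")[2]


def parse_avc(text: str) -> list:
    """Parse every AVC denial record in `text`, rejoining wrapped lines first."""
    denials = []
    for record in re.split(r"(?=type=AVC)", text):
        flat = " ".join(record.split())  # collapse line wraps and double spaces
        m = AVC_RE.search(flat)
        if not m:
            continue
        denials.append(Denial(
            source_type=_type_of(m.group("scontext")),
            target_type=_type_of(m.group("tcontext")),
            tclass=m.group("tclass"),
            perms=tuple(m.group("perms").split()),
        ))
    return denials


def choose_module_name(requested: str, installed) -> str:
    """Return `requested` unless it would replace an installed module."""
    name = requested
    while name in installed:
        name = "local_" + name
    return name


def _perm_list(perms) -> str:
    # audit2allow writes a bare name for one permission, braces for several.
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(denials, module_name: str, version: str = "1.0") -> str:
    """Emit policy module source in the same shape audit2allow produces."""
    types = sorted({d.source_type for d in denials} | {d.target_type for d in denials})
    classes = {}
    for d in denials:
        classes.setdefault(d.tclass, set()).update(d.perms)
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_perm_list(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for d in denials:
        lines.append(f"allow {d.source_type} {d.target_type}:{d.tclass} {_perm_list(d.perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT)
    name = choose_module_name("openvpn", INSTALLED_MODULES)
    print(generate_te(found, name))
```

Save the printed source as `local_openvpn.te`, then build and load it with the standard toolchain: `checkmodule -M -m -o local_openvpn.mod local_openvpn.te`, `semodule_package -o local_openvpn.pp -m local_openvpn.mod`, `semodule -i local_openvpn.pp`. Because the module name no longer matches the shipped `openvpn` module, the link step finds `openvpn_t` and the install succeeds, and the rule stays a small, separately removable addition on top of the distribution policy.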

Later revision: title changed to "Openvpn and selinux issues" (body unchanged).