
Openvpn and selinux issues

asked 2013-08-13 13:28:41 -0500 by larsks

updated 2013-08-13 19:11:34 -0500 by FranciscoD_

I'm trying to run OpenVPN under Fedora 19 with selinux (selinux-policy-targeted) in enforcing mode, and I'm running into an AVC I'm not entirely sure how to handle.

Starting OpenVPN from the command line as root works fine, but starting it via systemd (systemctl start openvpn@vpcbridge, where /etc/openvpn/vpcbridge.conf exists) results in:

  ERROR: Cannot ioctl TUNSETIFF tap0: Permission denied (errno=13)

And in /var/log/audit:

  type=AVC msg=audit(1376412420.435:60): avc:  denied  { relabelfrom } for
  pid=720 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0
  tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket

For reference, here's the OpenVPN configuration:

  port 1194
  user openvpn
  dev tap0
  proto udp
  secret vpcbridge.key
  keepalive 10 120

If I run audit2allow, I get a module file that looks like this:

  module openvpn 1.0;

  require {
        type openvpn_t;
        type ifconfig_t;
        class tun_socket relabelfrom;
  }

  #============= openvpn_t ==============
  allow openvpn_t ifconfig_t:tun_socket relabelfrom;

But loading that generates an error:

  # semodule -i openvpn.pp
  libsepol.print_missing_requirements: openvpn's global requirements were
  not met: type/attribute openvpn_t (No such file or directory).
  libsemanage.semanage_link_sandbox: Link packages failed (No such file or
  semodule:  Failed!

I'm not sure what to do with this error.


2 Answers


answered 2013-08-14 06:09:37 -0500 by domg472

updated 2013-08-14 06:33:58 -0500

The problem is that you are trying to overwrite the existing openvpn policy module by naming your policy module the same, and trying to install it.

Good thing it fails ;)

The issue in more details is the following:

You require type openvpn_t in your openvpn policy module. Your module uses the same name "openvpn" as the existing openvpn policy module.

So you are effectively trying to overwrite the openvpn module with a module that actually depends on a type declared in that module, by trying to install it.

So semodule fails and says: the type used in this module is not available (and that's true, because you are trying to overwrite the module that has it declared).

The solution is to use a unique name for your module, for example:

  echo 'avc:  denied  { relabelfrom } for pid=720 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket' | audit2allow -M myopenvpn; sudo semodule -i myopenvpn.pp
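The naming collision described in this answer can be avoided mechanically. The script below is an added example, not code from the thread or from the SELinux tools: it parses a single AVC record into the `.te` source that audit2allow would produce, but first picks a module name that does not appear in the list of loaded modules (the `local_<domain>` naming and the `_2`, `_3` suffixes are my convention, not a Fedora one). The AVC line is the one from the question; the "installed modules" list stands in for `semodule -l` output and is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: build a local SELinux policy module from one AVC denial
# without reusing the name of an already-loaded module (e.g. "openvpn").
# Inputs are constructed inline; on a real host feed it `ausearch -m avc`
# and `semodule -l` instead.

# Constructed input: the denial from the question.
AVC_LINE='type=AVC msg=audit(1376412420.435:60): avc:  denied  { relabelfrom } for pid=720 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket'

# Constructed stand-in for `semodule -l` (one module name per line).
INSTALLED_MODULES='base
ifconfig
openvpn
sandbox'

# avc_field LINE KEY: value of KEY=value in an AVC record (scontext, tclass, ...).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# context_type CONTEXT: the type, i.e. the third field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the denied permissions listed between "{" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# module_name_is_free NAME LIST: succeed only if NAME is not a loaded module.
module_name_is_free() {
    ! printf '%s\n' "$2" | grep -qx -- "$1"
}

# unique_module_name DOMAIN LIST: "local_<domain>" (hypothetical convention),
# with a numeric suffix appended until the name is free.
unique_module_name() {
    base="local_${1%_t}"
    name=$base
    n=1
    while ! module_name_is_free "$name" "$2"; do
        n=$((n + 1))
        name="${base}_$n"
    done
    printf '%s\n' "$name"
}

# gen_te NAME LINE: policy source granting exactly the access denied in LINE.
# The require block references openvpn_t, so NAME must not be "openvpn".
gen_te() {
    s=$(context_type "$(avc_field "$2" scontext)")
    t=$(context_type "$(avc_field "$2" tcontext)")
    class=$(avc_field "$2" tclass)
    perms=$(avc_perms "$2")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
        "$1" "$s" "$t" "$class" "$perms" "$s" "$t" "$class" "$perms"
}

domain=$(context_type "$(avc_field "$AVC_LINE" scontext)")
name=$(unique_module_name "$domain" "$INSTALLED_MODULES")
gen_te "$name" "$AVC_LINE"
# On a real host the generated text would be saved as "$name.te" and then:
#   checkmodule -M -m -o "$name.mod" "$name.te"
#   semodule_package -o "$name.pp" -m "$name.mod"
#   semodule -i "$name.pp"
```

With the constructed module list the script names the module `local_openvpn`; if that name were already loaded it would move on to `local_openvpn_2`, so the `require { type openvpn_t; }` block never ends up inside a module that replaces the one declaring `openvpn_t`.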

answered 2013-08-13 19:10:53 -0500 by FranciscoD_

If generating a policy doesn't work, you should file a bug and let selinux upstream take a look at it. They are generally very very quick with fixes once a bug is filed. I recommend you file a bug using the sealert tool.

