openvpn on fedora 7
Matthew Gillen
matt at gillens.us
Fri Jun 8 17:17:25 UTC 2007
Philip Tricca wrote:
> Matthew Gillen wrote:
>> I had to add the following module before openvpn would work. The first
>> issue was that openvpn didn't have permission to write a .pid file to
>> /var/run/openvpn. The other problem seemed to be that a TCP socket could
>> not be created (the name_connect part).
>>
>> The dac_override is something that I don't get. Why would openvpn
>> need that?
>> Unix permissions problems?
>
> I believe "dac_override" means that a process running as root is trying
> to violate the DAC policy. Consider a file owned by user Alice with rw
> permissions for the owner, all else denied (600). Historically the root
> user is identified by the kernel and all DAC checks are bypassed.
> SELinux prevents processes running with root's uid from doing such
> things. This is a good example of SELinux attempting to turn root into
> just another regular user.
That's pretty cool.
> I've run into these things when my daemon, which is typically run as a
> lesser privileged user, is run as root. dac_override avcs were
> generated for reading all of the config files and writing to the log
> files (the ones that were already created).
Ok, so probably the unix permissions on /var/run/openvpn are messed up, where
it's owned by the openvpn user but it writes the pid file while running as
root before it drops privs. So if I fixed the unix perms I could probably
purge the dac_override part.
Thanks for the explanation.
Matt
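To make the DAC reasoning in this thread concrete, here is an added example (not code from the thread or from openvpn) that models the plain Unix permission check a root process bypasses only through CAP_DAC_OVERRIDE, and uses it to show why a pid-file write into a directory owned by the openvpn user raises a dac_override AVC while the same write into a root-owned directory does not. The AVC line, the uid 499 and the directory modes are constructed sample values.

```python
import re

# Constructed sample AVC line in audit.log style (capability=1 is CAP_DAC_OVERRIDE).
SAMPLE_AVC = (
    'type=AVC msg=audit(1181323045.123:45): avc:  denied  { dac_override } '
    'for  pid=2841 comm="openvpn" capability=1 '
    'scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:system_r:openvpn_t:s0 tclass=capability'
)

def parse_avc(line):
    """Pull the denied permissions, command, pid and class out of one AVC line."""
    perms = re.search(r'denied\s+\{ ([^}]+) \}', line)
    comm = re.search(r'comm="([^"]+)"', line)
    pid = re.search(r'\bpid=(\d+)', line)
    tclass = re.search(r'tclass=(\S+)', line)
    return {
        "perms": perms.group(1).split() if perms else [],
        "comm": comm.group(1) if comm else None,
        "pid": int(pid.group(1)) if pid else None,
        "tclass": tclass.group(1) if tclass else None,
    }

def dac_allows(euid, egids, file_uid, file_gid, mode, want):
    """Plain Unix DAC check: pick owner/group/other bits, require every bit in `want`."""
    if euid == file_uid:
        shift = 6            # owner bits
    elif file_gid in egids:
        shift = 3            # group bits
    else:
        shift = 0            # other bits
    bits = (mode >> shift) & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need

def root_needs_dac_override(file_uid, file_gid, mode, want):
    """True when uid 0 is only allowed `want` on the object by overriding DAC.
    Under SELinux that override is the audited dac_override capability.
    (Read-only and directory-search denials may be satisfied by
    dac_read_search instead; write access always falls through to dac_override.)"""
    return not dac_allows(0, {0}, file_uid, file_gid, mode, want)

# Scenario from the thread: /var/run/openvpn owned by the openvpn user (uid 499 here,
# constructed), mode 0755; openvpn still runs as root when it writes the pid file.
PID_DIR_OWNED_BY_OPENVPN = root_needs_dac_override(499, 499, 0o755, "w")  # True
PID_DIR_OWNED_BY_ROOT = root_needs_dac_override(0, 0, 0o755, "w")         # False
```

Fixing the ownership (so the writer of the pid file matches the directory owner) removes the need for the capability, which is why the dac_override rule can then be dropped from the local module.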