openvpn on fedora 7

Daniel J Walsh dwalsh at redhat.com
Mon Jun 11 18:13:52 UTC 2007


Matthew Gillen wrote:
> Philip Tricca wrote:
>   
>> Matthew Gillen wrote:
>>     
>>> I had to add the following module before openvpn would work.  The
>>> first issue
>>> was that openvpn didn't have permission to write a .pid file to
>>> /var/run/openvpn.  The other problem seemed to be that a TCP socket
>>> could not
>>> be created (the name_connect part).
>>>
>>> The dac_override is something that I don't get.  Why would openvpn
>>> need that?
>>>  Unix permissions problems?
>>>       
>> I believe "dac_override" means that a process running as root is trying
>> to violate the DAC policy.  Consider a file owned by user Alice with rw
>> permissions for the owner, all else denied (600).  Historically the root
>> user is identified by the kernel and all DAC checks are bypassed.
>> SELinux prevents processes running with root's uid from doing such
>> things.  This is a good example of SELinux attempting to turn root into
>> just another regular user.
>>     
>
> That's pretty cool.
>
>   
>> I've run into these things when my daemon, which is typically run as a
>> lesser privileged user, is run as root.  dac_override avcs were
>> generated for reading all of the config files and writing to the log
>> files (the ones that were already created).
>>     
>
> Ok, so probably the unix permissions on /var/run/openvpn are messed up, where
> it's owned by the openvpn user but it writes the pid file while running as
> root before it drops privs.  So if I fixed the unix perms I could probably
> purge the dac_override part.
>
> Thanks for the explanation.
>
> Matt
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
I have added these rules to selinux-policy-2.6.4-14
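The thread above turns on two separate things: what a `dac_override` AVC denial actually means, and why fixing the Unix ownership of `/var/run/openvpn` can make the denial disappear without any policy change. The following Python example is added here and is not part of the original mail, the openvpn project, or selinux-policy. It parses a few constructed `audit.log` lines in the standard AVC format (the SELinux type names and pids in them are illustrative, not taken from a real system), tallies the denials per object class and permission, and then reproduces the classic DAC check for root so you can see, for a given directory mode and owner, whether root would have to invoke CAP_DAC_OVERRIDE to write there. Function names (`parse_audit_log`, `dac_allows`, `root_needs_dac_override`, `triage`) are my own.

```python
import re
from collections import Counter

# Constructed sample lines in the standard AVC denial format; not from the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181585632.123:101): avc:  denied  { dac_override } for  pid=2410 comm="openvpn" capability=1 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
type=AVC msg=audit(1181585632.125:102): avc:  denied  { write } for  pid=2410 comm="openvpn" name="openvpn" dev=tmpfs ino=9876 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir
type=AVC msg=audit(1181585640.001:103): avc:  denied  { name_connect } for  pid=2410 comm="openvpn" dest=1194 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1181585640.001:103): arch=c000003e syscall=42 success=no exit=-13
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_log(text):
    """Return one dict per AVC denial line: {'perms': [...], 'fields': {...}}.
    Non-AVC records (SYSCALL, PATH, ...) are skipped."""
    entries = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        entries.append({'perms': m.group('perms').split(), 'fields': fields})
    return entries


def summarize(entries):
    """Count denials as (tclass, permission) pairs, the shape audit2allow works from."""
    counts = Counter()
    for e in entries:
        for perm in e['perms']:
            counts[(e['fields'].get('tclass', '?'), perm)] += 1
    return counts


def dac_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """Plain Unix DAC check for want in {'r','w','x'} with NO root bypass.
    The bypass root normally gets is exactly what CAP_DAC_OVERRIDE grants, and
    what SELinux reports as a dac_override denial when the domain lacks it."""
    bit = {'r': 4, 'w': 2, 'x': 1}[want]
    if uid == owner_uid:
        shift = 6            # owner triplet
    elif owner_gid in gids:
        shift = 3            # group triplet
    else:
        shift = 0            # "other" triplet
    return bool((mode >> shift) & bit)


def root_needs_dac_override(mode, owner_uid, owner_gid, want):
    """True when a process running as uid 0 (no supplementary groups assumed)
    would need dac_override to get `want` on an object with this mode/owner."""
    return not dac_allows(mode, owner_uid, owner_gid, 0, {0}, want)


def triage(entries):
    """Defender-side reading of each denial: what to check before adding an allow rule."""
    advice = []
    for e in entries:
        comm = e['fields'].get('comm', '?')
        for perm in e['perms']:
            if perm == 'dac_override':
                msg = 'root hit a DAC wall: check owner/mode of files it touches before privs drop'
            elif perm == 'name_connect':
                msg = 'check the port label (tcontext) and whether the domain may connect to it'
            else:
                msg = 'check the file label (tcontext) against the domain expected to use it'
            advice.append((comm, perm, msg))
    return advice


if __name__ == '__main__':
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, n in sorted(summarize(found).items()):
        print(f'{n:3d}  {key[0]}:{key[1]}')
    for comm, perm, msg in triage(found):
        print(f'{comm} {perm}: {msg}')
    # The /var/run/openvpn scenario from the thread: directory owned by the openvpn
    # user (uid 1001 here, constructed) with mode 0700, pid file written by root.
    print('root needs dac_override for 0700 dir owned by uid 1001:',
          root_needs_dac_override(0o700, 1001, 1001, 'w'))
    # Same directory owned by root: ordinary DAC permits the write, no override needed.
    print('root needs dac_override for 0755 dir owned by root:',
          root_needs_dac_override(0o755, 0, 0, 'w'))
```

The DAC check is the point: `dac_allows` with `uid=0` and no bypass is what root looks like under a policy that withholds `dac_override`, so the cheapest fix for such a denial is usually the one Matthew describes, making the object's owner or mode match the uid that really touches it, and keeping the policy rule for cases where that is not possible.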