Centos 5 + RPMForge : SELinux block OpenVPN form using

Daniel J Walsh dwalsh at redhat.com
Sat Dec 6 11:37:26 UTC 2008



Manuel Wolfshant wrote:
> On 12/06/2008 01:17 PM, Manuel Wolfshant wrote:
>> On 12/06/2008 11:05 AM, Paul Howarth wrote:
>>> On Fri, 5 Dec 2008 23:13:13 -0600
>>> "Arthur Pemberton" <pemboa at gmail.com> wrote:
>>>
>>>  
>>>> Audit message is:
>>>>
>>>> host=moriarty type=AVC msg=audit(1228539599.507:62): avc:  denied  { execstack } for  pid=4737 comm="openvpn" scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:system_r:openvpn_t:s0 tclass=process
>>>>
>>>> host=moriarty type=SYSCALL msg=audit(1228539599.507:62): arch=40000003 syscall=125 success=no exit=-13 a0=bfd77000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=4727 pid=4737 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
>>>>
>>>> setroubleshoot had no suggestion. This only happens when the init
>>>> script is used. Direct invocation of openvpn as root does not cause
>>>> this.
>>>>
>>>> This Google search suggests that this is a fairly popular problem with
>>>> no published solution (that I've seen):
>>>> http://www.google.com/search?q=liblzo2.so.2%3A+cannot+enable+executable+stack+as+shared+object+requires%3A+Permission+denied%22&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
>>>>
>>>>
>>>>     
>>>
>>> Does the same problem happen if you use the lzo and openvpn from EPEL?
>>>   
>> openvpn from EPEL (+ the stack of libs needed and taken from EPEL,
>> too) worked for me fine ever since it has been included over there. I
>> am using openvpn-2.1-0.29.rc15.el5.x86_64 in this very moment.
>> The version from rpmforge did indeed exhibit the same error as Paul
>> has seen (reason for the switch to EPEL, to be honest).
> sorry, I meant "Arthur has seen"
> 
Always better to use the EPEL versions, but you can also try to use
execstack -c to clear the execstack flag.  Usually execstack means an
app was built correctly and does not really need execstack.



