problem with selinux and openvpn

Daniel J Walsh dwalsh at redhat.com
Tue Jun 12 17:05:46 UTC 2007


Roger Grosswiler wrote:
>> Ron Yorston wrote:
>>     
>>> Roger Grosswiler <roger at gwch.net> wrote:
>>>
>>>       
>>>> Since f7, openvpn does no longer run in enforcing mode.
>>>>
>>>> audit2allow brings me this:
>>>>
>>>> require {
>>>>        type openvpn_t;
>>>>        type var_t;
>>>>        type openvpn_var_run_t;
>>>>        type hald_t;
>>>>        type openvpn_etc_t;
>>>>        class file write;
>>>>        class dir { write search add_name };
>>>> }
>>>>
>>>> #============= hald_t ==============
>>>> allow hald_t var_t:dir write;
>>>>
>>>>         
>> This looks like a labeling problem.
>>
>> Try this
>>
>> restorecon -R -v /var
>>     
>>>> #============= openvpn_t ==============
>>>> allow openvpn_t openvpn_etc_t:file write;
>>>>
>>>>         
>> This looks like a bug in openvpn
>>     
>>>> allow openvpn_t openvpn_var_run_t:dir { write search add_name };
>>>>
>>>>
>>>> How can I get this in, so I get it running?
>>>>
>>>>         
>>> There was a thread about this on the fedora-selinux mailing list
>>> recently which might help:
>>>
>>>   https://www.redhat.com/archives/fedora-selinux-list/2007-June/msg00048.html
>>>
>>> Ron
>>>
>>>
>>>       
>> You should probably update to selinux-policy-2.6.4-13
>>
>>
>>
>>     
> Ron:
> No, in /etc/openvpn I have the ipp.txt and another file to log and indicate the allowed
> and routed subnets.
>
> Dan:
> I have that policy installed. You mean selinux-policy-2.6.4-14 perhaps? I've seen a
> thread via the previously sent link, that you put the above information into the new
> policy file.
>
> Roger
>
>
>   
Not quite sure what these files are but it would be better to not have 
writable files in /etc.  Daemons should be writing to /var/log/daemon/ 
or /var/run
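Added example, not part of the thread: a small Python triage helper that parses the audit2allow output quoted above and sorts each allow rule into the two diagnoses Dan gives (a generic target type such as var_t points to mislabeling, fixed with restorecon; a daemon writing to its own _etc_t type points to a writable file under /etc) plus a third bucket for access to the daemon's own runtime type, which the reply suggests a newer selinux-policy covers. The heuristic rules and the sample text embedded below are my assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the audit2allow output quoted in the thread.
SAMPLE = """require {
       type openvpn_t;
       type var_t;
       type openvpn_var_run_t;
       type hald_t;
       type openvpn_etc_t;
       class file write;
       class dir { write search add_name };
}
#============= hald_t ==============
allow hald_t var_t:dir write;
#============= openvpn_t ==============
allow openvpn_t openvpn_etc_t:file write;
allow openvpn_t openvpn_var_run_t:dir { write search add_name };
"""

# Assumption: a daemon's own files should never carry these directory-default
# labels; seeing one as a target usually means the tree was not relabeled.
GENERIC_TYPES = {"var_t", "var_run_t", "var_log_t", "etc_t", "usr_t"}
WRITE_PERMS = {"write", "add_name", "remove_name", "create", "append"}

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);")

def parse_allow_rules(text: str) -> List[Tuple[str, str, str, set]]:
    """Return (source, target, class, perms) for each allow rule in audit2allow output."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            perms = set(m.group(4).strip("{} ").split())
            rules.append((m.group(1), m.group(2), m.group(3), perms))
    return rules

def triage(rule: Tuple[str, str, str, set]) -> str:
    """Classify one rule using the heuristics from the thread (assumed, not exhaustive)."""
    src, tgt, cls, perms = rule
    domain = src[:-2] if src.endswith("_t") else src
    if tgt in GENERIC_TYPES:
        return "labeling: target carries a generic type; run restorecon -R on that tree"
    if tgt == f"{domain}_etc_t" and perms & WRITE_PERMS:
        return "daemon writes into /etc: move the writable file to /var/run or /var/log"
    if tgt.startswith(domain + "_") and perms & WRITE_PERMS:
        return "write to the daemon's own runtime type: likely a policy gap, update selinux-policy"
    return "needs manual review"

def triage_all(text: str) -> Dict[str, str]:
    """Map 'source target:class' to its diagnosis for every rule in the text."""
    return {f"{s} {t}:{c}": triage((s, t, c, p)) for s, t, c, p in parse_allow_rules(text)}
```

Running triage_all(SAMPLE) reproduces the three verdicts from the thread; only the first bucket is safe to "fix" without touching policy, the other two are a reason to change the daemon's file layout or update the policy package rather than to load the generated module as-is.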
