AVC denied messages for openvpn and procmail

Daniel J Walsh dwalsh at redhat.com
Mon Nov 27 19:49:54 UTC 2006


Tony Molloy wrote:
> Hi,
>
> I'm trying to get up to speed on SElinux so sorry for being so long.
>
> I've managed to get rid of various avc denied messages. However I'm 
> getting the following two AVC denied messages from setroubleshoot. They 
> are not causing any problems but I would like to know how to go about 
> getting rid of them. Would I need to have some sort of local policy?
>
> I'll include the complete message here.
>
>   
>> Summary
>>     
>
>   
>> SELinux is preventing /sbin/ifconfig (ifconfig_t) "write" 
>> to /etc/openvpn/openvpn.log (openvpn_etc_t).
>>     
>
>   
>> Detailed Description
>>     
>
>   
>> SELinux denied access requested by /sbin/ifconfig. It is not expected 
>> that this access is required by /sbin/ifconfig and this access may 
>> signal an intrusion attempt. It is also possible that the specific 
>> version or configuration of the application is causing it to require 
>> additional access.
>>     
>
>   
>> Allowing Access
>>     
>
>   
>> Sometimes labeling problems can cause SELinux denials. You could try to 
>> restore the default system file context for /etc/openvpn/openvpn.log, 
>> restorecon -v /etc/openvpn/openvpn.log If this does not work, there is 
>> currently no automatic way to allow this access. Instead, you can 
>> generate a local policy module to allow this access - see FAQ Or you can 
>> disable SELinux protection altogether. Disabling SELinux protection is 
>> not recommended. Please file a bug report against this package.
>>     
>
>   
>> Additional Information
>>     
>
>   
>> Source Context	system_u:system_r:ifconfig_t:s0
>> Target Context	system_u:object_r:openvpn_etc_t:s0
>> Target Objects	/etc/openvpn/openvpn.log [ file ]
>> Affected RPM Packages	net-tools-1.60-73 [application]
>> Policy RPM	selinux-policy-2.4.3-10.fc6
>> Selinux Enabled	True
>> Policy Type	targeted
>> MLS Enabled	True
>> Enforcing Mode	Enforcing
>> Plugin Name	plugins.catchall
>> Host Name	localhost
>> Platform	Linux localhost 2.6.18-1.8492.fc6 #1 SMP Fri Nov 10 12:45:28 EST 
>> 2006 i686 i686
>>     
>
>   
>> Raw Audit Messages
>>     
>
>   
>> avc: denied { write } for comm='"ifconfig"' dev='sda10' egid='0' euid='0' 
>> exe='"/sbin/ifconfig"' exit='0' fsgid='0' fsuid='0' gid='0' items='0' 
>> name='"openvpn.log"' path='"/etc/openvpn/openvpn.log"' pid='2983' 
>> scontext=system_u:system_r:ifconfig_t:s0 sgid='0' 
>> subj='system_u:system_r:ifconfig_t:s0' suid='0' tclass='file' 
>> tcontext=system_u:object_r:openvpn_etc_t:s0 tty='(none)' uid='0' 
>>     
>
> This is on a laptop. I tried "restorecon -v /etc/openvpn/openvpn.log" but 
> since openvpn.log is recreated on each boot it's always going to 
> have the wrong label. How can I get rid of this?
>   
This is a bug in openvpn.  Please report to them that they are leaking 
the open file descriptor to their log file.  Basically it is leaking a 
file descriptor which is causing this access.  This is not really a 
problem, in that ifconfig does not need this access to function 
correctly.  You can tell setroubleshoot to ignore the message and it 
will stop bothering you, until openvpn fixes their problem.
>
>
>   
>> Summary
>>     
>
>   
>> SELinux is preventing access to files with the default label, default_t.
>>     
>
>   
>> Detailed Description
>>     
>
>   
>> These files have the default label on them. This can indicate a labeling 
>> problem, especially if the files being referred to are not top level 
>> directories. IE everything under /usr, /var. /dev, /tmp, ... should not 
>> be labeled with the default label. The default label is for files who do 
>> not have a label on a parent directory. So if you create a new directory 
>> in / you might legitimately get this label.
>>     
>
>   
>> Allowing Access
>>     
>
>   
>> If you want a confined domain to use these files you will probably need 
>> to relabel the file/directory with chcon. In some cases it is just 
>> easier to relabel the system, to relabel execute: "touch /.autorelabel; 
>> reboot"
>>     
>
>   
>> Additional Information
>>     
>
>   
>> Source Context	system_u:system_r:procmail_t:s0
>> Target Context	system_u:object_r:default_t:s0
>> Target Objects	/ [ dir ]
>> Affected RPM Packages	procmail-3.22-17.1 [application]filesystem-2.4.0-1 
>> [target]
>> Policy RPM	selinux-policy-2.4.3-10.fc6
>> Selinux Enabled	True
>> Policy Type	targeted
>> MLS Enabled	True
>> Enforcing Mode	Enforcing
>> Plugin Name	plugins.default
>> Host Name	localhost
>> Platform	Linux localhost 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST 
>> 2006 i686 i686
>>     
>
>   
>> Raw Audit Messages
>>     
>
>   
>> avc: denied { search } for comm='"procmail"' dev='sda8' egid='12' 
>> euid='0' exe='"/usr/bin/procmail"' exit='-13' fsgid='12' fsuid='0' 
>> gid='12' items='0' name='"/"' pid='3112' 
>> scontext=system_u:system_r:procmail_t:s0 sgid='12' 
>> subj='system_u:system_r:procmail_t:s0' suid='0' tclass='dir' 
>> tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0' 
>>     
>
>
> Again I tried "touch /.autorelabel; reboot" but I keep getting the avc 
> denied message.
>
> Regards,
>
> Tony
>   

/ should be labeled root_t? not default_t?

ls -lZd /
restorecon /
ls -lZd /
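As an added illustration of the descriptor leak described in the first reply above (this is example code written for this page, not code from the thread, from OpenVPN or from net-tools): a daemon that opens its log without the close-on-exec flag hands that open file to every program it exec()s, so the exec'd /sbin/ifconfig ends up holding a writable fd on openvpn.log and SELinux records a write from ifconfig_t to openvpn_etc_t. The file path below is a constructed temp file, not /etc/openvpn.

```c
/* Demonstrates an fd leak across exec() and the two standard fixes:
 * O_CLOEXEC at open() time, or fcntl(F_SETFD, FD_CLOEXEC) afterwards. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Return 1 if fd carries FD_CLOEXEC, 0 if it will survive exec(), -1 on error. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The leaky pattern: the log fd is inherited by anything the daemon execs. */
int open_log_leaky(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* The fixed pattern: the flag is set atomically in the same open() call. */
int open_log_cloexec(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0600);
}

/* For a descriptor that is already open (e.g. handed over by a library):
 * set FD_CLOEXEC after the fact. Returns 0 on success, -1 on error. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

int main(void) {
    char path[] = "/tmp/openvpn-log-demo-XXXXXX";  /* constructed sample path */
    int tmp = mkstemp(path);
    if (tmp < 0) return 1;
    close(tmp);
    int leaky = open_log_leaky(path);
    int fixed = open_log_cloexec(path);
    printf("leaky fd %d cloexec=%d (inherited by exec'd ifconfig)\n",
           leaky, fd_is_cloexec(leaky));
    printf("fixed fd %d cloexec=%d (closed at exec)\n",
           fixed, fd_is_cloexec(fixed));
    set_cloexec(leaky);
    printf("leaky fd after fcntl cloexec=%d\n", fd_is_cloexec(leaky));
    close(leaky);
    close(fixed);
    unlink(path);
    return 0;
}
```

The same check can be run from outside against a live process by looking for a missing close-on-exec flag on the log entry in /proc/PID/fdinfo/N, which is how a defender confirms this class of AVC is a leak rather than an intrusion.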
