openvpn on fedora 7
Philip Tricca
phil at noggle.biz
Fri Jun 8 15:43:54 UTC 2007
Matthew Gillen wrote:
> I had to add the following module before openvpn would work. The first issue
> was that openvpn didn't have permission to write a .pid file to
> /var/run/openvpn. The other problem seemed to be that a TCP socket could not
> be created (the name_connect part).
>
> The dac_override is something that I don't get. Why would openvpn need that?
> Unix permissions problems?
I believe "dac_override" means that a process running as root is trying
to violate the DAC policy. Consider a file owned by user Alice with rw
permissions for the owner, all else denied (600). Historically the root
user is identified by the kernel and all DAC checks are bypassed.
SELinux prevents processes running with root's uid from doing such
things. This is a good example of SELinux attempting to turn root into
just another regular user.
I've run into these things when my daemon, which is typically run as a
lesser privileged user, is run as root. dac_override avcs were
generated for reading all of the config files and writing to the log
files (the ones that were already created).
> Here's the additional policy:
> -----------------------------
> require {
> type openvpn_t;
> type openvpn_port_t;
> type openvpn_var_run_t;
> class capability dac_override;
> class tcp_socket name_connect;
> class dir { write search add_name };
> }
>
> #============= openvpn_t ==============
> allow openvpn_t openvpn_port_t:tcp_socket name_connect;
> allow openvpn_t openvpn_var_run_t:dir { write search add_name };
> allow openvpn_t self:capability dac_override;
> -----------------------------
If I'm wrong here I trust some of the more knowledgeable folks will
chime in and correct me :-)
Cheers,
- Philip
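The quoted policy is the shape of what audit2allow produces from AVC denials like the ones Matthew hit. As an added illustration (not code from the original thread, and not audit2allow itself), the script below parses constructed sample AVC lines for the same three denials, merges them into allow rules with a require block, and flags the capability dac_override rule for review, since the usual root cause is a config, log or pid file that the daemon does not own or cannot read under its own DAC permissions rather than something the policy should grant. The sample lines, PIDs and inode numbers are made up.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials modelled on the three rules in the quoted
# policy; they are not real log lines from the original post.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1181315000.123:45): avc:  denied  { dac_override } for  pid=2300 '
    'comm="openvpn" capability=1 scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:system_r:openvpn_t:s0 tclass=capability',
    'type=AVC msg=audit(1181315000.200:46): avc:  denied  { write add_name } for  pid=2300 '
    'comm="openvpn" name="openvpn" dev=tmpfs ino=9876 scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir',
    'type=AVC msg=audit(1181315000.201:47): avc:  denied  { search } for  pid=2300 '
    'comm="openvpn" name="openvpn" dev=tmpfs ino=9876 scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir',
    'type=AVC msg=audit(1181315000.300:48): avc:  denied  { name_connect } for  pid=2300 '
    'comm="openvpn" dest=1194 scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:object_r:openvpn_port_t:s0 tclass=tcp_socket',
]

# Pull the denied permissions, both contexts and the object class out of one line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """'user:role:type:level' -> 'type' (the level part is optional)."""
    return context.split(':')[2]


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'stype': type_of(m.group('scontext')),
        'ttype': type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def aggregate(lines):
    """Merge denials into {(source type, target, class): set(permissions)}.
    A target whose type equals the source type is written as 'self', which is
    how the dac_override capability rule in the quoted policy comes out."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        target = 'self' if d['ttype'] == d['stype'] else d['ttype']
        rules[(d['stype'], target, d['tclass'])] |= d['perms']
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)


def render_policy(rules):
    """Emit a require block plus allow rules in the style of the quoted policy."""
    types = sorted({k[0] for k in rules} | {k[1] for k in rules if k[1] != 'self'})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = ['require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out += ['}', '']
    for (stype, target, tclass), perms in sorted(rules.items()):
        out.append('allow %s %s:%s %s;' % (stype, target, tclass, fmt_perms(perms)))
    return '\n'.join(out)


def review_notes(rules):
    """Point out rules that usually indicate a file ownership or mode problem
    rather than a gap in the policy."""
    notes = []
    for (stype, target, tclass), perms in rules.items():
        if tclass == 'capability' and 'dac_override' in perms:
            notes.append('%s asks for dac_override: check the ownership and mode of the '
                         'files it reads and writes before allowing root to bypass DAC'
                         % stype)
    return notes


if __name__ == '__main__':
    rules = aggregate(SAMPLE_AVCS)
    print(render_policy(rules))
    for note in review_notes(rules):
        print('# REVIEW:', note)
```

The generated text matches the quoted rules line for line (permission sets are sorted, so the dir rule reads `{ add_name search write }`), and the review note is the part audit2allow does not give you: the dac_override rule is the one to investigate before loading.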