Bug 397863 - net-misc/openvpn: add /var/run/openvpn to be ok with selinux and openvpn-status.log file
Summary: net-misc/openvpn: add /var/run/openvpn to be ok with selinux and openvpn-stat...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: William Hubbs
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2012-01-06 11:20 UTC by Veovis
Modified: 2018-03-10 11:47 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch file (openvpn-ebuild.patch,1.56 KB, patch)
2012-01-06 11:21 UTC, Veovis
fix the run path on a selinux enforced box (openvpn-selinux.patch,963 bytes, patch)
2017-04-04 08:39 UTC, Veovis

Description Veovis 2012-01-06 11:20:07 UTC
This is a tiny patch to create a /var/run/openvpn folder.
Link to patch file: http://pastebin.com/H6UrCaaA

The aim of this folder is to have a selinux-compliant folder in which to store the openvpn-status.log file. This file is specified with the status parameter in the openvpn.conf file.
With this folder and the sec-policy/selinux-openvpn package, the /var/run/openvpn folder is correctly tagged and there are no more access-denied logs from selinux.

Reproducible: Always

Steps to Reproduce:
1. Emerge and configure openvpn-2.1.4 using the 'status' parameter on a selinux machine
2. Run openvpn
3. You get "Jan  6 11:41:08 stormrage kernel: type=1400 audit(1325846468.091:685145): avc:  denied  { write } for  pid=2486 comm="openvpn" path="/etc/openvpn/openvpn-status.log" dev=sda2 ino=3934483 scontext=system_u:system_r:openvpn_t tcontext=system_u:object_r:openvpn_etc_t tclass=file" each time openvpn wants to update this file.
Comment 1 Veovis 2012-01-06 11:21:14 UTC
Created attachment 298079 [details, diff]
Patch file

Adds /var/log/openvpn folder and redirects pid files to this directory.
Comment 2 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2012-01-29 16:28:53 UTC
(In reply to comment #1)
> Created attachment 298079 [details, diff] [details, diff]
> Patch file
> 
> Adds /var/log/openvpn folder and redirects pid files to this directory.

Excuse me, but your patch doesn't make sense. What did you base it on?

% grep var/run openvpn-2.1.4.ebuild
%

% grep VPNPID files/*
files/openvpn-2.1.init:	VPNPID="/var/run/openvpn.${VPN}.pid"
files/openvpn-2.1.init:	VPNPID="/var/run/openvpn.pid"
Comment 3 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2012-01-29 16:29:33 UTC
Oh, nevermind. I now see that your patch was backwards.

It is "diff -u <old> <new>"
Comment 4 Manuel Rüger (RETIRED) gentoo-dev 2016-09-01 12:40:58 UTC
This bug has gotten really old, can you please retry with openvpn-2.3.12 and see if the issue still exists?
Comment 5 Veovis 2017-04-04 08:39:50 UTC
Created attachment 469136 [details, diff]
fix the run path on a selinux enforced box
Comment 6 Veovis 2017-04-04 08:40:10 UTC
You're totally right.
I don't have any selinux box with openvpn right now, but I can see from the current refpolicy that the issue remains.

selinux fc policy from https://github.com/TresysTechnology/refpolicy-contrib/blob/2128180acf3e02131dfb02d7cf1835d0a1f62b1b/openvpn.fc
/run/openvpn(/.*)?	gen_context(system_u:object_r:openvpn_var_run_t,s0)
/run/openvpn\.client.*	--	gen_context(system_u:object_r:openvpn_var_run_t,s0)

current init file:
VPNPID="/var/run/openvpn.${VPN}.pid"
VPNPID="/var/run/openvpn.pid"

I noticed my first patch was wrong for multiple reasons.
I made another patch which creates the /run/openvpn folder the right way.
I haven't tested it yet.

It seems we are shifting from /var/run to /run, so I updated the init to reflect that.
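To make the relationship between the denial quoted in the description and the refpolicy file contexts quoted in comment 6 concrete, here is an added example (not code from the bug, Gentoo, or refpolicy). It parses the AVC line, labels candidate paths with the two quoted file-context rules the way matchpathcon would (assumed: last matching rule wins, no further ordering rules), and shows why the status file is writable once it lives under /run/openvpn; the sample inputs are constructed from the values on this page.

```python
import re
# Constructed sample input: the AVC denial from the description and the two
# file-context lines from comment 6 (paths and types are the ones quoted on the page).
AVC_LINE = ('type=1400 audit(1325846468.091:685145): avc:  denied  { write } for  '
            'pid=2486 comm="openvpn" path="/etc/openvpn/openvpn-status.log" dev=sda2 '
            'ino=3934483 scontext=system_u:system_r:openvpn_t '
            'tcontext=system_u:object_r:openvpn_etc_t tclass=file')
OPENVPN_FC = r"""
/run/openvpn(/.*)?       gen_context(system_u:object_r:openvpn_var_run_t,s0)
/run/openvpn\.client.*  --  gen_context(system_u:object_r:openvpn_var_run_t,s0)
"""

def parse_avc(line):
    """Split an AVC denial into its key=value fields plus the list of denied permissions."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = re.search(r'\{ ([^}]*) \}', line)
    fields['perms'] = perms.group(1).split() if perms else []
    return fields

def context_type(ctx):
    """user:role:type[:level] -> the type component, which is what the policy keys on."""
    return ctx.split(':')[2]

def parse_fc(text):
    """Turn file_contexts lines into (compiled regex, context) pairs; blanks/comments skipped."""
    rules = []
    for parts in (l.split() for l in text.splitlines()):
        if not parts or parts[0].startswith('#'):
            continue
        ctx = re.match(r'gen_context\(([^,]+),', parts[-1]).group(1)
        rules.append((re.compile(parts[0] + '$'), ctx))
    return rules

def expected_type(path, rules):
    """Label a path like matchpathcon (assumption: last matching rule wins); None if uncovered."""
    found = None
    for regex, ctx in rules:
        if regex.match(path):
            found = context_type(ctx)
    return found

def diagnose(avc_line, fc_text):
    """Relate the denial to the policy: the status file under /etc/openvpn carries openvpn_etc_t,
    which openvpn_t may not write; the same name under /run/openvpn gets openvpn_var_run_t."""
    avc, rules = parse_avc(avc_line), parse_fc(fc_text)
    suggested = '/run/openvpn/' + avc['path'].rsplit('/', 1)[-1]
    return {'comm': avc['comm'], 'denied': avc['perms'], 'path': avc['path'],
            'source_type': context_type(avc['scontext']),
            'actual_type': context_type(avc['tcontext']),
            'covered_by_run_policy': expected_type(avc['path'], rules),
            'suggested_path': suggested, 'suggested_type': expected_type(suggested, rules)}
```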