The current openvpn policy allows openvpn_t to manage_dirs, append_files, create_files and setattr_files on openvpn_var_log_t, but it doesn't allow it to 'write' on those files. The status file of openvpn (option status in the configuration file) is not a log file to which logs are appended but one that is rewritten, and thus needs 'write'. Example avc:

avc: denied { write } for pid=23436 comm="openvpn" name="openvpn-status.log" dev="sda1" ino=560037 scontext=staff_u:system_r:openvpn_t tcontext=system_u:object_r:openvpn_var_log_t tclass=file
Is this only for the openvpn-status.log file?
As per the IRC chat: this is only for openvpn-status.log, which is not really a log file but a status file. So it might make sense to use a different type for this (like openvpn_status_t). As the openvpn-status.log file is, by default, in the openvpn log location, we can use a named file transition to make sure this file, if created, always has the right context.
Care to try out the following?

"""
policy_module(extraopenvpn, 0.1)

gen_require(`
	type openvpn_var_log_t;
	type openvpn_t;
')

type openvpn_status_t;
files_log_file(openvpn_status_t)

manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_status_t)
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
"""

Load in this policy, perhaps even remove the openvpn-status.log file and try it again. It *should* automatically save the file as openvpn_status_t (cfr the filetrans) and have write privileges on it (the manage_files_pattern). To ensure that the type isn't relabeled with a system relabel, you might need to run:

semanage fcontext -a -t openvpn_status_t "/var/log/openvpn/openvpn-status.log"

or whatever the path is to the openvpn-status.log file. If it works, and I add it to the policy, you will get a failure when you load the new policy in (duplicate definition of openvpn_status). When that occurs, remember to remove the extraopenvpn (semodule -r extraopenvpn) and retry.
Thanks for the module. I just replaced files_log_file with logging_log_file because I don't have such an interface in my SELinux installation. It works well: the new status file has the right type and openvpn can write to it :) For the file context, I didn't add anything yet. In my installation, the status file appears directly in /var/log/ (no sub-directory). Do you think you could replace, in the current policy:

'''
/var/log/openvpn.*	gen_context(system_u:object_r:openvpn_var_log_t,s0)
'''

with:

'''
/var/log/openvpn-status.log	--	gen_context(system_u:object_r:openvpn_status_t,s0)
/var/log/openvpn.*	gen_context(system_u:object_r:openvpn_var_log_t,s0)
'''

or something like:

'''
/var/log/(.*/)?openvpn-status.log	--	gen_context(system_u:object_r:openvpn_status_t,s0)
/var/log/openvpn.*	gen_context(system_u:object_r:openvpn_var_log_t,s0)
'''

?
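The two comments above give the module in pieces: the .te with the new type and the named file transition, then the file-context line for the relabel case. Below is an added, stand-alone version that puts both together, with the logging_log_file() interface the reporter ended up using, the `(.*/)?` variant of the file context, and the build/load/check steps around it. This is example code written for this page, not the module from the bug or the policy that shipped in r8. Assumptions: the refpolicy devel Makefile lives at /usr/share/selinux/devel/Makefile, and the status file sits under /var/log (directly or in a subdirectory); the avc_key helper is an added triage aid that reduces a denial line to the fields a rule needs and is not part of any SELinux tool.

```shell
#!/bin/sh
# Added example: full extraopenvpn module (.te + .fc), build/load/check steps, and a
# helper to triage the avc line quoted in the bug. Assumed paths: the refpolicy devel
# Makefile under /usr/share/selinux/devel and the status file under /var/log.
set -eu

# Write extraopenvpn.te and extraopenvpn.fc into directory $1.
write_module() {
    dir=$1
    cat >"$dir/extraopenvpn.te" <<'EOF'
policy_module(extraopenvpn, 0.2)

gen_require(`
	type openvpn_t;
	type openvpn_var_log_t;
')

# The status file is rewritten in place rather than appended to, so it gets its
# own type instead of sharing openvpn_var_log_t (which only gets append/create).
type openvpn_status_t;
logging_log_file(openvpn_status_t)

# openvpn may create, write and remove openvpn_status_t files in its log dir...
manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_status_t)
# ...and a file it creates there under exactly this name is typed openvpn_status_t
# (named file transition), so the type is right without a relabel afterwards.
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
EOF
    # File context so a full relabel keeps the type. "--" limits the entry to
    # regular files; (.*/)? covers both /var/log and a subdirectory (assumed layout).
    cat >"$dir/extraopenvpn.fc" <<'EOF'
/var/log/(.*/)?openvpn-status\.log    --    gen_context(system_u:object_r:openvpn_status_t,s0)
EOF
}

# Build, load and verify on an SELinux host; does nothing where the Makefile is absent.
build_and_load() {
    dir=$1
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "refpolicy devel Makefile not found, skipping build" >&2
        return 0
    fi
    make -C "$dir" -f /usr/share/selinux/devel/Makefile extraopenvpn.pp
    semodule -i "$dir/extraopenvpn.pp"
    # Relabel an existing status file (assumed path) and show the resulting type.
    if [ -e /var/log/openvpn-status.log ]; then
        restorecon -v /var/log/openvpn-status.log
        ls -Z /var/log/openvpn-status.log      # should show :openvpn_status_t:
    fi
    # Once the distro policy defines openvpn_status_t itself, unload this module
    # first or the duplicate type definition will make the new policy fail to load:
    #   semodule -r extraopenvpn
}

# Reduce an avc denial to "perms source_type target_type class name", i.e. exactly
# the pieces an allow rule needs (here: openvpn_t write on openvpn_var_log_t:file).
avc_key() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied *{ *\([a-z_ ]*[a-z_]\) *}.*name="\([^"]*\)".*scontext=[^:]*:[^:]*:\([a-z_]*\).*tcontext=[^:]*:[^:]*:\([a-z_]*\).*tclass=\([a-z_]*\).*/\1 \3 \4 \5 \2/p'
}

# Constructed sample: the denial quoted in the bug report.
SAMPLE_AVC='avc: denied { write } for pid=23436 comm="openvpn" name="openvpn-status.log" dev="sda1" ino=560037 scontext=staff_u:system_r:openvpn_t tcontext=system_u:object_r:openvpn_var_log_t tclass=file'

workdir=$(mktemp -d)
write_module "$workdir"
build_and_load "$workdir"
avc_key "$SAMPLE_AVC"    # write openvpn_t openvpn_var_log_t file openvpn-status.log
```

The ordering matters in practice: load the module, then remove (or restorecon) the existing openvpn-status.log and restart openvpn, so the first creation goes through the named transition. Without the .fc entry the file would work until the next full relabel, which would hand it back to openvpn_var_log_t via the `/var/log/openvpn.*` pattern and bring the write denial back.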
Fixed in repo, will be in r8
r8 in hardened-dev overlay
r8 is now in main tree, ~arch
r8 is now stable