
Bug 397863

Summary: net-misc/openvpn: add /var/run/openvpn to be ok with selinux and openvpn-status.log file
Product: Gentoo Linux
Reporter: Veovis <veovis8>
Component: Current packages
Assignee: William Hubbs <williamh>
Status: UNCONFIRMED
Severity: normal
CC: cedk, chutzpah, gentoo, williamh
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
Package list:
Runtime testing required: ---
Attachments: Patch file; fix the run path on a selinux enforced box

Description Veovis 2012-01-06 11:20:07 UTC
This is a tiny patch to create a /var/run/openvpn folder.
Link to patch file:

The aim of this folder is to have a selinux-compliant folder to store the openvpn-status.log file. This file is specified with the status parameter in the openvpn.conf file.
With this folder and the sec-policy/selinux-openvpn package, the /var/run/openvpn folder is correctly tagged and there are no more access-denied logs from selinux.

Reproducible: Always

Steps to Reproduce:
1. Emerge and configure openvpn-2.1.4 using the 'status' parameter on a selinux machine
2. Run openvpn
3. You get "Jan  6 11:41:08 stormrage kernel: type=1400 audit(1325846468.091:685145): avc:  denied  { write } for  pid=2486 comm="openvpn" path="/etc/openvpn/openvpn-status.log" dev=sda2 ino=3934483 scontext=system_u:system_r:openvpn_t tcontext=system_u:object_r:openvpn_etc_t tclass=file" each time openvpn wants to update this file.
Comment 1 Veovis 2012-01-06 11:21:14 UTC
Created attachment 298079 [details, diff]
Patch file

Adds /var/log/openvpn folder and redirects pid files to this directory.
Comment 2 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2012-01-29 16:28:53 UTC
(In reply to comment #1)
> Created attachment 298079 [details, diff]
> Patch file
> Adds /var/log/openvpn folder and redirects pid files to this directory.

Excuse me, but your patch doesn't make sense. Where did you base it off?

% grep var/run openvpn-2.1.4.ebuild

% grep VPNPID files/*
files/openvpn-2.1.init:	VPNPID="/var/run/openvpn.${VPN}.pid"
files/openvpn-2.1.init:	VPNPID="/var/run/"
Comment 3 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2012-01-29 16:29:33 UTC
Oh, nevermind. I now see that your patch was backwards.

It is "diff -u <old> <new>"
Comment 4 Manuel Rüger (RETIRED) gentoo-dev 2016-09-01 12:40:58 UTC
This bug has gotten really old, can you please retry with openvpn-2.3.12 and see if the issue still exists?
Comment 5 Veovis 2017-04-04 08:39:50 UTC
Created attachment 469136 [details, diff]
fix the run path on a selinux enforced box
Comment 6 Veovis 2017-04-04 08:40:10 UTC
You're totally right.
I don't have any selinux box with openvpn right now, but I can see from the current refpolicy that the issue remains.

selinux fc policy from
/run/openvpn(/.*)?	gen_context(system_u:object_r:openvpn_var_run_t,s0)
/run/openvpn\.client.*	--	gen_context(system_u:object_r:openvpn_var_run_t,s0)

current init file:

I noticed my first patch was wrong for multiple reasons.
I made another patch which creates the /run/openvpn folder the right way.
I have not tested it yet.

It seems we are shifting from /var/run to /run, so I updated the init to reflect that.
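The denial quoted in the description and the refpolicy file-context entries quoted in comment 6 are enough to triage this class of AVC message without a SELinux box. The following Python script is an added example for this bug, not code from the reporter or from the openvpn package: it parses the quoted AVC line into its fields, and checks a path against the two quoted file-context regexes to tell whether the policy would label it openvpn_var_run_t at all. The sample log line is the one from "Steps to Reproduce"; the "last matching entry wins" rule and the `suggest_run_path` helper are assumptions made for the example.

```python
import os
import re

# Constructed sample: the AVC denial quoted in the bug's "Steps to Reproduce".
SAMPLE_AVC = (
    'Jan  6 11:41:08 stormrage kernel: type=1400 audit(1325846468.091:685145): '
    'avc:  denied  { write } for  pid=2486 comm="openvpn" '
    'path="/etc/openvpn/openvpn-status.log" dev=sda2 ino=3934483 '
    'scontext=system_u:system_r:openvpn_t tcontext=system_u:object_r:openvpn_etc_t tclass=file'
)

# refpolicy file-context entries quoted in comment 6: (regex, file-type flag, SELinux type).
FILE_CONTEXTS = [
    (r"/run/openvpn(/.*)?", None, "openvpn_var_run_t"),
    (r"/run/openvpn\.client.*", "--", "openvpn_var_run_t"),
]

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; the value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return the AVC decision, permission set and key=value fields of a kernel AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else raw
    # a context is user:role:type[:level]; the type is what the policy rules are written against
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def expected_type(path):
    """SELinux type the quoted file-context entries assign to `path`, or None if none match.

    Assumption (matches libselinux behaviour for file_contexts): the last matching entry wins.
    """
    hit = None
    for pattern, _ftype, setype in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            hit = setype
    return hit


def suggest_run_path(path):
    """Hypothetical helper: where the same file name would live under the labelled run directory."""
    return os.path.join("/run/openvpn", os.path.basename(path))


def triage(line):
    """Summarise a denial: which file was hit, its actual label, and whether policy covers its location."""
    rec = parse_avc(line)
    if rec is None or rec["decision"] != "denied":
        return None
    path = rec.get("path", "")
    expected = expected_type(path)
    return {
        "comm": rec.get("comm"),
        "perms": rec["perms"],
        "path": path,
        "actual_type": rec.get("tcontext_type"),
        "expected_type": expected,
        "in_policy_location": expected is not None,
        "suggested_path": suggest_run_path(path),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AVC).items():
        print(f"{key}: {value}")
```

Run against the quoted line, the result shows the status file sitting in /etc/openvpn with type openvpn_etc_t, a location no openvpn_var_run_t entry covers, while /run/openvpn/openvpn-status.log matches the first entry. That is the reporter's point in one check: the fix is not a policy change but writing the status file where the policy already expects runtime state.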