| Summary: | net-misc/openvpn-2.3.0 & sec-policy/selinux-openvpn-2.20120725-r12: missing /tmp type | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Vincent Brillault <gentoo> |
| Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | selinux |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | sec-policy r2 | ||
| Package list: | Runtime testing required: | --- | |
Is in repo, will be in rev 2 In repo, ~arch (rev 2 of the policies) r2 is now stable |
The new openvpn seems to use /tmp. The following errors occur when starting it: ''' # /etc/init.d/openvpn start * Starting openvpn ... * start-stop-daemon: failed to start `/usr/sbin/openvpn' * Check your logs to see why startup failed [ !! ] * ERROR: openvpn failed to start ==> openvpn.log <== Options error: Temporary directory (--tmp-dir) fails with '/tmp': Permission denied ==> avc.log <== ...: avc: denied { read write search } for pid=1613 comm="openvpn" name="/" dev="tmpfs" ino=3830 ipaddr=..... scontext=staff_u:system_r:openvpn_t tcontext=system_u:object_r:tmp_t tclass=dir ''' A grep 'tmp_dir' in the openvpn source seems to reveal that no folder is created in tmp_dir, only files (calls to create_temp_file and check_file_access only). The following declarations are enough to make openvpn start: ''' type openvpn_tmp_t; files_tmp_file(openvpn_tmp_t); manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t); files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file); '''