[lug] Security problem opening Openvpn

gordongoldin at aim.com gordongoldin at aim.com
Thu Dec 20 13:52:23 MST 2007


 I upgraded to FC7.

Openvpn will not start as a service.

I CAN start it from the command line as root.

I did: touch /.autorelabel - it looked like it worked.


I get from /var/log/messages ... here are some excerpts:

Warning: Error redirecting stdout/stderr to --log file: openvpn.log: Permission denied (errno=13)
....
username = '[UNDEF]'
groupname = '[UNDEF]'
chroot_dir = '[UNDEF]'
cd_dir = '/etc/openvpn'
writepid = '/var/run/openvpn/server.pid'
....
OpenVPN 2.1_rc4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Apr 26 2007
Note: cannot open openvpn-status.log for WRITE
Note: cannot open ipp.txt for READ/WRITE
Diffie-Hellman initialized with 1024 bit key
TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.10.10.1 peer 10.10.10.2
/sbin/ip route add 10.10.10.0/24 via 10.10.10.2
Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Open error on pid file /var/run/openvpn/server.pid: Permission denied (errno=13)
Exiting

I get from more /var/log/audit/audit.log:


type=AVC msg=audit(1198182084.809:3197): avc:  denied  { write } for  pid=31311 comm="openvpn" name="openvpn.log" dev=sda2 ino=749252 scontext=root:system_r:openvpn_t:s0 tcontext=root:object_r:openvpn_etc_t:s0 tclass=file

type=SYSCALL msg=audit(1198182084.809:3197): arch=40000003 syscall=5 success=no exit=-13 a0=9bedf2c a1=241 a2=180 a3=9bedf2c items=0 ppid=31301 pid=31311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)

type=AVC msg=audit(1198182085.808:3198): avc:  denied  { write } for  pid=31311 comm="openvpn" name="openvpn-status.log" dev=sda2 ino=752456 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file

type=SYSCALL msg=audit(1198182085.808:3198): arch=40000003 syscall=5 success=no exit=-13 a0=9bedefc a1=241 a2=180 a3=9bede01 items=0 ppid=31301 pid=31311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)

type=AVC msg=audit(1198182085.808:3199): avc:  denied  { write } for  pid=31311 comm="openvpn" name="ipp.txt" dev=sda2 ino=749917 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file

type=SYSCALL msg=audit(1198182085.808:3199): arch=40000003 syscall=5 success=no exit=-13 a0=9bede3c a1=42 a2=180 a3=9bede01 items=0 ppid=31301 pid=31311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)

type=AVC msg=audit(1198182085.808:3200): avc:  denied  { search } for  pid=31311 comm="openvpn" name="openvpn" dev=sda5 ino=224464 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir

type=SYSCALL msg=audit(1198182085.808:3200): arch=40000003 syscall=5 success=no exit=-13 a0=bfdb9f32 a1=241 a2=1b6 a3=9bf1890 items=0 ppid=31301 pid=31311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)

Gordon Golding
Center for Innovation and Creativity
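As an added example that is not part of the original post and not OpenVPN project code: the AVC records above all have the same shape, a process in openvpn_t denied write on files whose label is openvpn_etc_t, the label of the configuration directory, because the --log, --status and --ifconfig-pool-persist files were created inside cd_dir (/etc/openvpn). The POSIX shell script below summarises AVC records of that form and, for each such write denial, prints the move-and-relabel step; for anything else (the search denial on openvpn_var_run_t) it only points at ausearch/audit2allow. The sample records are constructed from the ones quoted in the post. Two assumptions are made: the denied files sit directly under /etc/openvpn, and the Fedora policy labels /var/log/openvpn.* as openvpn_var_log_t (true for the reference-policy openvpn module, but check with matchpathcon on the target system).

```shell
#!/bin/sh
# Added example, not from the original post. Summarise SELinux AVC denials and
# point at the relabel/relocation fix for a confined daemon writing into its
# own config directory.

# Constructed sample, shortened from the denials quoted in the post.
AVC_SAMPLE='type=AVC msg=audit(1198182084.809:3197): avc:  denied  { write } for  pid=31311 comm="openvpn" name="openvpn.log" scontext=root:system_r:openvpn_t:s0 tcontext=root:object_r:openvpn_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1198182084.809:3197): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1198182085.808:3199): avc:  denied  { write } for  pid=31311 comm="openvpn" name="ipp.txt" scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file
type=AVC msg=audit(1198182085.808:3200): avc:  denied  { search } for  pid=31311 comm="openvpn" name="openvpn" scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir'

# Assumptions (see lead-in): where the daemon created the files, and where
# the policy expects its log-type files to live.
CONF_DIR=/etc/openvpn
LOG_DIR=/var/log/openvpn

# avc_summary LOG: one line per AVC record ->
#   "<perm> <source type> <target type> <class> <name>"
# SYSCALL records (and anything else) are skipped.
avc_summary() {
    printf '%s\n' "$1" | awk '
    /^type=AVC / {
        perm = ""; src = ""; tgt = ""; cls = ""; nm = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)
            # context fields look like user:role:type:level; take the type
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/) cls = substr($i, 8)
            if ($i ~ /^name=/)   { nm = substr($i, 6); gsub(/"/, "", nm) }
        }
        print perm, src, tgt, cls, nm
    }'
}

# etc_write_denials LOG: number of AVC records where the daemon tried to
# write a file carrying its config label (the pattern in the post).
etc_write_denials() {
    avc_summary "$1" | awk '$1 == "write" && $3 == "openvpn_etc_t" && $4 == "file"' \
        | wc -l | tr -d ' '
}

# suggest_fix LOG: for each config-label write denial print the relocation and
# relabel commands; for everything else print the audit2allow starting point.
suggest_fix() {
    avc_summary "$1" | while read -r perm src tgt cls nm; do
        if [ "$perm" = write ] && [ "$tgt" = openvpn_etc_t ] && [ "$cls" = file ]; then
            echo "mv $CONF_DIR/$nm $LOG_DIR/ && restorecon -v $LOG_DIR/$nm"
        else
            echo "# $perm on $tgt ($cls $nm): ausearch -c openvpn --raw | audit2allow -M local_openvpn"
        fi
    done
}

avc_summary "$AVC_SAMPLE"
suggest_fix "$AVC_SAMPLE"
```

After moving the files, the `log`, `status` and `ifconfig-pool-persist` paths in the server config have to be changed to match, and `matchpathcon /var/log/openvpn/openvpn.log` confirms the label the policy will assign. The audit2allow line is deliberately only a starting point: the search denial against openvpn_var_run_t is not a mislabelled file in /etc/openvpn, so review the generated .te before loading it with semodule, otherwise the local module widens what openvpn_t may touch instead of fixing a label.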

