[lug] Security problem opening Openvpn

Kevin Fenzi kevin at scrye.com
Thu Dec 20 15:37:19 MST 2007


On Thu, 20 Dec 2007 15:52:23 -0500
gordongoldin at aim.com wrote:

> 
>  I upgraded to FC7.
> 
> Openvpn will not start as a service.
> 
> I CAN start it from the command line as root.
> 
> I did: touch /.autorelabel - it looked like it worked.

Did you reboot after doing so?
It reads that on a boot and relabels files. 

You can also manually try: 

restorecon -Rv /etc/openvpn /var/log/openvpn* /var/run/openvpn

> I get from /var/log/messages ... here are some
> excerpts

Yeah, looks like some of your file and/or directory contexts are messed
up. You can confirm this by doing a 'setenforce 0' then starting it, if
it works then the issues are all selinux related. You can re-enable
with 'setenforce 1'. 

kevin
--
> Warning: Error redirecting stdout/stderr to --log file: openvpn.log:
> Permission denied (errno=13) ....
> username = '[UNDEF]'
> groupname = '[UNDEF]'
> chroot_dir = '[UNDEF]'
> cd_dir = '/etc/openvpn'
> writepid = '/var/run/openvpn/server.pid'
> ....
> OpenVPN 2.1_rc4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on
> Apr 26 2007
> Note: cannot open openvpn-status.log for WRITE
> Note: cannot open ipp.txt for READ/WRITE
> Diffie-Hellman initialized with 1024 bit key
> TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
> TUN/TAP device tun0 opened
> TUN/TAP TX queue length set to 100
> /sbin/ip link set dev tun0 up mtu 1500
> /sbin/ip addr add dev tun0 local 10.10.10.1 peer 10.10.10.2
> /sbin/ip route add 10.10.10.0/24 via 10.10.10.2
> Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
> Open error on pid file /var/run/openvpn/server.pid: Permission denied (errno=13)
> Exiting
> 
> I get from more /var/log/audit/audit.log
> 
> 
> type=AVC msg=audit(1198182084.809:3197): avc:  denied  { write } for
> pid=31311 comm="openvpn" name="openvpn.log" dev=sda2 ino=749252
> scontext=root:system_r:openvpn_t:s0
> tcontext=root:object_r:openvpn_etc_t:s0 tclass=file
> 
> type=SYSCALL msg=audit(1198182084.809:3197): arch=40000003 syscall=5
> success=no exit=-13 a0=9bedf2c a1=241 a2=180 a3=9bedf2c items=0
> ppid=31301 pid=31311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="openvpn" exe="/usr/sbin/openvpn"
> subj=root:system_r:openvpn_t:s0 key=(null)
> 
> type=AVC msg=audit(1198182085.808:3198): avc:  denied  { write } for
> pid=31311 comm="openvpn" name="openvpn-status.log" dev=sda2
> ino=752456 scontext=root:system_r:openvpn_t:s0
> tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file
> 
> type=SYSCALL msg=audit(1198182085.808:3198): arch=40000003 syscall=5
> success=no exit=-13 a0=9bedefc a1=241 a2=180 a3=9bede01 items=0
> ppid=31301 pid=31311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="openvpn" exe="/usr/sbin/openvpn"
> subj=root:system_r:openvpn_t:s0 key=(null)
> 
> type=AVC msg=audit(1198182085.808:3199): avc:  denied  { write } for
> pid=31311 comm="openvpn" name="ipp.txt" dev=sda2 ino=749917
> scontext=root:system_r:openvpn_t:s0
> tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file
> 
> type=SYSCALL msg=audit(1198182085.808:3199): arch=40000003 syscall=5
> success=no exit=-13 a0=9bede3c a1=42 a2=180 a3=9bede01 items=0
> ppid=31301 pid=31311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="openvpn" exe="/usr/sbin/openvpn"
> subj=root:system_r:openvpn_t:s0 key=(null)
> 
> type=AVC msg=audit(1198182085.808:3200): avc:  denied  { search } for
> pid=31311 comm="openvpn" name="openvpn" dev=sda5 ino=224464
> scontext=root:system_r:openvpn_t:s0
> tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir
> 
> type=SYSCALL msg=audit(1198182085.808:3200): arch=40000003 syscall=5
> success=no exit=-13 a0=bfdb9f32 a1=241 a2=1b6 a3=9bf1890 items=0
> ppid=31301 pid=31311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="openvpn" exe="/usr/sbin/openvpn"
> subj=root:system_r:openvpn_t:s0 key=(null)
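The AVC records quoted above are the raw material for the diagnosis in this thread: every write is denied against a target of type openvpn_etc_t, and one directory search is denied against openvpn_var_run_t. The script below is an added example, not code from the thread, from OpenVPN or from the Fedora policy; it parses audit.log records of this shape, pairs each AVC record with its SYSCALL record through the shared audit event id, groups denials by (source type, target type, class, permission), and builds a find-by-inode command to locate the object behind the basename the kernel logged (the names here are relative to openvpn's cd_dir). The embedded log is constructed from the records in this thread, and the names parse_audit, summarize, context_type and locate_command are choices made for this example.

```python
"""Triage SELinux AVC denials from a raw audit.log.

Pairs each AVC record with its SYSCALL record through the shared audit
event id, groups denials by (source type, target type, class, permission)
and builds a find-by-inode command to locate the object behind the
basename the kernel logged.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the records quoted in this thread:
# an AVC line followed by the SYSCALL line of the same event. The last
# AVC deliberately has no SYSCALL partner to exercise that case.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1198182084.809:3197): avc:  denied  { write } for  pid=31311 comm="openvpn" name="openvpn.log" dev=sda2 ino=749252 scontext=root:system_r:openvpn_t:s0 tcontext=root:object_r:openvpn_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1198182084.809:3197): arch=40000003 syscall=5 success=no exit=-13 a0=9bedf2c a1=241 a2=180 a3=9bedf2c items=0 ppid=31301 pid=31311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1198182085.808:3199): avc:  denied  { write } for  pid=31311 comm="openvpn" name="ipp.txt" dev=sda2 ino=749917 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1198182085.808:3199): arch=40000003 syscall=5 success=no exit=-13 a0=9bede3c a1=42 a2=180 a3=9bede01 items=0 ppid=31301 pid=31311 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1198182085.808:3200): avc:  denied  { search } for  pid=31311 comm="openvpn" name="openvpn" dev=sda5 ino=224464 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def _kv(text):
    """Turn 'k=v k2="quoted v"' into a dict, unquoting quoted values."""
    out = {}
    for key, value in KV_RE.findall(text):
        out[key] = value[1:-1] if value.startswith('"') else value
    return out


def context_type(ctx):
    """user:role:type[:range] -> type, the component policy rules are written against."""
    return ctx.split(':')[2]


def parse_audit(text):
    """Return a list of AVC records, each carrying its SYSCALL record (or None)."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        match = RECORD_RE.match(line.strip())
        if not match:
            continue
        rtype, event, body = match.group('type', 'event', 'body')
        if rtype == 'AVC':
            avc = AVC_RE.match(body)
            if avc:
                avcs.append({'event': event,
                             'verdict': avc.group('verdict'),
                             'perms': avc.group('perms').split(),
                             'fields': _kv(avc.group('rest')),
                             'syscall': None})
        elif rtype == 'SYSCALL':
            syscalls[event] = _kv(body)
    # AVC and SYSCALL records of one event share msg=audit(ts:serial).
    for avc in avcs:
        avc['syscall'] = syscalls.get(avc['event'])
    return avcs


def summarize(denials):
    """Group denied object names by (source type, target type, class, permission)."""
    groups = defaultdict(list)
    for d in denials:
        if d['verdict'] != 'denied':
            continue
        f = d['fields']
        base = (context_type(f['scontext']), context_type(f['tcontext']), f['tclass'])
        for perm in d['perms']:
            groups[base + (perm,)].append(f.get('name', '?'))
    return dict(groups)


def locate_command(denial):
    """The AVC logs only a basename, so locate the object by inode on the
    device it names; replace / with that device's mount point if it is not root."""
    f = denial['fields']
    return f"find / -xdev -inum {f['ino']}   # on the filesystem backing {f['dev']}"


if __name__ == '__main__':
    denials = parse_audit(SAMPLE_AUDIT_LOG)
    for key, names in summarize(denials).items():
        print('%s -> %s : %s %s  %s' % (key[0], key[1], key[2], key[3], ', '.join(names)))
    for d in denials:
        exe = (d['syscall'] or {}).get('exe', 'unknown exe')
        print(exe, d['fields']['name'], '->', locate_command(d))
```

On a live host the same grouping comes from `ausearch -m avc -c openvpn | audit2why`; once the files are located, `restorecon -nv <path>` shows what a relabel would change without applying it, which is a narrower check than the `setenforce 0` test above because it never takes the host out of enforcing mode.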
