OpenVPN SELinux Permission Denied

I am running CentOS 6.4.

# cat /etc/centos-release
CentOS release 6.4 (Final)

After some updates, and a reboot, OpenVPN fails to start.

# service openvpn start
Starting openvpn:                                          [FAILED]

/var/log/messages shows the following output on openvpn:

Nov 13 14:09:58 host kernel: type=1400 audit(1384344598.334:39761): avc:  denied  { read write } for  pid=5777 comm="openvpn" name="openvpn" dev=dm-0 ino=54527865 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir
Nov 13 14:09:58 host openvpn[5777]: Options error: --status fails with '/var/log/openvpn/openvpn-status.log': Permission denied

So apparently it's an SELinux problem.

I tried updating to openvpn-2.3.2-2.el6.x86_64 as per this bug report but no success. How should I debug / fix this?

EDIT: Thanks to both Iain and Jiri Xichtkniha. I changed to location of the log file in /etc/openvpn/server.conf to read

status /var/log/openvpn-status.log

which works with current policy.


Solution 1:

A quick fix would be to change the log file to be /var/log/openvpn-status.log as the openvpn process is running as openvpn_t and it has permission within the policy to write to files labelled var_log_t (as /var/log should be).

The default context for /var/log/openvpn is openvpn_var_log_t

matchpathcon /var/log/openvpn
/var/log/openvpn        system_u:object_r:openvpn_var_log_t:s0

A longer process that requires slightly more management is to allow openvpn_t to write to openvpn_var_log_t which is the context that /var/log/openvpn gets e.g.

echo "host kernel: type=1400 audit(1384344598.334:39761): avc:  denied  { read write } for  pid=5777 comm="openvpn" name="openvpn" dev=dm-0 ino=54527865 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir" | audit2allow -M localOpenVpn

which will generate a .pp file that you can install

semodule -i localOpenVpn.pp

Don't forget to store the localOpenVpn.te and localOpenVpn.pp somewhere safe.


For Jiri Xichtkniha

If you look at the generated .te file amongst other things it says

#============= openvpn_t ==============  
#!!!! The source type 'openvpn_t' can write to a 'dir' of the following types:
# net_conf_t, pcscd_var_run_t, openvpn_etc_t, openvpn_tmp_t, openvpn_var_run_t, 
  tmp_t, etc_t, var_run_t, var_log_t, krb5_host_rcache_t, tmp_t, cluster_var_lib_t,
  cluster_var_run_t, root_t, cluster_conf_t

Note that openvpn_var_log_t isn't listed.

Solution 2:

I don't use OpenVPN but you have different path to log than prepared OpenVPN policy uses. This would make it work.

# semanage fcontext -a -t openvpn_var_log_t '/var/log/openvpn(/.*)?'
# semanage fcontext -l | grep openvpn_var_log_t
/var/log/openvpn(/.*)?                             all files          system_u:object_r:openvpn_var_log_t:s0 
/var/log/openvpn.*                                 all files          system_u:object_r:openvpn_var_log_t:s0

The original policy is last line. As you can see it would just accept 'openvpn.*' but this does not recurse to subdir.