OpenVPN SELinux Permission Denied


Solution 1

A quick fix would be to change the log file to be /var/log/openvpn-status.log as the openvpn process is running as openvpn_t and it has permission within the policy to write to files labelled var_log_t (as /var/log should be).

The default context for /var/log/openvpn is openvpn_var_log_t

matchpathcon /var/log/openvpn
/var/log/openvpn        system_u:object_r:openvpn_var_log_t:s0

A longer process that requires slightly more management is to allow openvpn_t to write to openvpn_var_log_t which is the context that /var/log/openvpn gets e.g.

echo "host kernel: type=1400 audit(1384344598.334:39761): avc:  denied  { read write } for  pid=5777 comm="openvpn" name="openvpn" dev=dm-0 ino=54527865 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir" | audit2allow -M localOpenVpn

which will generate a .pp file that you can install

semodule -i localOpenVpn.pp

Don't forget to store the localOpenVpn.te and localOpenVpn.pp somewhere safe.


For Jiri Xichtkniha

If you look at the generated .te file amongst other things it says

#============= openvpn_t ==============
#!!!! The source type 'openvpn_t' can write to a 'dir' of the following types:
# net_conf_t, pcscd_var_run_t, openvpn_etc_t, openvpn_tmp_t, openvpn_var_run_t,
# tmp_t, etc_t, var_run_t, var_log_t, krb5_host_rcache_t, tmp_t, cluster_var_lib_t,
# cluster_var_run_t, root_t, cluster_conf_t

Note that openvpn_var_log_t isn't listed.
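As an added illustration of the reasoning in Solution 1 (not code from the original answer): a small Python parser that pulls the source type, target type, object class and denied permissions out of an AVC record like the one above, checks the target type against the writable-type list from the generated .te comment, and produces the allow rule a local audit2allow module would carry. The AVC line is the one quoted in the answer and the writable-type set is copied from the .te excerpt; no other data is assumed.

```python
import re

# Constructed input: the AVC record quoted in the answer above.
AVC_LINE = (
    'host kernel: type=1400 audit(1384344598.334:39761): avc:  denied  '
    '{ read write } for  pid=5777 comm="openvpn" name="openvpn" dev=dm-0 '
    'ino=54527865 scontext=unconfined_u:system_r:openvpn_t:s0 '
    'tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir'
)
# Directory types the generated .te comment lists as writable by openvpn_t
# (openvpn_var_log_t is absent, which is the whole problem).
OPENVPN_T_WRITABLE_DIR_TYPES = {
    "net_conf_t", "pcscd_var_run_t", "openvpn_etc_t", "openvpn_tmp_t",
    "openvpn_var_run_t", "tmp_t", "etc_t", "var_run_t", "var_log_t",
    "krb5_host_rcache_t", "cluster_var_lib_t", "cluster_var_run_t",
    "root_t", "cluster_conf_t",
}
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Pull the parts of an AVC denial that policy work needs; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "").strip('"'),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "stype": m.group("scontext").split(":")[2],  # source (process) type
        "ttype": m.group("tcontext").split(":")[2],  # target (object) type
        "tclass": m.group("tclass"),
    }

def allow_rule(rec):
    """The allow rule a local audit2allow module would carry for this denial."""
    return "allow %s %s:%s { %s };" % (
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))

def classify(rec):
    """Map a parsed denial onto the two fixes discussed in Solution 1."""
    if rec["stype"] != "openvpn_t" or rec["tclass"] != "dir":
        return "not an openvpn_t directory denial; inspect separately"
    if rec["ttype"] in OPENVPN_T_WRITABLE_DIR_TYPES:
        return "openvpn_t may already write this type; check the label with ls -Z"
    return ("quick fix: log into a var_log_t directory such as /var/log; "
            "otherwise load a local module containing: " + allow_rule(rec))
```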

Solution 2

I don't use OpenVPN, but you have a different path to the log than the prepared OpenVPN policy uses. This would make it work.

# semanage fcontext -a -t openvpn_var_log_t '/var/log/openvpn(/.*)?'
# semanage fcontext -l | grep openvpn_var_log_t
/var/log/openvpn(/.*)?                             all files          system_u:object_r:openvpn_var_log_t:s0 
/var/log/openvpn.*                                 all files          system_u:object_r:openvpn_var_log_t:s0

The original policy is the last line. As you can see, it would just accept 'openvpn.*', but this does not recurse to a subdir.



Author by

amit singh

Updated on September 18, 2022

Comments

  • amit singh
    amit singh over 1 year

    I am using derivative node to calculate bandwidth utilization of network devices, below is the script.

    I am using a where clause because I wanted an alert for a specific interface for a specific IP.

    // database
    var database = 'router'
    
    // measurement from where data is coming
    var measurement = 'cisco_router'
    
    // RP from where data is coming
    var RP = 'autogen'
    
    // which influx cluster to use
    var clus = 'network'
    
    // durations
    var period = 7m
    
    var every = 10s
    
    // alerts
    var crit = 320
    
    var alertName = 'cisco_router_bandwidth_alert'
    
    var triggerType = 'threshold'
    
    batch
    |query(''' SELECT (mean("bandwidth_in") * 8) as "value" FROM "router"."autogen"."cisco_router" where  host = '10.1.11.1' and ( interface_name = 'GigabitEthernet0/0/0' or  interface_name = 'GigabitEthernet0/0/1')  ''')
        .cluster('network')
        .period(7m)
        .every(6m)
        .groupBy(*)
    |derivative('value')
        .unit(1s)
        .nonNegative()
        .as('value')
    |alert()
        .crit(lambda: "value" > crit)
        .stateChangesOnly()
        .message(' {{.Level}}  for {{ index .Tags "device_name" }} on Port {{ index .Tags "name" }} {{ .Time.Local.Format "2006.01.02 - 15:04:05" }} ')
        .details('''
    
     <pre>
     ------------------------------------------------------------------
     CLIENT NAME : XXXXXXXX
     ENVIRONMENT : Prod
     DEVICE TYPE : Router
     CATEGORY : {{ index .Tags "type" }}
     IP ADDRESS : {{ index .Tags "host" }}
     DATE : {{ .Time.Local.Format "2006.01.02 - 15:04:05" }}
     INTERFACE NAME : {{ index .Tags "name" }}
     VALUE : {{ index .Fields "value" }}
     SEVERITY : {{.Level}}
     ------------------------------------------------------------------
     </pre>
    
    ''')
        .log('/tmp/chronograf/cisco_router_interface_alert.log')
        .levelTag('level')
        .idTag('id')
        .messageField('message')
        .email()
        .to('XXXXXXX')
    |influxDBOut()
        .database('chronograf')
        .retentionPolicy(RP)
        .measurement('alerts')
        .tag('alertName', alertName)
    

    But it is not showing anything when I do kapacitor watch, and it is not showing any errors in the logs.

  • jirib
    jirib over 10 years
    Why so complicated? Yes the issue is that OpenVPN does not log to its subdir by default. He should check ';log' in sample configs.
  • user9517
    user9517 over 10 years
    it's not complicated.
  • jirib
    jirib over 10 years
    "Don't forget to store... somewhere safe." semanage is easy trick.
  • user9517
    user9517 over 10 years
    It looks like your commands are just setting the context on /var/log/openvpn to that which is the policy default. Look at matchpathcon /var/log/openvpn. The openvpn_t doesn't have permission to write to openvpn_var_log_t, which is what the OP's error message is saying?
  • Eero Aaltonen
    Eero Aaltonen over 10 years
    I just tried the above commands, but I get the same avc: denied message as before.
  • jirib
    jirib over 10 years
    man openvpn_selinux
  • jirib
    jirib over 10 years
    Tried 'this'? This is a good description of how to reproduce.
  • user9517
    user9517 over 10 years
    @JiriXichtkniha: My reading of the OP's error message is that the openvpn process running as openvpn_t cannot write to /var/log/openvpn/openvpn-status.log because the target directory context is openvpn_var_log_t, which openvpn_t doesn't have permission to write to. So you have to allow openvpn_t access to openvpn_var_log_t, surely?
  • Eero Aaltonen
    Eero Aaltonen over 10 years
    I tried the quick fix and changed the location of the log file to /var/log/openvpn-status.log. That fixes the problem, at least for the immediate concern.
  • Michael Hampton
    Michael Hampton over 9 years
    Looks like a bug in the SELinux policy to me.
  • amit singh
    amit singh about 5 years
    Hi, could you make the changes in the above script, as I am unable to understand what you meant by moving derivative to query?