[DSE-Dev] Bug#962007: selinux-policy-default: No SELinux rule for OpenVPN management socket file

Maksim K. debian_bug at k-max.name
Mon Jun 1 23:06:36 BST 2020


Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: normal

Dear Maintainer,

OpenVPN allows one to use socket files for the management interface instead of TCP ports. This is important on servers where non-admin users are also allowed to SSH in, because it limits their access to the management interface.

Example directive:
management /run/openvpn/server.sock unix
management-client-user root
management-client-group root


However, there is no SELinux rule in the current and future (2:2.20200502-1 was checked) versions of the package that allows creation of such a socket file.
So it was denied during start/stop of the service and logged as the following messages:
----------------
type=AVC msg=audit(1591045213.430:2109): avc:  denied  { unlink } for  pid=8880 comm="openvpn" name="server.sock" dev="tmpfs" ino=13559 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1591045213.434:2110): avc:  denied  { create } for  pid=8880 comm="openvpn" name="server.sock" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=sock_file permissive=1
----------------

So I had to create one on my own:
+++
$ cat ovpn_sock.te

module ovpn_sock 1.0;

require {
        type openvpn_var_run_t;
        type openvpn_t;
        class sock_file { create unlink };
}

#============= openvpn_t ==============
allow openvpn_t openvpn_var_run_t:sock_file { create unlink };
+++

I wonder if it would be possible to integrate this into the package shipped in Debian.
Thank you.


-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b3
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
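The procedure the report describes (derive the allow rule from the AVC denials, wrap it in a module like ovpn_sock.te, compile and load it), as an added shell example that is not the reporter's own script; it embeds the two denial lines quoted above as constructed input and assumes the standard SELinux userspace tools (checkmodule, semodule_package, semodule, and sesearch from setools) when run on the actual host.

```shell
#!/bin/sh
# Added example, not the reporter's script: derive the allow rule from the AVC
# denials quoted above, emit a module like ovpn_sock.te, then build/load it.

# The two denial lines from the report, embedded so the script runs offline.
AVC_LINES='type=AVC msg=audit(1591045213.430:2109): avc:  denied  { unlink } for  pid=8880 comm="openvpn" name="server.sock" dev="tmpfs" ino=13559 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1591045213.434:2110): avc:  denied  { create } for  pid=8880 comm="openvpn" name="server.sock" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=sock_file permissive=1'

# avc_to_allow: AVC lines on stdin -> one allow rule per (source, target, class),
# permissions de-duplicated and sorted, the way audit2allow would print them.
avc_to_allow() {
    awk '/avc: +denied/ {
        p = $0; sub(/.*denied +\{ */, "", p); sub(/ *\}.*/, "", p)
        match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        split(s, sa, ":"); split(t, ta, ":")     # user:role:type:level -> type
        n = split(p, pa, " ")
        for (i = 1; i <= n; i++) print sa[3], ta[3] ":" c, pa[i]
    }' | sort -u | awk '
    { k = $1 " " $2; perms[k] = perms[k] " " $3
      if (!(k in seen)) { seen[k] = 1; order[++n] = k } }
    END { for (i = 1; i <= n; i++) printf "allow %s {%s };\n", order[i], perms[order[i]] }'
}

# write_te_module NAME: loadable module source with the require block derived
# from the rules; same shape as the reporter's ovpn_sock.te.
write_te_module() {
    printf '%s\n' "$AVC_LINES" | avc_to_allow | awk -v name="$1" '
    { split($3, tc, ":"); types[$2] = 1; types[tc[1]] = 1; rules = rules $0 "\n"
      for (i = 5; i < NF; i++) if (!((tc[2], $i) in seen)) { seen[tc[2], $i] = 1; perms[tc[2]] = perms[tc[2]] " " $i } }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types) printf "\ttype %s;\n", t
        for (c in perms) printf "\tclass %s {%s };\n", c, perms[c]
        printf "}\n\n%s", rules
    }'
}

# build_and_load NAME: compile NAME.te with the standard SELinux userspace tools
# and install it, then confirm with sesearch (setools). Usage, as root on the host:
#   write_te_module ovpn_sock > ovpn_sock.te && build_and_load ovpn_sock
build_and_load() {
    command -v checkmodule >/dev/null 2>&1 || { echo "checkmodule not found; nothing loaded" >&2; return 0; }
    checkmodule -M -m -o "$1.mod" "$1.te" && semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp" && { ! command -v sesearch >/dev/null 2>&1 ||
        sesearch -A -s openvpn_t -t openvpn_var_run_t -c sock_file; }
}
```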
