I am using CentOS 6 with the EPEL repo, if I try to run OpenVPN as a service it reports a failure.
Whereas if I type (as root)
[code]openvpn --config /etc/openvpn/openvpn.conf[/code]
It works, or the service command will work but I have to disable SELINUX.
Thanks in advance for the help
Selinux breaking OpenVPN (from EPEL)
Re: Selinux breaking OpenVPN (from EPEL)
I was able to make it work only if I (as root) type `service openvpn start`, while also slightly changing the /etc/init.d/openvpn script. It works but when I restart I have to go to the machine and run that one command again.
I am using OpenVPN as a tap bridge, the bridges and tap devices are created by "network-scripts" ifcfg-tap1, ifcfg-bridge1, ifcfg-eth1 and so forth
:-?
Selinux breaking OpenVPN (from EPEL)
[quote]
I was able to make it work only if I (as root) type service openvpn start
[/quote]
What does `chkconfig openvpn --list` say?
Re: Selinux breaking OpenVPN (from EPEL)
[code][root@host ~]# chkconfig openvpn --list
openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off[/code]
The service fails on startup, but works if I manually run it (somewhat unpredictably), but it always works if I do
[code]openvpn --config /etc/openvpn/openvpn.conf[/code]
Re: Selinux breaking OpenVPN (from EPEL)
Ah, it's the opposite way round to how I thought it was. When you run the command manually as root then it runs with a different selinux context than the one it would run with if it's started as a service. It should be logging info to the system log and to the audit daemon to show what it is trying to access and the context it runs with vs the context of whatever it is that it's trying to access. I suspect that you have some files that need labeling correctly. Sticking SELinux in permissive mode either by editing /etc/sysconfig/selinux or by running `setenforce 0` will let it start up as a service and will log all disallowed accesses but allow them anyway.
Running
[code]
aureport
[/code]
will show you a summary of all AVCs and running
[code]
ausearch -a nnn
[/code]
will show you a more detailed message about any summary line you want more info on (nnn is the number at the end of each summary line in the aureport output). If it's not just mislabeled files causing this then you should be able to use audit2allow to create a new selinux policy module containing rules to allow the necessary access. Audit2allow is part of the policycoreutils-python package.
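Added example, not code from this thread: a small POSIX shell script that applies the triage the reply above describes to AVC denials for an openvpn process, deciding for each denial whether the fix is a file label (restorecon), a port label (semanage port) or, failing those, a policy module built from the audit record (ausearch -a nnn | audit2allow). The two AVC records are constructed samples in audit.log format; the paths, the inode numbers, port 11194 and the contexts in them are assumptions. openvpn_port_t is the reference-policy port type for OpenVPN; confirm it on the box with `semanage port -l | grep openvpn` before using it.

```shell
#!/bin/sh
# Offline triage of SELinux AVC denials for openvpn (added example).
# On a live CentOS 6 box the same records come from:
#   aureport -a                      # summary, one line per AVC with its event id
#   ausearch -a <id>                 # full record for one summary line
#   ausearch -m avc -c openvpn       # every AVC for the openvpn command
#   ps -eZ | grep openvpn            # context the running process has
#   ls -Z /etc/openvpn               # labels on the files it reads

# Constructed sample records (assumptions: paths, ino, port, contexts).
SAMPLE_AVCS='type=AVC msg=audit(1300000000.123:4567): avc:  denied  { read } for  pid=1234 comm="openvpn" name="openvpn.conf" dev=dm-0 ino=99 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.456:4568): avc:  denied  { name_bind } for  pid=1234 comm="openvpn" src=11194 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# triage_avcs AVC_TEXT
# Prints one line per denial: "<event id> <permission> <tclass> <target type> -> <action>".
triage_avcs() {
    printf '%s\n' "$1" | awk '
    /avc:  denied/ {
        id = ""; perm = ""; tclass = ""; ttype = ""
        # event id is the number after the colon inside msg=audit(...)
        if (match($0, /:[0-9]+\):/)) id = substr($0, RSTART + 1, RLENGTH - 3)
        # denied permission set sits between "{ " and " }"
        if (match($0, /\{ [a-z_ ]+ \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            # target type is the third field of the tcontext (user:role:type:level)
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/) tclass = substr($i, 8)
        }
        if (tclass ~ /^(file|dir|lnk_file|sock_file|fifo_file|chr_file|blk_file)$/)
            action = "file label: compare ls -Z with matchpathcon, then restorecon -Rv on the path"
        else if (tclass ~ /socket$/ && perm == "name_bind")
            action = "port label: semanage port -l | grep openvpn, then semanage port -a -t openvpn_port_t -p tcp <port>"
        else
            action = "no label fix: ausearch -a " id " | audit2allow -M local_openvpn, review the .te before semodule -i"
        printf "%s %s %s %s -> %s\n", id, perm, tclass, ttype, action
    }'
}

# Stand-alone run over the constructed records.
triage_avcs "$SAMPLE_AVCS"
```

The first sample is the mislabeled-file case the reply suspects (a config copied from /root keeps admin_home_t, which openvpn_t may not read); the second is a non-default port, which needs a port label rather than a policy module. Only when neither label fix applies does the script point at audit2allow, and it tells you to read the generated .te before loading it, since a module written straight from denials allows exactly what was denied, whether or not that access was legitimate.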
Re: Selinux breaking OpenVPN (from EPEL)
omg... there really isn't enough info here to determine. Like your .conf, for example. So to the next guy reading this thread: there's no real reason to disable selinux.
O... just a guess... I'd look to see if you're using the hosts directive, what port(s), where you're trying to write log files... there are lots of reasons.