OpenVPN fails to create TUN device when configured for MLS on CentOS

Support for security such as Firewalls and securing linux
john_u
Posts: 6
Joined: 2017/05/04 20:12:38

OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by john_u » 2017/05/04 20:15:32

Hi all,

Thanks for your advice in advance.

I am using CentOS 7.3.166 configured with MLS security policy set to enforced. I have already confirmed that the OpenVPN server works in permissive mode for both targeted and MLS policies and works in enforced mode for targeted.

When set to the MLS security policy in enforced mode, I get the following debug output:
Thu May 4 13:36:14 2017 OpenVPN 2.4.1 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 3 2017
Thu May 4 13:36:14 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Thu May 4 13:36:14 2017 Diffie-Hellman initialized with 2048 bit key
Thu May 4 13:36:14 2017 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Thu May 4 13:36:14 2017 ECDH curve secp384r1 added
Thu May 4 13:36:14 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 4 13:36:14 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 4 13:36:14 2017 ROUTE: default_gateway=UNDEF
Thu May 4 13:36:14 2017 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Thu May 4 13:36:14 2017 Exiting due to fatal error

If I have previously run the system in permissive mode, /dev/net/tun exists and OpenVPN can't access it. If the system is rebooted in enforced mode, net/tun never gets created.

Does anyone have any idea why this might be happening?

Thanks,

John

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by TrevorH » 2017/05/05 01:12:42

Run in permissive mode and then look at your audit log (/var/log/auditd/audit.log) and see what avcs you are getting. Use our wiki selinux page to generate a policy file to allow whatever was being denied. http://wiki.centos.org/HowTos/SELinux
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

john_u
Posts: 6
Joined: 2017/05/04 20:12:38

Re: OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by john_u » 2017/05/05 03:09:02

Thanks! That has helped me move further along. Unfortunately audit2allow does not always work,.. I keep getting "libsepol.sepol_string_to_security_class: unrecognized class file":
----------------------------------------------
sealert output (shortened):
SELinux is preventing /usr/bin/kmod from read access on the file /usr/lib/modules/3.10.0-514.16.1.el7.x86_64/modules.softdep.
....
***** Plugin catchall (1.44 confidence) suggests **************************

If you believe that kmod should be allowed getattr access on the modules.softdep file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'modprobe' --raw | audit2allow -M my-modprobe
# semodule -i my-modprobe.pp

----------------------------------------------
Running audit2allow to generate policy:
[root@localhost ~]# ausearch -c 'modprobe' --raw | audit2allow -M my-modprobe
libsepol.sepol_string_to_security_class: unrecognized class file
libsepol.sepol_string_to_security_class: unrecognized class file
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-modprobe.pp
----------------------------------------------

Looks like a known bug?
Running sealert -a /var/log/audit/audit.log > audit.txt then running audit2allow on the entries, I was able to reduce the number of alerts from 35 to 5. But, whenever I do a reboot, the same AVC errors I just created policies for repeat and openvpn still does not work in enforced mode.

Thanks,

John

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by TrevorH » 2017/05/05 06:27:47

ausearch -c 'modprobe' --raw | audit2allow -M my-modprobe
You know you have to use semodule -i to install my-modprobe.pp after that?

john_u
Posts: 6
Joined: 2017/05/04 20:12:38

Re: OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by john_u » 2017/05/05 14:07:02

Yes,.. I did that part as well (Just left it out of the output). Same errors remain.

john_u
Posts: 6
Joined: 2017/05/04 20:12:38

Re: OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by john_u » 2017/05/05 14:33:30

Actually,.. all the avc errors when running openvpn seem to have disappeared, although it still does not work:

When in permissive mode:
[root@localhost ~]# tail -f /var/log/audit/audit.log
type=SERVICE_START msg=audit(1493994055.996:177): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=openvpn@server comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1493994056.102:178): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1493994066.098:179): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

[root@localhost ~]# tail -f /var/log/messages
May 5 10:20:55 localhost systemd: Created slice system-openvpn.slice.
May 5 10:20:55 localhost systemd: Starting system-openvpn.slice.
May 5 10:20:55 localhost systemd: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
May 5 10:20:56 localhost systemd: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
May 5 10:20:56 localhost kernel: tun: Universal TUN/TAP device driver, 1.6
May 5 10:20:56 localhost kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
May 5 10:20:56 localhost NetworkManager[668]: <info> [1493994056.0242] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/2)
May 5 10:20:56 localhost NetworkManager[668]: <info> [1493994056.0458] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
May 5 10:20:56 localhost NetworkManager[668]: <info> [1493994056.0476] keyfile: add connection in-memory (fbb893b4-0adc-45f0-959b-c5335238929b,"tun0")
May 5 10:20:56 localhost NetworkManager[668]: <info> [1493994056.0483] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
May 5 10:20:56 localhost NetworkManager[668]: <info> [1493994056.0488] device (tun0): Activation: starting connection 'tun0' (fbb893b4-0adc-45f0-959b-c5335238929b)
May 5 10:20:56 localhost NetworkManager[668]: <info> [1493994056.0490] device (tun0): state change: disconnected -> prepare (reason 'none') [30 40 0]
May 5 10:20:56 localhost NetworkManager[668]: <info> [1493994056.0493] device (tun0): state change: prepare -> config (reason 'none') [40 50 0]
May 5 10:20:56 localhost NetworkManager[668]: <info> [1493994056.0494] device (tun0): state change: config -> ip-config (reason 'none') [50 70 0]
May 5 10:20:56 localhost NetworkManager[668]: <info> [1493994056.0497] device (tun0): state change: ip-config -> ip-check (reason 'none') [70 80 0]
May 5 10:20:56 localhost NetworkManager[668]: <info> [1493994056.0498] device (tun0): state change: ip-check -> secondaries (reason 'none') [80 90 0]
May 5 10:20:56 localhost NetworkManager[668]: <info> [1493994056.0499] device (tun0): state change: secondaries -> activated (reason 'none') [90 100 0]
May 5 10:20:56 localhost NetworkManager[668]: <info> [1493994056.0564] device (tun0): Activation: successful, device activated.
May 5 10:20:56 localhost dbus[613]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
May 5 10:20:56 localhost systemd: Starting Network Manager Script Dispatcher Service...
May 5 10:20:56 localhost dbus-daemon: dbus[613]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
May 5 10:20:56 localhost dbus[613]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
May 5 10:20:56 localhost dbus-daemon: dbus[613]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
May 5 10:20:56 localhost systemd: Started Network Manager Script Dispatcher Service.
May 5 10:20:56 localhost nm-dispatcher: req:1 'up' [tun0]: new request (3 scripts)
May 5 10:20:56 localhost nm-dispatcher: req:1 'up' [tun0]: start running ordered scripts...

[root@localhost ~]# cat /etc/openvpn/openvpn.log
Fri May 5 10:20:55 2017 OpenVPN 2.4.1 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 3 2017
Fri May 5 10:20:55 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Fri May 5 10:20:56 2017 Diffie-Hellman initialized with 2048 bit key
Fri May 5 10:20:56 2017 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Fri May 5 10:20:56 2017 ECDH curve secp384r1 added
Fri May 5 10:20:56 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 5 10:20:56 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 5 10:20:56 2017 ROUTE: default_gateway=UNDEF
Fri May 5 10:20:56 2017 TUN/TAP device tun0 opened
Fri May 5 10:20:56 2017 TUN/TAP TX queue length set to 100
Fri May 5 10:20:56 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri May 5 10:20:56 2017 /sbin/ip link set dev tun0 up mtu 1500
Fri May 5 10:20:56 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Fri May 5 10:20:56 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Fri May 5 10:20:56 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri May 5 10:20:56 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri May 5 10:20:56 2017 Listening for incoming TCP connection on [AF_INET][undef]:1194
Fri May 5 10:20:56 2017 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Fri May 5 10:20:56 2017 TCPv4_SERVER link remote: [AF_UNSPEC]
Fri May 5 10:20:56 2017 GID set to nobody
Fri May 5 10:20:56 2017 UID set to nobody
Fri May 5 10:20:56 2017 MULTI: multi_init called, r=256 v=256
Fri May 5 10:20:56 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Fri May 5 10:20:56 2017 ifconfig_pool_read(), in='client1,10.8.0.4', TODO: IPv6
Fri May 5 10:20:56 2017 succeeded -> ifconfig_pool_set()
Fri May 5 10:20:56 2017 IFCONFIG POOL LIST
Fri May 5 10:20:56 2017 client1,10.8.0.4
Fri May 5 10:20:56 2017 MULTI: TCP INIT maxclients=1024 maxevents=1028
Fri May 5 10:20:56 2017 Initialization Sequence Completed

When in enforced mode:
[root@localhost ~]# tail -f /var/log/audit/audit.log
type=SERVICE_START msg=audit(1493994492.959:325): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=openvpn@server comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1493994492.965:326): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=openvpn@server comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

[root@localhost ~]# tail -f /var/log/messages
May 5 10:29:15 localhost systemd: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
May 5 10:29:15 localhost systemd: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
May 5 10:29:15 localhost systemd: openvpn@server.service: main process exited, code=exited, status=1/FAILURE
May 5 10:29:15 localhost systemd: Unit openvpn@server.service entered failed state.
May 5 10:29:15 localhost systemd: openvpn@server.service failed.

[root@localhost ~]# cat /etc/openvpn/openvpn.log
Fri May 5 10:29:15 2017 OpenVPN 2.4.1 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 3 2017
Fri May 5 10:29:15 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Fri May 5 10:29:15 2017 Diffie-Hellman initialized with 2048 bit key
Fri May 5 10:29:15 2017 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Fri May 5 10:29:15 2017 ECDH curve secp384r1 added
Fri May 5 10:29:15 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 5 10:29:15 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 5 10:29:15 2017 ROUTE: default_gateway=UNDEF
Fri May 5 10:29:15 2017 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Fri May 5 10:29:15 2017 Exiting due to fatal error

Hmmmm,...

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by TrevorH » 2017/05/05 16:09:41

Try disabling the dontaudit rules using semodule -DB then run in permissive again and see if anything new shows up. To revert, use semodule -B

john_u
Posts: 6
Joined: 2017/05/04 20:12:38

Re: OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by john_u » 2017/05/05 19:19:19

Yup,.. that brings up AVC errors again:

[root@localhost ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1494010944.336:306): avc: denied { rlimitinh } for pid=2812 comm="systemd-tty-ask" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:systemd_passwd_agent_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1494010944.336:306): avc: denied { siginh } for pid=2812 comm="systemd-tty-ask" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:systemd_passwd_agent_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1494010944.336:306): avc: denied { noatsecure } for pid=2812 comm="systemd-tty-ask" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:systemd_passwd_agent_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1494010944.336:306): arch=c000003e syscall=59 success=yes exit=0 a0=7f68300a99a8 a1=7ffd1f00ec60 a2=7ffd1f00f2d8 a3=7ffd1f00ee30 items=0 ppid=2811 pid=2812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="systemd-tty-ask" exe="/usr/bin/systemd-tty-ask-password-agent" subj=root:sysadm_r:systemd_passwd_agent_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1494010944.378:307): avc: denied { rlimitinh } for pid=2817 comm="openvpn" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:openvpn_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1494010944.378:307): avc: denied { noatsecure } for pid=2817 comm="openvpn" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:openvpn_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1494010944.378:307): arch=c000003e syscall=59 success=yes exit=0 a0=7f441d108da0 a1=7f441d1191b0 a2=7f441d1190f0 a3=2 items=0 ppid=1 pid=2817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0-s15:c0.c1023 key=(null)
type=SERVICE_START msg=audit(1494010944.486:308): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=openvpn@server comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1494010944.662:309): avc: denied { rlimitinh } for pid=2833 comm="nm-dispatcher" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1494010944.662:309): avc: denied { noatsecure } for pid=2833 comm="nm-dispatcher" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1494010944.662:309): arch=c000003e syscall=59 success=yes exit=0 a0=7f441d05c320 a1=7f441d0a8260 a2=7f441d0ef340 a3=ffffffe0 items=0 ppid=1 pid=2833 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-dispatcher" exe="/usr/libexec/nm-dispatcher" subj=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 key=(null)
type=SERVICE_START msg=audit(1494010944.742:310): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1494010944.744:311): avc: denied { rlimitinh } for pid=2836 comm="00-netreport" scontext=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1494010944.744:311): avc: denied { siginh } for pid=2836 comm="00-netreport" scontext=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1494010944.744:311): avc: denied { noatsecure } for pid=2836 comm="00-netreport" scontext=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1494010944.744:311): arch=c000003e syscall=59 success=yes exit=0 a0=7f6dae448680 a1=7ffc7644c310 a2=7f6dae4489f0 a3=7ffc7644bda0 items=0 ppid=2833 pid=2836 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="00-netreport" exe="/usr/bin/bash" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1494010944.904:312): avc: denied { rlimitinh } for pid=2847 comm="chrony-helper" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chronyd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1494010944.904:312): avc: denied { noatsecure } for pid=2847 comm="chrony-helper" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chronyd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1494010944.904:312): arch=c000003e syscall=59 success=yes exit=0 a0=a54ce0 a1=a55f90 a2=a529a0 a3=7ffc5ec3caa0 items=0 ppid=2841 pid=2847 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chrony-helper" exe="/usr/bin/bash" subj=system_u:system_r:chronyd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1494010944.978:313): avc: denied { rlimitinh } for pid=2849 comm="ip" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1494010944.978:313): avc: denied { noatsecure } for pid=2849 comm="ip" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:ifconfig_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1494010944.978:313): arch=c000003e syscall=59 success=yes exit=0 a0=1157fe0 a1=1156610 a2=1158d70 a3=7ffcd3e68530 items=0 ppid=2848 pid=2849 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1494010954.632:314): avc: denied { getattr } for pid=2863 comm="rpm" path="/etc/selinux/targeted/active" dev="dm-0" ino=44613 scontext=system_u:system_r:setroubleshootd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1494010954.632:314): arch=c000003e syscall=4 success=yes exit=0 a0=13ea553 a1=7fff07adf4d0 a2=7fff07adf4d0 a3=13fa500 items=0 ppid=2819 pid=2863 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="rpm" exe="/usr/bin/rpm" subj=system_u:system_r:setroubleshootd_t:s0-s15:c0.c1023 key=(null)
type=SERVICE_STOP msg=audit(1494010955.102:315): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1494010961.335:316): avc: denied { rlimitinh } for pid=2898 comm="systemd-tty-ask" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:systemd_passwd_agent_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1494010961.335:316): avc: denied { siginh } for pid=2898 comm="systemd-tty-ask" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:systemd_passwd_agent_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1494010961.335:316): avc: denied { noatsecure } for pid=2898 comm="systemd-tty-ask" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:systemd_passwd_agent_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1494010961.335:316): arch=c000003e syscall=59 success=yes exit=0 a0=7f5d774339a8 a1=7ffedba6a440 a2=7ffedba6aab8 a3=7ffedba6a610 items=0 ppid=2897 pid=2898 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="systemd-tty-ask" exe="/usr/bin/systemd-tty-ask-password-agent" subj=root:sysadm_r:systemd_passwd_agent_t:s0-s15:c0.c1023 key=(null)


[root@localhost ~]# tail -f /var/log/messages
May 5 15:02:24 localhost systemd: Created slice system-openvpn.slice.
May 5 15:02:24 localhost systemd: Starting system-openvpn.slice.
May 5 15:02:24 localhost systemd: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
May 5 15:02:24 localhost dbus[623]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
May 5 15:02:24 localhost dbus-daemon: dbus[623]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
May 5 15:02:24 localhost systemd: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
May 5 15:02:24 localhost kernel: tun: Universal TUN/TAP device driver, 1.6
May 5 15:02:24 localhost kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
May 5 15:02:24 localhost NetworkManager[672]: <info> [1494010944.5822] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/2)
May 5 15:02:24 localhost NetworkManager[672]: <info> [1494010944.6194] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
May 5 15:02:24 localhost NetworkManager[672]: <info> [1494010944.6209] keyfile: add connection in-memory (71409f2d-5463-45ba-82ff-03439cddf393,"tun0")
May 5 15:02:24 localhost NetworkManager[672]: <info> [1494010944.6214] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
May 5 15:02:24 localhost NetworkManager[672]: <info> [1494010944.6220] device (tun0): Activation: starting connection 'tun0' (71409f2d-5463-45ba-82ff-03439cddf393)
May 5 15:02:24 localhost NetworkManager[672]: <info> [1494010944.6223] device (tun0): state change: disconnected -> prepare (reason 'none') [30 40 0]
May 5 15:02:24 localhost NetworkManager[672]: <info> [1494010944.6224] device (tun0): state change: prepare -> config (reason 'none') [40 50 0]
May 5 15:02:24 localhost NetworkManager[672]: <info> [1494010944.6226] device (tun0): state change: config -> ip-config (reason 'none') [50 70 0]
May 5 15:02:24 localhost NetworkManager[672]: <info> [1494010944.6228] device (tun0): state change: ip-config -> ip-check (reason 'none') [70 80 0]
May 5 15:02:24 localhost NetworkManager[672]: <info> [1494010944.6230] device (tun0): state change: ip-check -> secondaries (reason 'none') [80 90 0]
May 5 15:02:24 localhost NetworkManager[672]: <info> [1494010944.6231] device (tun0): state change: secondaries -> activated (reason 'none') [90 100 0]
May 5 15:02:24 localhost NetworkManager[672]: <info> [1494010944.6381] device (tun0): Activation: successful, device activated.
May 5 15:02:24 localhost dbus[623]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
May 5 15:02:24 localhost dbus-daemon: dbus[623]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
May 5 15:02:24 localhost systemd: Starting Network Manager Script Dispatcher Service...
May 5 15:02:24 localhost dbus[623]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
May 5 15:02:24 localhost dbus-daemon: dbus[623]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
May 5 15:02:24 localhost nm-dispatcher: req:1 'up' [tun0]: new request (3 scripts)
May 5 15:02:24 localhost nm-dispatcher: req:1 'up' [tun0]: start running ordered scripts...
May 5 15:02:24 localhost systemd: Started Network Manager Script Dispatcher Service.
May 5 15:02:25 localhost dbus[623]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
May 5 15:02:25 localhost dbus-daemon: dbus[623]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
May 5 15:02:33 localhost setroubleshoot: SELinux is preventing /usr/bin/systemd-tty-ask-password-agent from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l 760f6a54-8da7-4ffd-8979-f29eb896bd55
May 5 15:02:33 localhost python: SELinux is preventing /usr/bin/systemd-tty-ask-password-agent from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that systemd-tty-ask-password-agent should be allowed rlimitinh access on processes labeled systemd_passwd_agent_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'systemd-tty-ask' --raw | audit2allow -M my-systemdttyask#012# semodule -i my-systemdttyask.pp#012
May 5 15:02:33 localhost setroubleshoot: SELinux is preventing /usr/bin/systemd-tty-ask-password-agent from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l 760f6a54-8da7-4ffd-8979-f29eb896bd55
May 5 15:02:33 localhost python: SELinux is preventing /usr/bin/systemd-tty-ask-password-agent from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that systemd-tty-ask-password-agent should be allowed rlimitinh access on processes labeled systemd_passwd_agent_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'systemd-tty-ask' --raw | audit2allow -M my-systemdttyask#012# semodule -i my-systemdttyask.pp#012
May 5 15:02:34 localhost setroubleshoot: SELinux is preventing /usr/bin/systemd-tty-ask-password-agent from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l 760f6a54-8da7-4ffd-8979-f29eb896bd55
May 5 15:02:34 localhost python: SELinux is preventing /usr/bin/systemd-tty-ask-password-agent from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that systemd-tty-ask-password-agent should be allowed rlimitinh access on processes labeled systemd_passwd_agent_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'systemd-tty-ask' --raw | audit2allow -M my-systemdttyask#012# semodule -i my-systemdttyask.pp#012
May 5 15:02:34 localhost setroubleshoot: SELinux is preventing /usr/sbin/openvpn from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l 3d1e9230-d6a4-4530-9fca-d248eaeae8b4
May 5 15:02:34 localhost python: SELinux is preventing /usr/sbin/openvpn from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that openvpn should be allowed rlimitinh access on processes labeled openvpn_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn#012# semodule -i my-openvpn.pp#012
May 5 15:02:34 localhost setroubleshoot: SELinux is preventing /usr/sbin/openvpn from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l 3d1e9230-d6a4-4530-9fca-d248eaeae8b4
May 5 15:02:34 localhost python: SELinux is preventing /usr/sbin/openvpn from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that openvpn should be allowed rlimitinh access on processes labeled openvpn_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn#012# semodule -i my-openvpn.pp#012
May 5 15:02:35 localhost setroubleshoot: SELinux is preventing /usr/sbin/NetworkManager from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l e76979d2-9ee5-49de-b366-8ba43e210cf5
May 5 15:02:35 localhost python: SELinux is preventing /usr/sbin/NetworkManager from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that NetworkManager should be allowed rlimitinh access on processes labeled NetworkManager_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'NetworkManager' --raw | audit2allow -M my-NetworkManager#012# semodule -i my-NetworkManager.pp#012
May 5 15:02:35 localhost setroubleshoot: SELinux is preventing /usr/sbin/NetworkManager from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l e76979d2-9ee5-49de-b366-8ba43e210cf5
May 5 15:02:35 localhost python: SELinux is preventing /usr/sbin/NetworkManager from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that NetworkManager should be allowed rlimitinh access on processes labeled NetworkManager_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'NetworkManager' --raw | audit2allow -M my-NetworkManager#012# semodule -i my-NetworkManager.pp#012
May 5 15:02:35 localhost sedispatch: AVC Message for setroubleshoot, dropping message
May 5 15:02:35 localhost setroubleshoot: SELinux is preventing /usr/bin/bash from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l f6bc5de7-856c-4e48-9b81-4155bfbafe1b
May 5 15:02:35 localhost python: SELinux is preventing /usr/bin/bash from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that bash should be allowed rlimitinh access on processes labeled initrc_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c '00-netreport' --raw | audit2allow -M my-00netreport#012# semodule -i my-00netreport.pp#012
May 5 15:02:35 localhost setroubleshoot: SELinux is preventing /usr/bin/bash from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l f6bc5de7-856c-4e48-9b81-4155bfbafe1b
May 5 15:02:35 localhost python: SELinux is preventing /usr/bin/bash from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that bash should be allowed rlimitinh access on processes labeled initrc_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c '00-netreport' --raw | audit2allow -M my-00netreport#012# semodule -i my-00netreport.pp#012
May 5 15:02:35 localhost setroubleshoot: SELinux is preventing /usr/bin/bash from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l f6bc5de7-856c-4e48-9b81-4155bfbafe1b
May 5 15:02:35 localhost python: SELinux is preventing /usr/bin/bash from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that bash should be allowed rlimitinh access on processes labeled initrc_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c '00-netreport' --raw | audit2allow -M my-00netreport#012# semodule -i my-00netreport.pp#012
May 5 15:02:35 localhost setroubleshoot: SELinux is preventing /usr/bin/bash from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l 0166b20f-d128-4890-a66f-f4d9bdc64231
May 5 15:02:35 localhost python: SELinux is preventing /usr/bin/bash from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that bash should be allowed rlimitinh access on processes labeled chronyd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'chrony-helper' --raw | audit2allow -M my-chronyhelper#012# semodule -i my-chronyhelper.pp#012
May 5 15:02:35 localhost setroubleshoot: SELinux is preventing /usr/bin/bash from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l 0166b20f-d128-4890-a66f-f4d9bdc64231
May 5 15:02:35 localhost python: SELinux is preventing /usr/bin/bash from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that bash should be allowed rlimitinh access on processes labeled chronyd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'chrony-helper' --raw | audit2allow -M my-chronyhelper#012# semodule -i my-chronyhelper.pp#012
May 5 15:02:36 localhost setroubleshoot: SELinux is preventing /usr/sbin/ip from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l fdf8477d-2382-4abf-8eb3-d3002ab9a0ad
May 5 15:02:36 localhost python: SELinux is preventing /usr/sbin/ip from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that ip should be allowed rlimitinh access on processes labeled ifconfig_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ip' --raw | audit2allow -M my-ip#012# semodule -i my-ip.pp#012
May 5 15:02:36 localhost setroubleshoot: SELinux is preventing /usr/sbin/ip from using the rlimitinh access on a process. For complete SELinux messages. run sealert -l fdf8477d-2382-4abf-8eb3-d3002ab9a0ad
May 5 15:02:36 localhost python: SELinux is preventing /usr/sbin/ip from using the rlimitinh access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that ip should be allowed rlimitinh access on processes labeled ifconfig_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ip' --raw | audit2allow -M my-ip#012# semodule -i my-ip.pp#012

john_u
Posts: 6
Joined: 2017/05/04 20:12:38

Re: OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by john_u » 2017/05/06 04:36:15

Apparently there is a bug in this CentOS version of audit2allow. In order to get rid of errors such as:
libsepol.sepol_string_to_security_class: unrecognized class process
libsepol.sepol_string_to_security_class: unrecognized class fifo_file
libsepol.sepol_string_to_security_class: unrecognized class unix_stream_socket

I had to modify /usr/lib64/python2.7/site-packages/sepolgen/audit.py. Adding the line in bold below:

    def __parse_line(self, line):
        rec = line.split()
        # the added line: strip the audit record separator bytes from every token
        rec = [x.strip("\x1c\x1d\x1e\x85") for x in line.split()]
        for i in rec:
            found = False
            if i == "avc:" o

Before adding that line:
[root@localhost ~]# ausearch -c 'dmesg' --raw | audit2allow -M my-dmesg
libsepol.sepol_string_to_security_class: unrecognized class process
libsepol.sepol_string_to_security_class: unrecognized class process
libsepol.sepol_string_to_security_class: unrecognized class process
libsepol.sepol_string_to_security_class: unrecognized class fifo_file
libsepol.sepol_string_to_security_class: unrecognized class unix_stream_socket
libsepol.sepol_string_to_security_class: unrecognized class process
libsepol.sepol_string_to_security_class: unrecognized class process
libsepol.sepol_string_to_security_class: unrecognized class file
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-dmesg.pp

After adding the line to the python code:
[root@localhost ~]# ausearch -c 'dmesg' --raw | audit2allow -M my-dmesg
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-dmesg.pp

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1406328
Code change reference: https://marc.info/?l=selinux&m=148768820128446&w=2

Not sure how many of my policies had this issue... so will start all over again deleting the old ones.
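As an added illustration (not code from the thread or from sepolgen) of why the "unrecognized class" errors appear and what the one-line strip() fix does: ausearch --raw records can carry ASCII separator bytes (\x1c, \x1d, \x1e, \x85) attached to the last field, and Python 2's str.split() does not treat them as whitespace, so the class name is looked up with the separator still glued on. The sample record and the class table below are constructed.

```python
# Added example, not from the thread or from sepolgen. Tokens are handled as
# bytes, which matches Python 2's str (what the CentOS 7 audit2allow used):
# bytes.split() only splits on ASCII whitespace, so a separator byte such as
# \x1d stays glued to the last token, e.g. b"tclass=process\x1d".
SEPARATORS = b"\x1c\x1d\x1e\x85"

# Constructed sample in the shape of an ausearch --raw AVC record (not a real capture).
RAW_LINE = (b'type=AVC msg=audit(1493994154.123:456): avc:  denied  { rlimitinh }  for '
            b'pid=2345 comm="openvpn" scontext=system_u:system_r:initrc_t:s0 '
            b'tcontext=system_u:system_r:openvpn_t:s0 tclass=process\x1d')

# Small stand-in for the classes libsepol knows; a lookup miss is what printed
# "unrecognized class ...".
KNOWN_CLASSES = {"process", "file", "fifo_file", "unix_stream_socket"}


def tokenize_naive(line):
    """Pre-fix behaviour: rec = line.split(), separators stay attached."""
    return line.split()


def tokenize_fixed(line):
    """The fix from bug 1406328: strip the separator bytes from every token."""
    return [x.strip(SEPARATORS) for x in line.split()]


def parse_avc(tokens):
    """Extract the fields audit2allow needs from a tokenized AVC record."""
    rec = {"perms": []}
    in_perms = False
    for tok in tokens:
        if tok == b"{":
            in_perms = True
        elif tok == b"}":
            in_perms = False
        elif in_perms:
            rec["perms"].append(tok.decode())
        elif b"=" in tok:
            key, _, value = tok.partition(b"=")
            if key in (b"scontext", b"tcontext", b"tclass", b"comm"):
                rec[key.decode()] = value.strip(b'"').decode("utf-8", "replace")
    return rec


def class_is_known(rec):
    """Mimics the class lookup: True only if tclass exactly names a known class."""
    return rec.get("tclass") in KNOWN_CLASSES


if __name__ == "__main__":
    for name, tok in (("naive", tokenize_naive), ("fixed", tokenize_fixed)):
        rec = parse_avc(tok(RAW_LINE))
        print(name, repr(rec["tclass"]), "known" if class_is_known(rec) else "UNRECOGNIZED")
```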

Post Reply