OpenVPN fails to create TUN device when configured for MLS on CentOS

john_u
OpenVpn Newbie
Posts: 3
Joined: Thu May 04, 2017 6:42 pm

OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by john_u » Thu May 04, 2017 6:49 pm

Hi all,

Thanks for your advice in advance.

I am using CentOS 7.3.166 configured with MLS security policy set to enforced. I have already confirmed that the OpenVPN server works in permissive mode for both targeted and MLS policies and works in enforced mode for targeted.

When set to the MLS security policy in enforced mode, I get the following debug output:
Thu May 4 13:36:14 2017 OpenVPN 2.4.1 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 3 2017
Thu May 4 13:36:14 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Thu May 4 13:36:14 2017 Diffie-Hellman initialized with 2048 bit key
Thu May 4 13:36:14 2017 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Thu May 4 13:36:14 2017 ECDH curve secp384r1 added
Thu May 4 13:36:14 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 4 13:36:14 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 4 13:36:14 2017 ROUTE: default_gateway=UNDEF
Thu May 4 13:36:14 2017 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Thu May 4 13:36:14 2017 Exiting due to fatal error

If I have previously run the system in permissive mode, /dev/net/tun exists and OpenVPN can't access it. If the system is rebooted in enforced mode, net/tun never gets created.

Does anyone have any idea why this might be happening?

Thanks,

John

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by TiTex » Thu May 04, 2017 7:44 pm

I think nobody here can help you, better start https://www.nsa.gov/what-we-do/research ... mentation/
and/or redhat/centos support.

john_u
OpenVpn Newbie
Posts: 3
Joined: Thu May 04, 2017 6:42 pm

Re: OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by john_u » Thu May 04, 2017 8:20 pm

Thanks! I'm trying CentOS forum as well. The nsa site hasn't been updated since 2008. Still hoping someone might know something. :)

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by TiTex » Fri May 05, 2017 9:29 am

john_u wrote: Thanks! I'm trying CentOS forum as well. The nsa site hasn't been updated since 2008. Still hoping someone might know something. :)
It hasn't been updated because it's still relevant, it's just that selinux is used mostly on RHEL based distros and the documentation is not very user friendly when it comes to creating custom policy modules, and even less so when doing MLS, where you will need to set up selinux users, selinux roles, selinux access categories, which I don't think you can do in a few days.

john_u
OpenVpn Newbie
Posts: 3
Joined: Thu May 04, 2017 6:42 pm

Re: OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by john_u » Fri May 05, 2017 2:12 pm

Rgr... I've already spent the last 1.5 weeks doing a deep dive in running tutorials on the selinux MLS users and roles. The issue seems to be related to creating policies allowing the process to run correctly, using sealert -a /var/log/messages to identify them, etc. I've been doing that and have limited the number of alerts but haven't found fixes for the last couple.
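
The step john_u describes, going through the logged denials to see which accesses the policy still refuses, can be done on raw audit lines before reaching for sealert or audit2allow. The script below is an added example and is not from the thread or from OpenVPN: it folds SELinux AVC denials from an audit log into one line per (source context, target context, object class) with the union of denied permissions, so the remaining gaps are visible at a glance. The audit lines are constructed for the example; the type names openvpn_t and tun_tap_device_t follow the SELinux reference policy, and the MLS ranges on the target labels (s15:c0.c1023) are assumed values chosen to show the kind of level mismatch that surfaces only under the MLS policy.

```shell
#!/bin/sh
# Fold SELinux AVC denials into one summary line per
# "scontext tcontext tclass { perms }", preserving first-seen order.
summarize_avc() {
    awk '
    /avc:[ ]+denied/ {
        s = $0
        # denied permissions sit between "{ " and " }"
        start = index(s, "{"); end = index(s, "}")
        perms = substr(s, start + 1, end - start - 1)
        gsub(/^[ \t]+|[ \t]+$/, "", perms)
        sc = ""; tc = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      sc  = substr($i, 10)
            else if ($i ~ /^tcontext=/) tc  = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        key = sc " " tc " " cls
        # union of permissions per key, without duplicates
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "" ? p[j] : (seen[key] " " p[j]))
        }
        if (!(key in order)) { order[key] = ++count; keys[count] = key }
    }
    END {
        for (k = 1; k <= count; k++) print keys[k] " { " seen[keys[k]] " }"
    }'
}

# Constructed sample audit records (hypothetical pids, inodes and MLS ranges).
# The SYSCALL record is included to show that non-AVC lines are ignored.
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1493921774.100:101): avc:  denied  { read write } for  pid=2201 comm="openvpn" name="tun" dev="devtmpfs" ino=1104 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s15:c0.c1023 tclass=chr_file permissive=0
type=AVC msg=audit(1493921774.100:102): avc:  denied  { open } for  pid=2201 comm="openvpn" path="/dev/net/tun" dev="devtmpfs" ino=1104 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s15:c0.c1023 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1493921774.100:102): arch=c000003e syscall=2 success=no exit=-13 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1493921775.300:103): avc:  denied  { create } for  pid=2201 comm="openvpn" name="tun" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:device_t:s15:c0.c1023 tclass=chr_file permissive=0
EOF
}

# Usage on a real system: summarize_avc < /var/log/audit/audit.log
sample_audit | summarize_avc
```

On the constructed input this prints two lines: openvpn_t denied read, write and open on the tun_tap_device_t character device, and denied create on a device_t node. Reading the summary that way tells you whether the missing access is a type-level gap (a rule audit2allow would generate) or, as the differing sensitivity levels in the labels suggest here, an MLS level mismatch that no plain allow rule will fix and that has to be addressed with the right user, role and range assignments instead.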

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: OpenVPN fails to create TUN device when configured for MLS on CentOS

Post by TiTex » Fri May 05, 2017 2:37 pm

This is now totally off topic; I wonder why you would need such security restriction granularity as selinux MLS provides :)
Or is it just for fun?
