selinux blocks openvpn-auth-pam.so plugin

Posted: Mon Oct 24, 2011 2:57 am
by ybk
# grep -vE '^#|^;|^$' /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/my.name.server.crt
key keys/my.name.server.key # This file should be kept secret
dh keys/dh1024.pem
server 192.168.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name

Selinux preventing openvpn-auth-pam.so plugin utilization:
Summary:
SELinux is preventing openvpn (openvpn_t) "read" to ./shadow (shadow_t).
Raw Audit Message:
host=xxxxxxx type=AVC msg=audit(1319419213.705:19304): avc: denied { read } for pid=23686 comm="openvpn" name="shadow" dev=/dev/sda1 ino=1777827 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

I tried to generate a local policy using audit2allow:
module openvpnReadShadow 1.0;

require {
type openvpn_t;
type shadow_t;
class file read;
}

#============= openvpn_t ==============
allow openvpn_t shadow_t:file read;

However, enabling the module fails:

# semodule -i openvpnReadShadow.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow openvpn_t shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

This is a RHEL v5-like system. Disabling selinux is not an option. Please advise.

Re: selinux blocks openvpn-auth-pam.so plugin

Posted: Mon Oct 24, 2011 5:35 am
by Mimiko
Usually selinux is disabled as it brings a lot of problems, like UAC in Windows. If you want to stick with it, ask on RHEL for support on configuring/fixing selinux to not block OpenVPN.

Re: selinux blocks openvpn-auth-pam.so plugin

Posted: Mon Oct 24, 2011 6:48 am
by janjust
The openvpn pam plugin talks to pam using its own pam config file (usually /etc/pam.d/openvpn); try adding the pam module

auth  optional  pam_selinux.so

Don't know if that will work, but it's worth a shot ...

Re: selinux blocks openvpn-auth-pam.so plugin

Posted: Mon Oct 24, 2011 9:32 pm
by ybk
janjust: Thanks for the suggestion. Looks like the PAM module makes no difference.
Mimiko: Please stop bashing selinux since its benefits greatly outweigh its problems. An OpenVPN server is almost always expected to be very secure, and that is virtually impossible to achieve without selinux.

I'll keep looking at selinux docs to resolve this....

Re: selinux blocks openvpn-auth-pam.so plugin

Posted: Wed Oct 26, 2011 12:52 pm
by janjust
I normally disable selinux straightaway as well ;)

I re-enabled selinux on my Fedora 14 laptop, set up OpenVPN 2.1.1 with the auth-pam plugin, and am using this PAM file:

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so

selinux is in restrictive mode and yet openvpn still works - so it IS possible to get this working, I simply have not been able to test it on a CentOS 5 box, as on all of those selinux is disabled ;-)

Re: selinux blocks openvpn-auth-pam.so plugin

Posted: Wed Oct 26, 2011 6:29 pm
by ybk
Fedora 14 is about the same as the system I am using. In your previous message you mentioned /etc/pam.d/openvpn (which is not a part of any package). Should the contents you listed be placed in this file? If the file is needed, why is /etc/pam.d/openvpn not included with the openvpn rpm package?
Please provide the output of
grep openvpn-auth-pam.so server.conf
on your working box.

Re: selinux blocks openvpn-auth-pam.so plugin

Posted: Wed Oct 26, 2011 9:27 pm
by janjust
It's an example from my book:

plugin /etc/openvpn/cookbook/openvpn-auth-pam.so "login login USERNAME password PASSWORD"

In this example I'm re-using the 'login' pam file, which is present as /etc/pam.d/login

The openvpn RPM should not include this by default, as the pam plugin is not part of the RPM, IIRC.

Re: selinux blocks openvpn-auth-pam.so plugin

Posted: Thu Oct 27, 2011 5:43 pm
by ybk
Janjust:
1. I confirmed that my config file (posted at the beginning of this topic) is correct.
Client connects just fine if selinux is disabled by
setenforce 0

Are you sure that your selinux is enabled and is in enforcing mode?
# getenforce
Enforcing
#

2. OpenVPN PAM plugin is a part of OpenVPN RPM:
# rpm -qf `locate openvpn-auth-pam.so`
openvpn-2.1.4-1.el5

Re: selinux blocks openvpn-auth-pam.so plugin

Posted: Fri Oct 28, 2011 10:36 am
by janjust
just tried it on a CentOS 5 box with OpenVPN 2.2.0 installed:

# getenforce
Enforcing

# rpm -q openvpn
openvpn-2.2.0-3.el5.rf

# grep auth-pam example6-10-server.conf 
plugin /etc/openvpn/cookbook/openvpn-auth-pam.so "login login USERNAME password PASSWORD"

# cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open

# openvpn --config example6-10-server.conf --verb 5
....
WRWRWRWRWRWRWRAUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: janjust
AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Fri Oct 28 12:33:03 2011 us=809991 194.171.97.194:47911 PLUGIN_CALL: POST /etc/openvpn/cookbook/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Fri Oct 28 12:33:03 2011 us=810037 194.171.97.194:47911 TLS: Username/Password authentication succeeded for username 'janjust' 

Perhaps you can try upgrading to 2.2.0?

Edit: Just tried it with the openvpn-auth-pam.so module from the RPM itself

/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so

and that also works

Re: selinux blocks openvpn-auth-pam.so plugin

Posted: Fri Oct 28, 2011 5:23 pm
by ybk
What is selinux-policy version on your CentOS 5?

# rpm -q selinux-policy
selinux-policy-2.4.6-316.el5

I am using the Red Hat-supplied openvpn, not the latest one from RPMforge; I don't know if your openvpn comes with an additional selinux module though.

# rpm -q openvpn
openvpn-2.1.4-1.el5

Fedora 15 latest still uses 2.1.4:

# rpm -q openvpn
openvpn-2.1.4-1.fc15.i686

Is there an openvpn module in the CentOS 5 policy?

# semodule -l | grep open
#

In Fedora 15 there is a module:

# semodule -l | grep openvpn
openvpn	1.10.0

But looking at the policy source I can't find additional permissions.

In any event I managed to craft a module to allow openvpn to read the shadow file (although Dan Walsh says here: http://danwalsh.livejournal.com/12333.html?view=290349 that unix_passwd should take care of it, which does not appear to be true in my case - openvpn_t still wants to read shadow_t).

# cat openvpnReadShadow.te 

module openvpnReadShadow 1.0;

require {
        attribute can_read_shadow_passwords;
        type openvpn_t;
        type shadow_t;
#       type initrc_var_run_t;
#       type chkpwd_exec_t;
        class file { read getattr lock execute execute_no_trans };
        class netlink_audit_socket { create write nlmsg_relay read };
        class capability audit_write;
}

#============= openvpn_t ==============
typeattribute openvpn_t can_read_shadow_passwords;
#allow openvpn_t chkpwd_exec_t:file { read execute execute_no_trans };
#allow openvpn_t initrc_var_run_t:file { read lock };
allow openvpn_t shadow_t:file { read getattr };
allow openvpn_t self:netlink_audit_socket { create write nlmsg_relay read };
allow openvpn_t self:capability audit_write;

I may try the same on a RHEL 6 derivative later to see if there is any difference.
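An added example, not code from the thread: a small Python sketch of the translation audit2allow performs on AVC denials like the one pasted at the top of this topic, extended with the step the plain audit2allow output missed here. A read of shadow_t is only accepted together with the can_read_shadow_passwords attribute (as in ybk's final module), because a bare allow trips the policy's neverallow assertion shown earlier; the second sample log line is constructed, not a real capture.

```python
import re
from collections import defaultdict

# Regex for the AVC denial format seen in the thread (audit.log / sealert output).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """user:role:type[:level] -> type, e.g. root:system_r:openvpn_t:s0 -> openvpn_t."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (context_type(m.group("scon")), context_type(m.group("tcon")),
            m.group("tclass"), m.group("perms").split())

def avc_to_rules(lines):
    """Aggregate denials into allow rules the way audit2allow does, plus one twist:
    a shadow_t target first gets the can_read_shadow_passwords typeattribute, because
    a plain allow on shadow_t violates the policy's neverallow assertion."""
    perms = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, p = parsed
            perms[(stype, ttype, tclass)].update(p)
    rules = []
    for (stype, ttype, tclass), p in sorted(perms.items()):
        if ttype == "shadow_t":
            rules.append("typeattribute %s can_read_shadow_passwords;" % stype)
        target = "self" if ttype == stype else ttype   # audit2allow writes 'self' here
        rules.append("allow %s %s:%s { %s };" % (stype, target, tclass, " ".join(sorted(p))))
    return rules

# Sample input: the denial quoted in the thread, plus a constructed netlink_audit_socket
# denial of the kind ybk's final module allows (not a real log capture), and a non-AVC line.
SAMPLE_AUDIT = [
    'host=xxxxxxx type=AVC msg=audit(1319419213.705:19304): avc: denied { read } for pid=23686 comm="openvpn" name="shadow" dev=/dev/sda1 ino=1777827 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1319419214.001:19305): avc: denied { create } for pid=23686 comm="openvpn" scontext=root:system_r:openvpn_t:s0 tcontext=root:system_r:openvpn_t:s0 tclass=netlink_audit_socket',
    'type=SYSCALL msg=audit(1319419214.001:19305): arch=40000003 syscall=102 success=no',
]

if __name__ == "__main__":
    print("\n".join(avc_to_rules(SAMPLE_AUDIT)))
```

The output is only the rule body of a .te file; it still needs a module header and the usual checkmodule / semodule_package / semodule -i steps to load.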

Re: selinux blocks openvpn-auth-pam.so plugin

Posted: Sat Oct 29, 2011 10:50 pm
by janjust
I have the same version of selinux-policy installed:

# rpm -q selinux-policy
selinux-policy-2.4.6-316.el5

I downgraded to the EPEL version of OpenVPN and reran my test: everything still works.

I do not see any openvpn selinux policy, however:

# semodule -l | grep open

Re: selinux blocks openvpn-auth-pam.so plugin

Posted: Mon Oct 31, 2011 3:24 am
by ybk
I tried RHEL6 derivative and openvpn-2.2.1-1.el6.i686 does not exhibit any selinux related problems I've been observing on my RHEL5 derivative.
Thanks for your time trying to reproduce errors. Probably not worth spending more time on this.

Re: selinux blocks openvpn-auth-pam.so plugin

Posted: Mon Oct 31, 2011 9:00 am
by janjust
Nice to hear that ...
For me it was instructive to dive into the deeper workings of selinux; here's a quick & dirty trick that might work for you on your el5-based system:

chcon --type=file_t /usr/sbin/openvpn

This will change the default security context of the openvpn executable from 'openvpn_exec_t' to 'file_t'.