From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 14 May 2013 09:59:58 -0400 Subject: [refpolicy] [PATCH 1/1] Allow openvpn temporary files In-Reply-To: <20130509195843.GA8851@siphos.be> References: <20130509195843.GA8851@siphos.be> Message-ID: <5192435E.6080400@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/09/13 15:58, Sven Vermeulen wrote: > When launching OpenVPN, it fails to start and the following error > is displayed in the openvpn.log file: > > Options error: Temporary directory (--tmp-dir) fails with '/tmp': Permission > denied > > The AVC denial shows an attempt to read/write/search in tmp_t directory. A quick > check through the code does not show any attempts to create directories, only > temporary file, so create an openvpn_tmp_t with the proper file transition > towards it. > > See also https://bugs.gentoo.org/show_bug.cgi?id=468636 Merged. > Signed-off-by: Sven Vermeulen > --- > openvpn.te | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/openvpn.te b/openvpn.te > index ad85917..ac11789 100644 > --- a/openvpn.te > +++ b/openvpn.te > @@ -32,6 +32,9 @@ init_script_file(openvpn_initrc_exec_t) > type openvpn_status_t; > logging_log_file(openvpn_status_t) > > +type openvpn_tmp_t; > +files_tmp_file(openvpn_tmp_t) > + > type openvpn_var_log_t; > logging_log_file(openvpn_var_log_t) 
> > @@ -62,6 +65,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) > allow openvpn_t openvpn_status_t:file manage_file_perms; > logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") > > +allow openvpn_t openvpn_tmp_t:file manage_file_perms; > +files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) > + > manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) > append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) > create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
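Review bot: in the second hunk (openvpn.te, around line 65), both `allow openvpn_t openvpn_tmp_t:file manage_file_perms;` and `files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)` cover the `file` class only, which rests entirely on the commit message's "quick check through the code" that OpenVPN never creates directories in its temporary directory. Any other object class created there by openvpn_t (a directory, for example) would not be covered by the type transition or by the allow rule. Suggest quoting the AVC denial itself in the commit message so the class and permissions granted can be checked against it, and adding a one-line comment above the two new rules stating that only temporary files are expected.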