1openvpn_selinux(8)          SELinux Policy openvpn          openvpn_selinux(8)
2
3
4

NAME

6       openvpn_selinux  -  Security Enhanced Linux Policy for the openvpn pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  openvpn  processes  via  flexible
11       mandatory access control.
12
13       The  openvpn processes execute with the openvpn_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep openvpn_t
20
21
22

ENTRYPOINTS

24       The  openvpn_t  SELinux type can be entered via the openvpn_exec_t file
25       type.
26
27       The default entrypoint paths for the openvpn_t domain are  the  follow‐
28       ing:
29
30       /usr/sbin/openvpn
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       openvpn  policy  is very flexible allowing users to setup their openvpn
40       processes in as secure a method as possible.
41
42       The following process types are defined for openvpn:
43
44       openvpn_unconfined_script_t, openvpn_t
45
46       Note: semanage permissive -a openvpn_t can be used to make the  process
47       type  openvpn_t  permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux policy is customizable based on least access required.  openvpn
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate  the  policy and run openvpn with the tightest access possi‐
56       ble.
57
58
59
60       If you want to allow openvpn to read home directories, you must turn on
61       the openvpn_enable_homedirs boolean. Enabled by default.
62
63       setsebool -P openvpn_enable_homedirs 1
64
65
66
67       If  you  want to allow openvpn to run unconfined scripts, you must turn
68       on the openvpn_run_unconfined boolean. Disabled by default.
69
70       setsebool -P openvpn_run_unconfined 1
71
72
73
74       If you want to allow all daemons to write corefiles to /, you must turn
75       on the allow_daemons_dump_core boolean. Disabled by default.
76
77       setsebool -P allow_daemons_dump_core 1
78
79
80
81       If  you want to allow all daemons to use tcp wrappers, you must turn on
82       the allow_daemons_use_tcp_wrapper boolean. Disabled by default.
83
84       setsebool -P allow_daemons_use_tcp_wrapper 1
85
86
87
88       If you want to allow all daemons the ability to  read/write  terminals,
89       you  must  turn  on  the  allow_daemons_use_tty  boolean.  Disabled  by
90       default.
91
92       setsebool -P allow_daemons_use_tty 1
93
94
95
96       If you want to allow all domains to use other domains file descriptors,
97       you must turn on the allow_domain_fd_use boolean. Enabled by default.
98
99       setsebool -P allow_domain_fd_use 1
100
101
102
103       If  you  want  to allow confined applications to run with kerberos, you
104       must turn on the allow_kerberos boolean. Enabled by default.
105
106       setsebool -P allow_kerberos 1
107
108
109
110       If you want to allow sysadm to debug or ptrace all processes, you  must
111       turn on the allow_ptrace boolean. Disabled by default.
112
113       setsebool -P allow_ptrace 1
114
115
116
117       If  you  want  to  allow  system  to run with NIS, you must turn on the
118       allow_ypbind boolean. Disabled by default.
119
120       setsebool -P allow_ypbind 1
121
122
123
124       If you want to enable cluster mode for daemons, you must  turn  on  the
125       daemons_enable_cluster_mode boolean. Disabled by default.
126
127       setsebool -P daemons_enable_cluster_mode 1
128
129
130
131       If  you  want to allow all domains to have the kernel load modules, you
132       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
133       default.
134
135       setsebool -P domain_kernel_load_modules 1
136
137
138
139       If you want to allow all domains to execute in fips_mode, you must turn
140       on the fips_mode boolean. Enabled by default.
141
142       setsebool -P fips_mode 1
143
144
145
146       If you want to enable reading of urandom for all domains, you must turn
147       on the global_ssp boolean. Disabled by default.
148
149       setsebool -P global_ssp 1
150
151
152
153       If you want to enable support for upstart as the init program, you must
154       turn on the init_upstart boolean. Enabled by default.
155
156       setsebool -P init_upstart 1
157
158
159
160       If you want to allow confined applications to use nscd  shared  memory,
161       you must turn on the nscd_use_shm boolean. Enabled by default.
162
163       setsebool -P nscd_use_shm 1
164
165
166
167       If  you  want  to  support  NFS  home directories, you must turn on the
168       use_nfs_home_dirs boolean. Disabled by default.
169
170       setsebool -P use_nfs_home_dirs 1
171
172
173
174       If you want to support SAMBA home directories, you  must  turn  on  the
175       use_samba_home_dirs boolean. Disabled by default.
176
177       setsebool -P use_samba_home_dirs 1
178
179
180

PORT TYPES

182       SELinux defines port types to represent TCP and UDP ports.
183
184       You  can  see  the  types associated with a port by using the following
185       command:
186
187       semanage port -l
188
189
190       Policy governs the access  confined  processes  have  to  these  ports.
191       SELinux  openvpn  policy is very flexible allowing users to setup their
192       openvpn processes in as secure a method as possible.
193
194       The following port types are defined for openvpn:
195
196
197       openvpn_port_t
198
199
200
201       Default Defined Ports:
202                 tcp 1194
203                 udp 1194
204

MANAGED FILES

206       The SELinux process type openvpn_t can manage files  labeled  with  the
207       following file types.  The paths listed are the default paths for these
208       file types.  Note the processes UID still need to have DAC permissions.
209
210       cluster_conf_t
211
212            /etc/cluster(/.*)?
213
214       cluster_var_lib_t
215
216            /var/lib(64)?/openais(/.*)?
217            /var/lib(64)?/pengine(/.*)?
218            /var/lib(64)?/corosync(/.*)?
219            /usr/lib(64)?/heartbeat(/.*)?
220            /var/lib(64)?/heartbeat(/.*)?
221            /var/lib(64)?/pacemaker(/.*)?
222            /var/lib/cluster(/.*)?
223
224       cluster_var_run_t
225
226            /var/run/crm(/.*)?
227            /var/run/cman_.*
228            /var/run/rsctmp(/.*)?
229            /var/run/aisexec.*
230            /var/run/heartbeat(/.*)?
231            /var/run/cpglockd.pid
232            /var/run/corosync.pid
233            /var/run/rgmanager.pid
234            /var/run/cluster/rgmanager.sk
235
236       faillog_t
237
238            /var/log/btmp.*
239            /var/log/faillog.*
240            /var/log/tallylog.*
241            /var/run/faillock(/.*)?
242
243       initrc_tmp_t
244
245
246       krb5_host_rcache_t
247
248            /var/cache/krb5rcache(/.*)?
249            /var/tmp/host_0
250            /var/tmp/HTTP_23
251
252       lastlog_t
253
254            /var/log/lastlog.*
255
256       mnt_t
257
258            /mnt(/[^/]*)
259            /mnt(/[^/]*)?
260            /rhev(/[^/]*)?
261            /media(/[^/]*)
262            /media(/[^/]*)?
263            /etc/rhgb(/.*)?
264            /media/.hal-.*
265            /net
266            /afs
267            /rhev
268            /misc
269
270       net_conf_t
271
272            /etc/ntpd?.conf.*
273            /etc/yp.conf.*
274            /etc/denyhosts.*
275            /etc/hosts.deny.*
276            /etc/resolv.conf.*
277            /etc/ntp/step-tickers.*
278            /etc/sysconfig/networking(/.*)?
279            /etc/sysconfig/network-scripts(/.*)?
280            /etc/sysconfig/network-scripts/.*resolv.conf
281            /etc/hosts
282            /etc/ethers
283
284       openvpn_etc_rw_t
285
286            /etc/openvpn/ipp.txt
287
288       openvpn_tmp_t
289
290
291       openvpn_var_lib_t
292
293            /var/lib/openvpn(/.*)?
294
295       openvpn_var_log_t
296
297            /var/log/openvpn.*
298
299       openvpn_var_run_t
300
301            /var/run/openvpn(/.*)?
302
303       pcscd_var_run_t
304
305            /var/run/pcscd.events(/.*)?
306            /var/run/pcscd.pid
307            /var/run/pcscd.pub
308            /var/run/pcscd.comm
309
310       root_t
311
312            /
313            /initrd
314
315       security_t
316
317
318       tmp_t
319
320            /tmp
321            /usr/tmp
322            /var/tmp
323            /tmp-inst
324            /var/tmp-inst
325            /var/tmp/vi.recover
326
327

FILE CONTEXTS

329       SELinux requires files to have an extended attribute to define the file
330       type.
331
332       You can see the context of a file using the -Z option to ls
333
334       Policy  governs  the  access  confined  processes  have to these files.
335       SELinux openvpn policy is very flexible allowing users to  setup  their
336       openvpn processes in as secure a method as possible.
337
338       STANDARD FILE CONTEXT
339
340       SELinux  defines  the file context types for the openvpn, if you wanted
341       to store files with these types in a diffent paths, you need to execute
342       the  semanage  command  to  sepecify  alternate  labeling  and then use
343       restorecon to put the labels on disk.
344
345       semanage  fcontext   -a   -t   openvpn_var_run_t   '/srv/myopenvpn_con‐
346       tent(/.*)?'
347       restorecon -R -v /srv/myopenvpn_content
348
349       Note:  SELinux  often  uses  regular expressions to specify labels that
350       match multiple files.
351
352       The following file types are defined for openvpn:
353
354
355
356       openvpn_etc_rw_t
357
358       - Set files with the openvpn_etc_rw_t type, if you want  to  treat  the
359       files as openvpn etc read/write content.
360
361
362
363       openvpn_etc_t
364
365       -  Set  files with the openvpn_etc_t type, if you want to store openvpn
366       files in the /etc directories.
367
368
369
370       openvpn_exec_t
371
372       - Set files with the openvpn_exec_t type, if you want to transition  an
373       executable to the openvpn_t domain.
374
375
376
377       openvpn_initrc_exec_t
378
379       - Set files with the openvpn_initrc_exec_t type, if you want to transi‐
380       tion an executable to the openvpn_initrc_t domain.
381
382
383
384       openvpn_tmp_t
385
386       - Set files with the openvpn_tmp_t type, if you want to  store  openvpn
387       temporary files in the /tmp directories.
388
389
390
391       openvpn_unconfined_script_exec_t
392
393       - Set files with the openvpn_unconfined_script_exec_t type, if you want
394       to transition an executable to the openvpn_unconfined_script_t domain.
395
396
397
398       openvpn_var_lib_t
399
400       - Set files with the openvpn_var_lib_t type, if you want to  store  the
401       openvpn files under the /var/lib directory.
402
403
404
405       openvpn_var_log_t
406
407       -  Set  files with the openvpn_var_log_t type, if you want to treat the
408       data as openvpn var log data, usually stored under the /var/log  direc‐
409       tory.
410
411
412
413       openvpn_var_run_t
414
415       -  Set  files with the openvpn_var_run_t type, if you want to store the
416       openvpn files under the /run or /var/run directory.
417
418
419
420       Note: File context can be temporarily modified with the chcon  command.
421       If  you want to permanently change the file context you need to use the
422       semanage fcontext command.  This will modify the SELinux labeling data‐
423       base.  You will need to use restorecon to apply the labels.
424
425

COMMANDS

427       semanage  fcontext  can also be used to manipulate default file context
428       mappings.
429
430       semanage permissive can also be used to manipulate  whether  or  not  a
431       process type is permissive.
432
433       semanage  module can also be used to enable/disable/install/remove pol‐
434       icy modules.
435
436       semanage port can also be used to manipulate the port definitions
437
438       semanage boolean can also be used to manipulate the booleans
439
440
441       system-config-selinux is a GUI tool available to customize SELinux pol‐
442       icy settings.
443
444

AUTHOR

446       This manual page was auto-generated using sepolicy manpage .
447
448

SEE ALSO

450       selinux(8),  openvpn(8),  semanage(8), restorecon(8), chcon(1) , setse‐
451       bool(8),      openvpn_unconfined_script_selinux(8),      openvpn_uncon‐
452       fined_script_selinux(8)
453
454
455
456openvpn                            15-06-03                 openvpn_selinux(8)
Impressum