openvpn_selinux(8)          SELinux Policy openvpn          openvpn_selinux(8)

NAME

       openvpn_selinux - Security Enhanced Linux Policy for the openvpn
       processes

DESCRIPTION

       Security-Enhanced Linux secures the openvpn processes via flexible
       mandatory access control.

       The openvpn processes execute with the openvpn_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep openvpn_t

ENTRYPOINTS

       The openvpn_t SELinux type can be entered via the openvpn_exec_t file
       type.

       The default entrypoint paths for the openvpn_t domain are the
       following:

       /usr/sbin/openvpn

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       openvpn policy is very flexible, allowing users to set up their openvpn
       processes in as secure a method as possible.

       The following process types are defined for openvpn:

       openvpn_t, openvpn_unconfined_script_t

       Note: semanage permissive -a openvpn_t can be used to make the process
       type openvpn_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. openvpn
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run openvpn with the tightest access
       possible.

       If you want to determine whether openvpn can connect to the TCP
       network, you must turn on the openvpn_can_network_connect boolean.
       Enabled by default.

       setsebool -P openvpn_can_network_connect 1

       If you want to allow openvpn to run unconfined scripts, you must turn
       on the openvpn_run_unconfined boolean. Disabled by default.

       setsebool -P openvpn_run_unconfined 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to support ecryptfs home directories, you must turn on the
       use_ecryptfs_home_dirs boolean. Disabled by default.

       setsebool -P use_ecryptfs_home_dirs 1

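       As an added check that is not part of this generated page, the
       following POSIX shell script compares the openvpn-related booleans in
       getsebool -a output with the defaults listed above and prints the
       setsebool -P command that restores each one that deviates. The function
       names and the sample getsebool output are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the generated man page: compare the openvpn-
# related booleans in getsebool -a output with the defaults documented above.
# Documented defaults as name=state pairs (from the BOOLEANS section).
OPENVPN_BOOLEAN_DEFAULTS="openvpn_can_network_connect=on openvpn_run_unconfined=off \
fips_mode=on kerberos_enabled=on nis_enabled=off use_ecryptfs_home_dirs=off"

# Reads getsebool-style lines ("<boolean> --> <on|off>") on stdin.  Prints
# one line per boolean that differs from its documented default, with the
# setsebool -P command that restores the default; booleans missing from
# the input are reported on stderr.  Output is empty when all match.
# On a live host:  getsebool -a | audit_openvpn_booleans
audit_openvpn_booleans() {
    awk -v defaults="$OPENVPN_BOOLEAN_DEFAULTS" '
    BEGIN {
        n = split(defaults, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            expected[kv[1]] = kv[2]
        }
    }
    $2 == "-->" && ($1 in expected) {
        seen[$1] = 1
        if ($3 != expected[$1])
            printf "%s is %s (default %s): setsebool -P %s %d\n",
                   $1, $3, expected[$1], $1, (expected[$1] == "on") ? 1 : 0
    }
    END {
        for (b in expected)
            if (!(b in seen))
                print b " not present in input" > "/dev/stderr"
    }'
}

# Constructed sample of getsebool -a output (not from a real host): the
# unconfined-script boolean has been switched on, everything else is default.
SAMPLE_GETSEBOOL="httpd_can_network_connect --> off
openvpn_can_network_connect --> on
openvpn_run_unconfined --> on
fips_mode --> on
kerberos_enabled --> on
nis_enabled --> off
use_ecryptfs_home_dirs --> off"

# Number of openvpn-related booleans in the given output that deviate.
count_boolean_deviations() {
    printf '%s\n' "$1" | audit_openvpn_booleans 2>/dev/null | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_openvpn_booleans
```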

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux openvpn policy is very flexible, allowing users to set up their
       openvpn processes in as secure a method as possible.

       The following port types are defined for openvpn:

       openvpn_port_t

       Default Defined Ports:
                 tcp 1194
                 udp 1194


MANAGED FILES

       The SELinux process type openvpn_t can manage files labeled with the
       following file types.  The paths listed are the default paths for these
       file types.  Note that the process's UID still needs DAC permissions.

       NetworkManager_var_run_t

            /var/run/teamd(/.*)?
            /var/run/nm-xl2tpd.conf.*
            /var/run/nm-dhclient.*
            /var/run/NetworkManager(/.*)?
            /var/run/wpa_supplicant(/.*)?
            /var/run/wicd.pid
            /var/run/NetworkManager.pid
            /var/run/nm-dns-dnsmasq.conf
            /var/run/wpa_supplicant-global

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       lastlog_t

            /var/log/lastlog.*

       openvpn_etc_rw_t

            /etc/openvpn/ipp.txt

       openvpn_status_t

            /var/log/openvpn-status.log.*

       openvpn_tmp_t

       openvpn_var_lib_t

            /var/lib/openvpn(/.*)?

       openvpn_var_log_t

            /var/log/openvpn.*

       openvpn_var_run_t

            /var/run/openvpn(/.*)?
            /var/run/openvpn.client.*
            /var/run/openvpn-server(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       vpnc_var_run_t

            /var/run/vpnc(/.*)?


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux openvpn policy is very flexible, allowing users to set up their
       openvpn processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES

       openvpn policy stores data with multiple different file context types
       under the /var/run/openvpn directory.  If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping.  If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/run/openvpn /srv/openvpn
       restorecon -R -v /srv/openvpn

       STANDARD FILE CONTEXT

       SELinux defines the file context types for openvpn; if you wanted to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t openvpn_var_run_t '/srv/myopenvpn_content(/.*)?'
       restorecon -R -v /srv/myopenvpn_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for openvpn:

       openvpn_etc_rw_t

       - Set files with the openvpn_etc_rw_t type, if you want to treat the
       files as openvpn etc read/write content.

       openvpn_etc_t

       - Set files with the openvpn_etc_t type, if you want to store openvpn
       files in the /etc directories.

       openvpn_exec_t

       - Set files with the openvpn_exec_t type, if you want to transition an
       executable to the openvpn_t domain.

       openvpn_initrc_exec_t

       - Set files with the openvpn_initrc_exec_t type, if you want to
       transition an executable to the openvpn_initrc_t domain.

       openvpn_status_t

       - Set files with the openvpn_status_t type, if you want to treat the
       files as openvpn status data.

       openvpn_tmp_t

       - Set files with the openvpn_tmp_t type, if you want to store openvpn
       temporary files in the /tmp directories.

       openvpn_unconfined_script_exec_t

       - Set files with the openvpn_unconfined_script_exec_t type, if you want
       to transition an executable to the openvpn_unconfined_script_t domain.

       openvpn_var_lib_t

       - Set files with the openvpn_var_lib_t type, if you want to store the
       openvpn files under the /var/lib directory.

       openvpn_var_log_t

       - Set files with the openvpn_var_log_t type, if you want to treat the
       data as openvpn var log data, usually stored under the /var/log
       directory.

       openvpn_var_run_t

       - Set files with the openvpn_var_run_t type, if you want to store the
       openvpn files under the /run or /var/run directory.

       Paths:
            /var/run/openvpn(/.*)?, /var/run/openvpn.client.*,
            /var/run/openvpn-server(/.*)?

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command.  This will modify the SELinux labeling
       database.  You will need to use restorecon to apply the labels.

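       As an added example that is not part of this generated page, the
       following POSIX shell script reads ls -Zd style lines and reports
       openvpn files whose type differs from the default file contexts listed
       on this page, using anchored versions of the page's default path
       regexes; on a live host, restorecon -nv reports the same authoritatively.
       The function names and the sample ls -Z lines are constructed for the
       example.

```shell
#!/bin/sh
# Added example, not part of the generated man page: report openvpn
# files whose ls -Z type differs from the defaults this page lists.
# Offline stand-in for restorecon -nv, which is what a live host runs.

# One rule per line: "<path regex> <expected type>", anchored versions
# of the page's default paths.  First match wins, so the specific
# openvpn-status rule comes before the general /var/log/openvpn rule.
OPENVPN_FCONTEXT_RULES='^/usr/sbin/openvpn$ openvpn_exec_t
^/etc/openvpn/ipp\.txt$ openvpn_etc_rw_t
^/var/log/openvpn-status\.log.* openvpn_status_t
^/var/log/openvpn.* openvpn_var_log_t
^/var/lib/openvpn(/.*)?$ openvpn_var_lib_t
^/var/run/openvpn(/.*)?$ openvpn_var_run_t
^/var/run/openvpn\.client.* openvpn_var_run_t
^/var/run/openvpn-server(/.*)?$ openvpn_var_run_t'

# Prints the default openvpn type for a path, or "-" if no rule applies.
expected_openvpn_type() {
    printf '%s\n' "$OPENVPN_FCONTEXT_RULES" | awk -v path="$1" '
        path ~ $1 { print $2; found = 1; exit }
        END { if (!found) print "-" }'
}

# Reads ls -Zd style lines ("user:role:type:level /full/path") on stdin
# and prints "path current_type expected_type" for each file whose type
# differs from the default; paths no rule covers are skipped.
find_mislabeled_openvpn_files() {
    while read -r context path; do
        [ -n "$path" ] || continue
        current=$(printf '%s' "$context" | cut -d: -f3)
        expected=$(expected_openvpn_type "$path")
        [ "$expected" = "-" ] && continue
        [ "$current" = "$expected" ] || echo "$path $current $expected"
    done
}

# Constructed sample (not captured from a real host): the status log was
# created with the generic var_log_t type instead of openvpn_status_t.
SAMPLE_LS_Z="system_u:object_r:openvpn_exec_t:s0 /usr/sbin/openvpn
system_u:object_r:openvpn_etc_rw_t:s0 /etc/openvpn/ipp.txt
unconfined_u:object_r:var_log_t:s0 /var/log/openvpn-status.log
system_u:object_r:openvpn_var_run_t:s0 /var/run/openvpn/server.pid
system_u:object_r:etc_t:s0 /etc/hosts"

printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled_openvpn_files
```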

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), openvpn(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), openvpn_unconfined_script_selinux(8)

openvpn                            21-11-19                 openvpn_selinux(8)