openvpn_selinux(8) SELinux Policy openvpn openvpn_selinux(8)

NAME
openvpn_selinux - Security Enhanced Linux Policy for the openvpn processes

DESCRIPTION
Security-Enhanced Linux secures the openvpn processes via flexible mandatory access control.

The openvpn processes execute with the openvpn_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep openvpn_t

ENTRYPOINTS
The openvpn_t SELinux type can be entered via the openvpn_exec_t file type.

The default entrypoint paths for the openvpn_t domain are the following:

/usr/sbin/openvpn

PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux openvpn policy is very flexible, allowing users to set up their openvpn processes in as secure a method as possible.

The following process types are defined for openvpn:

openvpn_t, openvpn_unconfined_script_t

Note: semanage permissive -a openvpn_t can be used to make the process type openvpn_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated.

BOOLEANS
SELinux policy is customizable based on least access required. openvpn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openvpn with the tightest access possible.

If you want to determine whether openvpn can connect to the TCP network, you must turn on the openvpn_can_network_connect boolean. Enabled by default.

setsebool -P openvpn_can_network_connect 1

If you want to determine whether openvpn can read generic user home content files, you must turn on the openvpn_enable_homedirs boolean. Enabled by default.

setsebool -P openvpn_enable_homedirs 1

If you want to allow openvpn to run unconfined scripts, you must turn on the openvpn_run_unconfined boolean. Enabled by default.

setsebool -P openvpn_run_unconfined 1

If you want to allow users to resolve user passwd entries directly from ldap rather than using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1

If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default.

setsebool -P daemons_dump_core 1

If you want to enable cluster mode for daemons, you must turn on the daemons_enable_cluster_mode boolean. Enabled by default.

setsebool -P daemons_enable_cluster_mode 1

If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default.

setsebool -P daemons_use_tcp_wrapper 1

If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default.

setsebool -P daemons_use_tty 1

If you want to deny any process from ptracing or debugging any other processes, you must turn on the deny_ptrace boolean. Enabled by default.

setsebool -P deny_ptrace 1

If you want to allow any process to mmap any file on the system with attribute file_type, you must turn on the domain_can_mmap_files boolean. Enabled by default.

setsebool -P domain_can_mmap_files 1

If you want to allow all domains to write to kmsg_device while the kernel is executed with the systemd.log_target=kmsg parameter, you must turn on the domain_can_write_kmsg boolean. Disabled by default.

setsebool -P domain_can_write_kmsg 1

If you want to allow all domains to use other domains' file descriptors, you must turn on the domain_fd_use boolean. Enabled by default.

setsebool -P domain_fd_use 1

If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default.

setsebool -P domain_kernel_load_modules 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default.

setsebool -P global_ssp 1

If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default.

setsebool -P nscd_use_shm 1

If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default.

setsebool -P use_ecryptfs_home_dirs 1

If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Disabled by default.

setsebool -P use_nfs_home_dirs 1

If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1

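As an added example (not part of the generated man page), the following POSIX shell script compares live boolean values, supplied in the output format of getsebool -a, against the defaults this page documents for the booleans listed above and reports every deviation; the getsebool lines it runs on are constructed, and the audit_booleans function name is this example's own.

```shell
#!/bin/sh
# Compare the openvpn_selinux(8) booleans against live values supplied in
# `getsebool -a` format ("name --> on|off") and report every deviation.
# Defaults as documented on the man page (name=default).
OPENVPN_BOOL_DEFAULTS="
openvpn_can_network_connect=on
openvpn_enable_homedirs=on
openvpn_run_unconfined=on
authlogin_nsswitch_use_ldap=off
daemons_dump_core=off
daemons_enable_cluster_mode=on
daemons_use_tcp_wrapper=off
daemons_use_tty=off
deny_ptrace=on
domain_can_mmap_files=on
domain_can_write_kmsg=off
domain_fd_use=on
domain_kernel_load_modules=off
fips_mode=on
global_ssp=off
kerberos_enabled=on
nis_enabled=off
nscd_use_shm=off
use_ecryptfs_home_dirs=off
use_nfs_home_dirs=off
use_samba_home_dirs=off
"
# audit_booleans: read getsebool output on stdin; print "name value default=X"
# for each documented boolean whose live value differs from its default.
audit_booleans() {
    while IFS= read -r line; do
        name=${line%% *}    # text before the first space
        value=${line##* }   # text after the last space
        default=$(printf '%s\n' "$OPENVPN_BOOL_DEFAULTS" | sed -n "s/^$name=//p")
        [ -n "$default" ] || continue   # not a boolean this page documents
        [ "$value" = "$default" ] || printf '%s %s default=%s\n' "$name" "$value" "$default"
    done
}

# Constructed sample (not captured from a real host): two booleans have been
# changed away from their documented defaults; the httpd one is not ours.
SAMPLE_GETSEBOOL="openvpn_can_network_connect --> on
httpd_can_network_connect --> on
deny_ptrace --> off
daemons_dump_core --> on
use_nfs_home_dirs --> off"

# On a real host: getsebool -a | audit_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans
```

A reported line means the boolean was changed with setsebool (or a local policy) after installation; whether that is intended is a question for the host's change record, not for the script.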
PORT TYPES
SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following command:

semanage port -l

Policy governs the access confined processes have to these ports. SELinux openvpn policy is very flexible, allowing users to set up their openvpn processes in as secure a method as possible.

The following port types are defined for openvpn:

openvpn_port_t

Default Defined Ports:
tcp 1194
udp 1194

MANAGED FILES
The SELinux process type openvpn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

NetworkManager_var_run_t

/var/run/teamd(/.*)?
/var/run/nm-xl2tpd.conf.*
/var/run/nm-dhclient.*
/var/run/NetworkManager(/.*)?
/var/run/wpa_supplicant(/.*)?
/var/run/wicd.pid
/var/run/NetworkManager.pid
/var/run/nm-dns-dnsmasq.conf
/var/run/wpa_supplicant-global

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/cpglockd.pid
/var/run/corosync.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

krb5_host_rcache_t

/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

lastlog_t

/var/log/lastlog.*

net_conf_t

/etc/hosts[^/]*
/etc/yp.conf.*
/etc/denyhosts.*
/etc/hosts.deny.*
/etc/resolv.conf.*
/etc/.resolv.conf.*
/etc/resolv-secure.conf.*
/var/run/systemd/network(/.*)?
/etc/sysconfig/networking(/.*)?
/etc/sysconfig/network-scripts(/.*)?
/etc/sysconfig/network-scripts/.*resolv.conf
/var/run/NetworkManager/resolv.conf.*
/etc/ethers
/etc/ntp.conf
/var/run/systemd/resolve/resolv.conf

openvpn_etc_rw_t

/etc/openvpn/ipp.txt

openvpn_status_t

/var/log/openvpn-status.log.*

openvpn_tmp_t

openvpn_var_lib_t

/var/lib/openvpn(/.*)?

openvpn_var_log_t

/var/log/openvpn.*

openvpn_var_run_t

/var/run/openvpn(/.*)?
/var/run/openvpn.client.*

root_t

/sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
/
/initrd

security_t

/selinux

systemd_passwd_var_run_t

/var/run/systemd/ask-password(/.*)?
/var/run/systemd/ask-password-block(/.*)?

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux openvpn policy is very flexible, allowing users to set up their openvpn processes in as secure a method as possible.

EQUIVALENCE DIRECTORIES

openvpn policy stores data with multiple different file context types under the /var/run/openvpn directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:

semanage fcontext -a -e /var/run/openvpn /srv/openvpn
restorecon -R -v /srv/openvpn

STANDARD FILE CONTEXT

SELinux defines the file context types for openvpn; if you want to store files with these types in different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t openvpn_var_run_t '/srv/myopenvpn_content(/.*)?'
restorecon -R -v /srv/myopenvpn_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

The following file types are defined for openvpn:

openvpn_etc_rw_t

- Set files with the openvpn_etc_rw_t type, if you want to treat the files as openvpn etc read/write content.

openvpn_etc_t

- Set files with the openvpn_etc_t type, if you want to store openvpn files in the /etc directories.

openvpn_exec_t

- Set files with the openvpn_exec_t type, if you want to transition an executable to the openvpn_t domain.

openvpn_initrc_exec_t

- Set files with the openvpn_initrc_exec_t type, if you want to transition an executable to the openvpn_initrc_t domain.

openvpn_status_t

- Set files with the openvpn_status_t type, if you want to treat the files as openvpn status data.

openvpn_tmp_t

- Set files with the openvpn_tmp_t type, if you want to store openvpn temporary files in the /tmp directories.

openvpn_unconfined_script_exec_t

- Set files with the openvpn_unconfined_script_exec_t type, if you want to transition an executable to the openvpn_unconfined_script_t domain.

openvpn_var_lib_t

- Set files with the openvpn_var_lib_t type, if you want to store the openvpn files under the /var/lib directory.

openvpn_var_log_t

- Set files with the openvpn_var_log_t type, if you want to treat the data as openvpn var log data, usually stored under the /var/log directory.

openvpn_var_run_t

- Set files with the openvpn_var_run_t type, if you want to store the openvpn files under the /run or /var/run directory.

Paths:
/var/run/openvpn(/.*)?, /var/run/openvpn.client.*

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.

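As an added example (not from the man page or the openvpn policy itself), the script below checks ls -Z output against the openvpn file-context regexes listed under MANAGED FILES above and reports files whose type differs from the one policy would assign, which is the situation chcon or a restore from backup leaves behind; the sample ls -Z lines are constructed, and the function names expected_type and audit_labels are this example's own.

```shell
#!/bin/sh
# Audit on-disk labels against the openvpn file-context regexes on this page.
# Input: `ls -Z`-style lines "user:role:type:level path" (constructed below).

# Regex/type pairs from the man page, ordered generic to specific so that the
# last matching entry is the most specific one (this checker uses the last).
OPENVPN_FCONTEXTS='
/usr/sbin/openvpn openvpn_exec_t
/etc/openvpn/ipp.txt openvpn_etc_rw_t
/var/lib/openvpn(/.*)? openvpn_var_lib_t
/var/run/openvpn(/.*)? openvpn_var_run_t
/var/run/openvpn.client.* openvpn_var_run_t
/var/log/openvpn.* openvpn_var_log_t
/var/log/openvpn-status.log.* openvpn_status_t
'

# expected_type PATH: print the type policy assigns to PATH, or nothing if
# no openvpn regex matches it (regexes are anchored to the whole path).
expected_type() {
    found=
    while read -r regex type; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$1" | grep -Eq "^$regex\$"; then found=$type; fi
    done <<EOF
$OPENVPN_FCONTEXTS
EOF
    printf '%s\n' "$found"
}

# audit_labels: read ls -Z output on stdin; print "path observed expected=X"
# for each file whose type is not the one policy would assign; paths that
# no listed regex covers are skipped, not judged.
audit_labels() {
    while read -r ctx path; do
        observed=${ctx#*:*:}; observed=${observed%%:*}   # third context field
        expected=$(expected_type "$path")
        [ -z "$expected" ] || [ "$expected" = "$observed" ] ||
            printf '%s %s expected=%s\n' "$path" "$observed" "$expected"
    done
}

# Constructed sample, not captured from a real host: the status log was
# restored from backup and carries a generic var_log_t label.
SAMPLE_LS_Z="system_u:object_r:openvpn_var_run_t:s0 /var/run/openvpn/server.pid
system_u:object_r:var_log_t:s0 /var/log/openvpn-status.log
system_u:object_r:openvpn_etc_rw_t:s0 /etc/openvpn/ipp.txt
system_u:object_r:etc_t:s0 /etc/openvpn/server.conf"

# On a real host: ls -Z /var/log/openvpn* /var/run/openvpn/* | audit_labels
printf '%s\n' "$SAMPLE_LS_Z" | audit_labels
```

A reported path is exactly what restorecon -R -v on that directory would relabel; running the check first shows what will change before any label is touched.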
COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), openvpn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), openvpn_unconfined_script_selinux(8)

openvpn 19-04-25 openvpn_selinux(8)