openvpn_selinux(8)          SELinux Policy openvpn          openvpn_selinux(8)

NAME

       openvpn_selinux - Security Enhanced Linux Policy for the openvpn
       processes

DESCRIPTION

       Security-Enhanced Linux secures the openvpn processes via flexible
       mandatory access control.

       The openvpn processes execute with the openvpn_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep openvpn_t

ENTRYPOINTS

       The openvpn_t SELinux type can be entered via the openvpn_exec_t file
       type.

       The default entrypoint paths for the openvpn_t domain are the
       following:

       /usr/sbin/openvpn

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       openvpn policy is very flexible, allowing users to set up their openvpn
       processes in as secure a manner as possible.

       The following process types are defined for openvpn:

       openvpn_t, openvpn_unconfined_script_t

       Note: semanage permissive -a openvpn_t can be used to make the process
       type openvpn_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.
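
       A way to act on the ps -Z check above, added here as an example and
       not part of the generated man page: the script parses ps -eZ output
       and lists any process named openvpn whose type is not openvpn_t.
       Because openvpn_t is entered only through the openvpn_exec_t
       entrypoint (see ENTRYPOINTS), such a process runs outside the openvpn
       policy, usually because the executable it was started from is not
       labeled openvpn_exec_t. The listing in SAMPLE_PS, its PIDs and its
       contexts are constructed.

```shell
#!/bin/sh
# Added example, not part of the generated man page: list openvpn processes
# that are not confined in openvpn_t.  SAMPLE_PS is constructed in the layout
# of `ps -eZ` (LABEL PID TTY TIME CMD); on a host use ps_output=$(ps -eZ).
SAMPLE_PS='LABEL                              PID TTY          TIME CMD
system_u:system_r:openvpn_t:s0     812 ?        00:00:01 openvpn
system_u:system_r:openvpn_t:s0     813 ?        00:00:00 openvpn
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2044 pts/0 00:00:00 openvpn
system_u:system_r:sshd_t:s0-s0:c0.c1023 1020 ?        00:00:00 sshd'

# unconfined_openvpn PS_OUTPUT
# Print "PID TYPE" for each process named openvpn whose SELinux type (the
# third colon-separated field of user:role:type:range) is not openvpn_t.
# Prints nothing when every openvpn process is confined.
unconfined_openvpn() {
    printf '%s\n' "$1" | awk '
        $NF == "openvpn" {
            split($1, ctx, ":")
            if (ctx[3] != "openvpn_t") print $2, ctx[3]
        }'
}

# count_confined PS_OUTPUT
# Print how many openvpn processes are running in openvpn_t.
count_confined() {
    printf '%s\n' "$1" | awk '
        $NF == "openvpn" { split($1, ctx, ":"); if (ctx[3] == "openvpn_t") n++ }
        END { print n + 0 }'
}

# Stand-alone report: confined count, then any escapees with the first thing
# to check (the label of the binary the process was started from).
echo "openvpn processes confined in openvpn_t: $(count_confined "$SAMPLE_PS")"
escaped=$(unconfined_openvpn "$SAMPLE_PS")
if [ -n "$escaped" ]; then
    echo "openvpn processes outside openvpn_t (PID TYPE):"
    printf '%s\n' "$escaped"
    echo "check the executable label: ls -Z /usr/sbin/openvpn (expected openvpn_exec_t)"
fi
```

       On the constructed sample the report names PID 2044 in unconfined_t.
       If the executable label is wrong, restorecon -v /usr/sbin/openvpn
       restores it; a process already running keeps its domain until it is
       restarted.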

BOOLEANS

       SELinux policy is customizable based on the least access required.
       openvpn policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run openvpn with the tightest
       access possible.

       If you want to allow openvpn to connect to the TCP network, you must
       turn on the openvpn_can_network_connect boolean. Enabled by default.

       setsebool -P openvpn_can_network_connect 1

       If you want to allow openvpn to read generic user home content files,
       you must turn on the openvpn_enable_homedirs boolean. Enabled by
       default.

       setsebool -P openvpn_enable_homedirs 1

       If you want to allow openvpn to run unconfined scripts, you must turn
       on the openvpn_run_unconfined boolean. Enabled by default.

       setsebool -P openvpn_run_unconfined 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you
       must turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to support ecryptfs home directories, you must turn on the
       use_ecryptfs_home_dirs boolean. Disabled by default.

       setsebool -P use_ecryptfs_home_dirs 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1
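
       The defaults documented above are the baseline for "least access".
       The following script, added here as an example and not part of the
       generated man page, compares a host's getsebool -a output against
       that baseline and prints a persistent setsebool command for each
       boolean that has drifted from it. OPENVPN_BOOL_DEFAULTS is transcribed
       from this section; SAMPLE_GETSEBOOL is a constructed excerpt of
       getsebool -a output. Note that the daemons_* and domain_* booleans
       apply to all daemons or all domains, not only to openvpn_t, so drift
       there widens access well beyond openvpn.

```shell
#!/bin/sh
# Added example, not part of the generated man page: report booleans whose
# current value differs from the defaults documented in this section and
# print the setsebool -P command that restores each one.
# Documented defaults, "<boolean> <default>", transcribed from this page.
OPENVPN_BOOL_DEFAULTS='openvpn_can_network_connect on
openvpn_enable_homedirs on
openvpn_run_unconfined on
authlogin_nsswitch_use_ldap off
daemons_dump_core off
daemons_enable_cluster_mode on
daemons_use_tcp_wrapper off
daemons_use_tty off
deny_ptrace on
domain_can_mmap_files on
domain_can_write_kmsg off
domain_fd_use on
domain_kernel_load_modules off
fips_mode on
global_ssp off
kerberos_enabled on
nis_enabled off
nscd_use_shm off
use_ecryptfs_home_dirs off
use_nfs_home_dirs off
use_samba_home_dirs off'

# Constructed excerpt in the layout of `getsebool -a`; on a host use
# current=$(getsebool -a).
SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
daemons_dump_core --> on
deny_ptrace --> on
openvpn_can_network_connect --> on
openvpn_enable_homedirs --> off
openvpn_run_unconfined --> on
unrelated_boolean --> on'

# boolean_drift DEFAULTS CURRENT
# Print "NAME current=X default=Y" for every boolean in CURRENT that appears
# in DEFAULTS with a different value.  Booleans absent from DEFAULTS are
# ignored, so the function is safe to run on the full getsebool -a output.
boolean_drift() {
    { printf '%s\n' "$1"; printf '%s\n' '---'; printf '%s\n' "$2"; } | awk '
        /^---$/     { in_current = 1; next }
        !in_current { def[$1] = $2; next }
        $2 == "-->" && ($1 in def) && $3 != def[$1] {
            print $1, "current=" $3, "default=" def[$1]
        }'
}

# drift_to_setsebool DEFAULTS CURRENT
# Turn each drift line into the persistent setsebool command that restores
# the documented default.  Review each line before running it: a deviation
# may be deliberate, and the daemons_*/domain_* booleans affect every domain.
drift_to_setsebool() {
    boolean_drift "$1" "$2" | awk '{
        sub(/^default=/, "", $3)
        print "setsebool -P " $1 " " $3
    }'
}

drift_to_setsebool "$OPENVPN_BOOL_DEFAULTS" "$SAMPLE_GETSEBOOL"
```

       On the constructed sample two booleans have drifted:
       daemons_dump_core is on (documented default off) and
       openvpn_enable_homedirs is off (documented default on), so the script
       prints one setsebool -P line for each. setsebool accepts on/off as
       well as the 1/0 used in the commands above.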

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux openvpn policy is very flexible, allowing users to set up their
       openvpn processes in as secure a manner as possible.

       The following port types are defined for openvpn:

       openvpn_port_t

       Default Defined Ports:
                 tcp 1194
                 udp 1194
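
       When openvpn is configured to listen on a port other than 1194, that
       port needs the openvpn_port_t label as well. The script below, added
       here as an example and not part of the generated man page, reads
       semanage port -l output, tells whether a given port/protocol is
       covered by a type (single ports and a-b ranges), shows which types
       currently cover it, and prints the semanage port -a command that adds
       the label when it is missing. SAMPLE_PORT_LISTING is a constructed
       excerpt of semanage port -l output.

```shell
#!/bin/sh
# Added example, not part of the generated man page: decide whether a port is
# already labeled for openvpn and, if not, print the semanage command that
# labels it.  SAMPLE_PORT_LISTING is a constructed excerpt in the layout of
# `semanage port -l`; on a host use listing=$(semanage port -l).
SAMPLE_PORT_LISTING='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
openvpn_port_t                 tcp      1194
openvpn_port_t                 udp      1194, 1195-1199
ssh_port_t                     tcp      22'

# port_owners PROTO PORT LISTING
# Print every type whose PROTO entry covers PORT, one per line.  Entries are
# comma-separated and may be single ports or a-b ranges.  Empty if none.
port_owners() {
    printf '%s\n' "$3" | awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)
                if (p ~ /^[0-9]+-[0-9]+$/) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; next }
                } else if (p + 0 == port + 0) {
                    print $1; next
                }
            }
        }'
}

# port_is_labeled TYPE PROTO PORT LISTING
# Exit 0 when TYPE covers PORT/PROTO in LISTING, 1 otherwise.
port_is_labeled() {
    port_owners "$2" "$3" "$4" | grep -qx "$1"
}

# suggest_label TYPE PROTO PORT LISTING
# Print nothing when TYPE already covers PORT/PROTO.  Otherwise print the
# types that currently cover the port (a conflict to review: a port that
# already has a specific type needs semanage port -m instead) and the -a
# command that adds the label.
suggest_label() {
    if port_is_labeled "$1" "$2" "$3" "$4"; then
        return 0
    fi
    owners=$(port_owners "$2" "$3" "$4" | tr '\n' ' ')
    if [ -n "$owners" ]; then
        printf '# %s/%s currently covered by: %s\n' "$2" "$3" "$owners"
    fi
    printf 'semanage port -a -t %s -p %s %s\n' "$1" "$2" "$3"
}

suggest_label openvpn_port_t udp 1197 "$SAMPLE_PORT_LISTING"   # already covered: no output
suggest_label openvpn_port_t tcp 1195 "$SAMPLE_PORT_LISTING"   # prints the -a command
suggest_label openvpn_port_t tcp 443  "$SAMPLE_PORT_LISTING"   # conflict note, then -a
```

       On a real listing the large ranges owned by generic port types cover
       every port not listed elsewhere, so a "currently covered by" line
       naming only such a type is not a conflict; a specific type on the same
       port is, and then semanage port -m with the same arguments changes
       the existing definition instead of adding one.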

MANAGED FILES

       The SELinux process type openvpn_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       NetworkManager_var_run_t

            /var/run/teamd(/.*)?
            /var/run/nm-xl2tpd.conf.*
            /var/run/nm-dhclient.*
            /var/run/NetworkManager(/.*)?
            /var/run/wpa_supplicant(/.*)?
            /var/run/wicd.pid
            /var/run/NetworkManager.pid
            /var/run/nm-dns-dnsmasq.conf
            /var/run/wpa_supplicant-global

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       lastlog_t

            /var/log/lastlog.*

       net_conf_t

            /etc/hosts[^/]*
            /etc/yp.conf.*
            /etc/denyhosts.*
            /etc/hosts.deny.*
            /etc/resolv.conf.*
            /etc/.resolv.conf.*
            /etc/resolv-secure.conf.*
            /var/run/systemd/network(/.*)?
            /etc/sysconfig/networking(/.*)?
            /etc/sysconfig/network-scripts(/.*)?
            /etc/sysconfig/network-scripts/.*resolv.conf
            /var/run/NetworkManager/resolv.conf.*
            /etc/ethers
            /etc/ntp.conf
            /var/run/systemd/resolve/resolv.conf

       openvpn_etc_rw_t

            /etc/openvpn/ipp.txt

       openvpn_status_t

            /var/log/openvpn-status.log.*

       openvpn_tmp_t

       openvpn_var_lib_t

            /var/lib/openvpn(/.*)?

       openvpn_var_log_t

            /var/log/openvpn.*

       openvpn_var_run_t

            /var/run/openvpn(/.*)?
            /var/run/openvpn.client.*

       root_t

            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux openvpn policy is very flexible, allowing users to set up their
       openvpn processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       openvpn policy stores data with multiple different file context types
       under the /var/run/openvpn directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/run/openvpn /srv/openvpn
       restorecon -R -v /srv/openvpn

       STANDARD FILE CONTEXT

       SELinux defines the file context types for openvpn. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t openvpn_var_run_t '/srv/myopenvpn_content(/.*)?'
       restorecon -R -v /srv/myopenvpn_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for openvpn:

       openvpn_etc_rw_t

       - Set files with the openvpn_etc_rw_t type, if you want to treat the
       files as openvpn etc read/write content.

       openvpn_etc_t

       - Set files with the openvpn_etc_t type, if you want to store openvpn
       files in the /etc directories.

       openvpn_exec_t

       - Set files with the openvpn_exec_t type, if you want to transition an
       executable to the openvpn_t domain.

       openvpn_initrc_exec_t

       - Set files with the openvpn_initrc_exec_t type, if you want to
       transition an executable to the openvpn_initrc_t domain.

       openvpn_status_t

       - Set files with the openvpn_status_t type, if you want to treat the
       files as openvpn status data.

       openvpn_tmp_t

       - Set files with the openvpn_tmp_t type, if you want to store openvpn
       temporary files in the /tmp directories.

       openvpn_unconfined_script_exec_t

       - Set files with the openvpn_unconfined_script_exec_t type, if you want
       to transition an executable to the openvpn_unconfined_script_t domain.

       openvpn_var_lib_t

       - Set files with the openvpn_var_lib_t type, if you want to store the
       openvpn files under the /var/lib directory.

       openvpn_var_log_t

       - Set files with the openvpn_var_log_t type, if you want to treat the
       data as openvpn var log data, usually stored under the /var/log
       directory.

       openvpn_var_run_t

       - Set files with the openvpn_var_run_t type, if you want to store the
       openvpn files under the /run or /var/run directory.

       Paths:
            /var/run/openvpn(/.*)?, /var/run/openvpn.client.*

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
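
       To check that the labels on disk match the file types documented
       above, the following script, added here as an example and not part of
       the generated man page, reads ls -dZ output and reports every path
       whose type differs from the type expected for it, with a restorecon
       command for each. EXPECTED_TYPES is transcribed from the openvpn
       entries in MANAGED FILES; SAMPLE_LS is a constructed listing. Where
       more than one pattern matches a path, the example takes the longest
       pattern as the most specific one; that is an approximation of the
       precedence restorecon applies, so compare with matchpathcon(8) on a
       live host.

```shell
#!/bin/sh
# Added example, not part of the generated man page: find openvpn files whose
# on-disk type is not the one documented for their path, and print the
# restorecon command that relabels them.  SAMPLE_LS is a constructed listing
# in the layout of `ls -dZ` (context, then path); on a host use e.g.
#   listing=$(find /var/run/openvpn /var/log -maxdepth 1 -exec ls -dZ {} +)
SAMPLE_LS='system_u:object_r:openvpn_var_run_t:s0 /var/run/openvpn
system_u:object_r:openvpn_var_run_t:s0 /var/run/openvpn/server.pid
unconfined_u:object_r:var_run_t:s0 /var/run/openvpn/server.status
system_u:object_r:openvpn_var_run_t:s0 /var/run/openvpn.client.1
system_u:object_r:openvpn_var_log_t:s0 /var/log/openvpn.log
unconfined_u:object_r:var_log_t:s0 /var/log/openvpn-status.log'

# Expected type per path, "<extended regex> <type>", transcribed from the
# openvpn entries in MANAGED FILES above and anchored to the whole path as
# file_contexts entries are.
EXPECTED_TYPES='^/var/run/openvpn(/.*)?$ openvpn_var_run_t
^/var/run/openvpn\.client.* openvpn_var_run_t
^/var/log/openvpn-status\.log.* openvpn_status_t
^/var/log/openvpn.* openvpn_var_log_t'

# mislabeled LISTING EXPECTED
# Print "PATH actual=T1 expected=T2" for each listed path whose type (third
# field of user:role:type:range) differs from the expected type.  When more
# than one pattern matches, the longest pattern is taken as the most specific
# (an assumption standing in for the precedence restorecon applies), so
# openvpn-status.log is checked against openvpn_status_t rather than
# openvpn_var_log_t.  Paths that match no pattern are skipped.
mislabeled() {
    { printf '%s\n' "$2"; printf '%s\n' '---'; printf '%s\n' "$1"; } | awk '
        /^---$/     { in_listing = 1; next }
        !in_listing { pat[++n] = $1; typ[n] = $2; next }
        {
            split($1, ctx, ":")
            best = ""; bestlen = -1
            for (i = 1; i <= n; i++)
                if ($2 ~ pat[i] && length(pat[i]) > bestlen) {
                    best = typ[i]; bestlen = length(pat[i])
                }
            if (best != "" && ctx[3] != best)
                print $2, "actual=" ctx[3], "expected=" best
        }'
}

# relabel_commands LISTING EXPECTED
# One restorecon command per mislabeled path.  restorecon takes the expected
# label from the policy's file context database, so no type is passed on the
# command line; chcon would set a type directly, but only until the next
# relabel (see the Note above).
relabel_commands() {
    mislabeled "$1" "$2" | awk '{ print "restorecon -v " $1 }'
}

mislabeled "$SAMPLE_LS" "$EXPECTED_TYPES"
relabel_commands "$SAMPLE_LS" "$EXPECTED_TYPES"
```

       On the constructed listing two paths are flagged: the status file
       under /var/run/openvpn carrying var_run_t and /var/log/openvpn-status.log
       carrying var_log_t. Both are what an administrator creating the files
       by hand from an unconfined shell would get, and both are the kind of
       label that shows up later as an AVC denial against openvpn_t.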

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), openvpn(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), openvpn_unconfined_script_selinux(8)

openvpn                            19-04-25                 openvpn_selinux(8)