1openvpn_selinux(8)          SELinux Policy openvpn          openvpn_selinux(8)
2
3
4

NAME

6       openvpn_selinux  -  Security Enhanced Linux Policy for the openvpn pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  openvpn  processes  via  flexible
11       mandatory access control.
12
13       The  openvpn processes execute with the openvpn_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep openvpn_t
20
21
22

ENTRYPOINTS

24       The  openvpn_t  SELinux type can be entered via the openvpn_exec_t file
25       type.
26
27       The default entrypoint paths for the openvpn_t domain are  the  follow‐
28       ing:
29
30       /usr/sbin/openvpn
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       openvpn  policy  is very flexible allowing users to setup their openvpn
40       processes in as secure a method as possible.
41
42       The following process types are defined for openvpn:
43
44       openvpn_t, openvpn_unconfined_script_t
45
46       Note: semanage permissive -a openvpn_t can be used to make the  process
47       type  openvpn_t  permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux policy is customizable based on least access required.  openvpn
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate  the  policy and run openvpn with the tightest access possi‐
56       ble.
57
58
59
60       If you want to determine whether openvpn can connect to  the  TCP  net‐
61       work, you must turn on the openvpn_can_network_connect boolean. Enabled
62       by default.
63
64       setsebool -P openvpn_can_network_connect 1
65
66
67
68       If you want to allow openvpn to run unconfined scripts, you  must  turn
69       on the openvpn_run_unconfined boolean. Disabled by default.
70
71       setsebool -P openvpn_run_unconfined 1
72
73
74
75       If you want to allow all domains to execute in fips_mode, you must turn
76       on the fips_mode boolean. Enabled by default.
77
78       setsebool -P fips_mode 1
79
80
81
82       If you want to allow confined applications to run  with  kerberos,  you
83       must turn on the kerberos_enabled boolean. Disabled by default.
84
85       setsebool -P kerberos_enabled 1
86
87
88
89       If  you  want  to  allow  system  to run with NIS, you must turn on the
90       nis_enabled boolean. Disabled by default.
91
92       setsebool -P nis_enabled 1
93
94
95
96       If you want to support ecryptfs home directories, you must turn on  the
97       use_ecryptfs_home_dirs boolean. Disabled by default.
98
99       setsebool -P use_ecryptfs_home_dirs 1
100
101
102

PORT TYPES

104       SELinux defines port types to represent TCP and UDP ports.
105
106       You  can  see  the  types associated with a port by using the following
107       command:
108
109       semanage port -l
110
111
112       Policy governs the access  confined  processes  have  to  these  ports.
113       SELinux  openvpn  policy is very flexible allowing users to setup their
114       openvpn processes in as secure a method as possible.
115
116       The following port types are defined for openvpn:
117
118
119       openvpn_port_t
120
121
122
123       Default Defined Ports:
124                 tcp 1194
125                 udp 1194
126

MANAGED FILES

128       The SELinux process type openvpn_t can manage files  labeled  with  the
129       following file types.  The paths listed are the default paths for these
130       file types.  Note the processes UID still need to have DAC permissions.
131
132       NetworkManager_var_run_t
133
134            /var/run/teamd(/.*)?
135            /var/run/nm-xl2tpd.conf.*
136            /var/run/nm-dhclient.*
137            /var/run/NetworkManager(/.*)?
138            /var/run/wpa_supplicant(/.*)?
139            /var/run/wicd.pid
140            /var/run/NetworkManager.pid
141            /var/run/nm-dns-dnsmasq.conf
142            /var/run/wpa_supplicant-global
143
144       cluster_conf_t
145
146            /etc/cluster(/.*)?
147
148       cluster_var_lib_t
149
150            /var/lib/pcsd(/.*)?
151            /var/lib/cluster(/.*)?
152            /var/lib/openais(/.*)?
153            /var/lib/pengine(/.*)?
154            /var/lib/corosync(/.*)?
155            /usr/lib/heartbeat(/.*)?
156            /var/lib/heartbeat(/.*)?
157            /var/lib/pacemaker(/.*)?
158
159       cluster_var_run_t
160
161            /var/run/crm(/.*)?
162            /var/run/cman_.*
163            /var/run/rsctmp(/.*)?
164            /var/run/aisexec.*
165            /var/run/heartbeat(/.*)?
166            /var/run/corosync-qnetd(/.*)?
167            /var/run/corosync-qdevice(/.*)?
168            /var/run/corosync.pid
169            /var/run/cpglockd.pid
170            /var/run/rgmanager.pid
171            /var/run/cluster/rgmanager.sk
172
173       faillog_t
174
175            /var/log/btmp.*
176            /var/log/faillog.*
177            /var/log/tallylog.*
178            /var/run/faillock(/.*)?
179
180       lastlog_t
181
182            /var/log/lastlog.*
183
184       openvpn_etc_rw_t
185
186            /etc/openvpn/ipp.txt
187
188       openvpn_status_t
189
190            /var/log/openvpn-status.log.*
191
192       openvpn_var_lib_t
193
194            /var/lib/openvpn(/.*)?
195
196       openvpn_var_log_t
197
198            /var/log/openvpn.*
199
200       openvpn_var_run_t
201
202            /var/run/openvpn(/.*)?
203            /var/run/openvpn.client.*
204            /var/run/openvpn-server(/.*)?
205
206       root_t
207
208            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
209            /
210            /initrd
211
212       security_t
213
214            /selinux
215
216       systemd_passwd_var_run_t
217
218            /var/run/systemd/ask-password(/.*)?
219            /var/run/systemd/ask-password-block(/.*)?
220
221       vpnc_var_run_t
222
223            /var/run/vpnc(/.*)?
224
225

FILE CONTEXTS

227       SELinux requires files to have an extended attribute to define the file
228       type.
229
230       You can see the context of a file using the -Z option to ls
231
232       Policy  governs  the  access  confined  processes  have to these files.
233       SELinux openvpn policy is very flexible allowing users to  setup  their
234       openvpn processes in as secure a method as possible.
235
236       EQUIVALENCE DIRECTORIES
237
238
239       openvpn  policy  stores data with multiple different file context types
240       under the /var/run/openvpn directory.  If you would like to  store  the
241       data  in a different directory you can use the semanage command to cre‐
242       ate an equivalence mapping.  If you wanted to store this data under the
243       /srv directory you would execute the following command:
244
245       semanage fcontext -a -e /var/run/openvpn /srv/openvpn
246       restorecon -R -v /srv/openvpn
247
248       STANDARD FILE CONTEXT
249
250       SELinux  defines  the file context types for the openvpn, if you wanted
251       to store files with these types in a diffent paths, you need to execute
252       the  semanage  command  to  sepecify  alternate  labeling  and then use
253       restorecon to put the labels on disk.
254
255       semanage  fcontext   -a   -t   openvpn_var_run_t   '/srv/myopenvpn_con‐
256       tent(/.*)?'
257       restorecon -R -v /srv/myopenvpn_content
258
259       Note:  SELinux  often  uses  regular expressions to specify labels that
260       match multiple files.
261
262       The following file types are defined for openvpn:
263
264
265
266       openvpn_etc_rw_t
267
268       - Set files with the openvpn_etc_rw_t type, if you want  to  treat  the
269       files as openvpn etc read/write content.
270
271
272
273       openvpn_etc_t
274
275       -  Set  files with the openvpn_etc_t type, if you want to store openvpn
276       files in the /etc directories.
277
278
279
280       openvpn_exec_t
281
282       - Set files with the openvpn_exec_t type, if you want to transition  an
283       executable to the openvpn_t domain.
284
285
286
287       openvpn_initrc_exec_t
288
289       - Set files with the openvpn_initrc_exec_t type, if you want to transi‐
290       tion an executable to the openvpn_initrc_t domain.
291
292
293
294       openvpn_status_t
295
296       - Set files with the openvpn_status_t type, if you want  to  treat  the
297       files as openvpn status data.
298
299
300
301       openvpn_tmp_t
302
303       -  Set  files with the openvpn_tmp_t type, if you want to store openvpn
304       temporary files in the /tmp directories.
305
306
307
308       openvpn_unconfined_script_exec_t
309
310       - Set files with the openvpn_unconfined_script_exec_t type, if you want
311       to transition an executable to the openvpn_unconfined_script_t domain.
312
313
314
315       openvpn_var_lib_t
316
317       -  Set  files with the openvpn_var_lib_t type, if you want to store the
318       openvpn files under the /var/lib directory.
319
320
321
322       openvpn_var_log_t
323
324       - Set files with the openvpn_var_log_t type, if you want to  treat  the
325       data  as openvpn var log data, usually stored under the /var/log direc‐
326       tory.
327
328
329
330       openvpn_var_run_t
331
332       - Set files with the openvpn_var_run_t type, if you want to  store  the
333       openvpn files under the /run or /var/run directory.
334
335
336       Paths:
337            /var/run/openvpn(/.*)?,  /var/run/openvpn.client.*, /var/run/open‐
338            vpn-server(/.*)?
339
340
341       Note: File context can be temporarily modified with the chcon  command.
342       If  you want to permanently change the file context you need to use the
343       semanage fcontext command.  This will modify the SELinux labeling data‐
344       base.  You will need to use restorecon to apply the labels.
345
346

COMMANDS

348       semanage  fcontext  can also be used to manipulate default file context
349       mappings.
350
351       semanage permissive can also be used to manipulate  whether  or  not  a
352       process type is permissive.
353
354       semanage  module can also be used to enable/disable/install/remove pol‐
355       icy modules.
356
357       semanage port can also be used to manipulate the port definitions
358
359       semanage boolean can also be used to manipulate the booleans
360
361
362       system-config-selinux is a GUI tool available to customize SELinux pol‐
363       icy settings.
364
365

AUTHOR

367       This manual page was auto-generated using sepolicy manpage .
368
369

SEE ALSO

371       selinux(8),  openvpn(8),  semanage(8),  restorecon(8), chcon(1), sepol‐
372       icy(8),   setsebool(8),   openvpn_unconfined_script_selinux(8),   open‐
373       vpn_unconfined_script_selinux(8)
374
375
376
377openvpn                            20-05-05                 openvpn_selinux(8)
Impressum