1openvpn_selinux(8) SELinux Policy openvpn openvpn_selinux(8)
2
3
4
6 openvpn_selinux - Security Enhanced Linux Policy for the openvpn pro‐
7 cesses
8
10 Security-Enhanced Linux secures the openvpn processes via flexible
11 mandatory access control.
12
13 The openvpn processes execute with the openvpn_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep openvpn_t
20
21
22
24 The openvpn_t SELinux type can be entered via the openvpn_exec_t file
25 type.
26
27 The default entrypoint paths for the openvpn_t domain are the follow‐
28 ing:
29
30 /usr/sbin/openvpn
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 openvpn policy is very flexible allowing users to setup their openvpn
40 processes in as secure a method as possible.
41
42 The following process types are defined for openvpn:
43
44 openvpn_t, openvpn_unconfined_script_t
45
46 Note: semanage permissive -a openvpn_t can be used to make the process
47 type openvpn_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. openvpn
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run openvpn with the tightest access possi‐
56 ble.
57
58
59
60 If you want to determine whether openvpn can connect to the TCP net‐
61 work, you must turn on the openvpn_can_network_connect boolean. Enabled
62 by default.
63
64 setsebool -P openvpn_can_network_connect 1
65
66
67
68 If you want to allow openvpn to run unconfined scripts, you must turn
69 on the openvpn_run_unconfined boolean. Disabled by default.
70
71 setsebool -P openvpn_run_unconfined 1
72
73
74
75 If you want to allow all domains to execute in fips_mode, you must turn
76 on the fips_mode boolean. Enabled by default.
77
78 setsebool -P fips_mode 1
79
80
81
82 If you want to allow confined applications to run with kerberos, you
83 must turn on the kerberos_enabled boolean. Enabled by default.
84
85 setsebool -P kerberos_enabled 1
86
87
88
89 If you want to allow system to run with NIS, you must turn on the
90 nis_enabled boolean. Disabled by default.
91
92 setsebool -P nis_enabled 1
93
94
95
96 If you want to support ecryptfs home directories, you must turn on the
97 use_ecryptfs_home_dirs boolean. Disabled by default.
98
99 setsebool -P use_ecryptfs_home_dirs 1
100
101
102
104 SELinux defines port types to represent TCP and UDP ports.
105
106 You can see the types associated with a port by using the following
107 command:
108
109 semanage port -l
110
111
112 Policy governs the access confined processes have to these ports.
113 SELinux openvpn policy is very flexible allowing users to setup their
114 openvpn processes in as secure a method as possible.
115
116 The following port types are defined for openvpn:
117
118
119 openvpn_port_t
120
121
122
123 Default Defined Ports:
124 tcp 1194
125 udp 1194
126
128 The SELinux process type openvpn_t can manage files labeled with the
129 following file types. The paths listed are the default paths for these
130 file types. Note the processes UID still need to have DAC permissions.
131
132 NetworkManager_var_run_t
133
134 /var/run/teamd(/.*)?
135 /var/run/nm-xl2tpd.conf.*
136 /var/run/nm-dhclient.*
137 /var/run/NetworkManager(/.*)?
138 /var/run/wpa_supplicant(/.*)?
139 /var/run/wicd.pid
140 /var/run/NetworkManager.pid
141 /var/run/nm-dns-dnsmasq.conf
142 /var/run/wpa_supplicant-global
143
144 cluster_conf_t
145
146 /etc/cluster(/.*)?
147
148 cluster_var_lib_t
149
150 /var/lib/pcsd(/.*)?
151 /var/lib/cluster(/.*)?
152 /var/lib/openais(/.*)?
153 /var/lib/pengine(/.*)?
154 /var/lib/corosync(/.*)?
155 /usr/lib/heartbeat(/.*)?
156 /var/lib/heartbeat(/.*)?
157 /var/lib/pacemaker(/.*)?
158
159 cluster_var_run_t
160
161 /var/run/crm(/.*)?
162 /var/run/cman_.*
163 /var/run/rsctmp(/.*)?
164 /var/run/aisexec.*
165 /var/run/heartbeat(/.*)?
166 /var/run/pcsd-ruby.socket
167 /var/run/corosync-qnetd(/.*)?
168 /var/run/corosync-qdevice(/.*)?
169 /var/run/corosync.pid
170 /var/run/cpglockd.pid
171 /var/run/rgmanager.pid
172 /var/run/cluster/rgmanager.sk
173
174 faillog_t
175
176 /var/log/btmp.*
177 /var/log/faillog.*
178 /var/log/tallylog.*
179 /var/run/faillock(/.*)?
180
181 krb5_host_rcache_t
182
183 /var/tmp/krb5_0.rcache2
184 /var/cache/krb5rcache(/.*)?
185 /var/tmp/nfs_0
186 /var/tmp/DNS_25
187 /var/tmp/host_0
188 /var/tmp/imap_0
189 /var/tmp/HTTP_23
190 /var/tmp/HTTP_48
191 /var/tmp/ldap_55
192 /var/tmp/ldap_487
193 /var/tmp/ldapmap1_0
194
195 lastlog_t
196
197 /var/log/lastlog.*
198
199 openvpn_etc_rw_t
200
201 /etc/openvpn/ipp.txt
202
203 openvpn_status_t
204
205 /var/log/openvpn-status.log.*
206
207 openvpn_tmp_t
208
209
210 openvpn_var_lib_t
211
212 /var/lib/openvpn(/.*)?
213
214 openvpn_var_log_t
215
216 /var/log/openvpn.*
217
218 openvpn_var_run_t
219
220 /var/run/openvpn(/.*)?
221 /var/run/openvpn.client.*
222 /var/run/openvpn-server(/.*)?
223
224 root_t
225
226 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
227 /
228 /initrd
229
230 security_t
231
232 /selinux
233
234 systemd_passwd_var_run_t
235
236 /var/run/systemd/ask-password(/.*)?
237 /var/run/systemd/ask-password-block(/.*)?
238
239 vpnc_var_run_t
240
241 /var/run/vpnc(/.*)?
242
243
245 SELinux requires files to have an extended attribute to define the file
246 type.
247
248 You can see the context of a file using the -Z option to ls
249
250 Policy governs the access confined processes have to these files.
251 SELinux openvpn policy is very flexible allowing users to setup their
252 openvpn processes in as secure a method as possible.
253
254 EQUIVALENCE DIRECTORIES
255
256
257 openvpn policy stores data with multiple different file context types
258 under the /var/run/openvpn directory. If you would like to store the
259 data in a different directory you can use the semanage command to cre‐
260 ate an equivalence mapping. If you wanted to store this data under the
261 /srv directory you would execute the following command:
262
263 semanage fcontext -a -e /var/run/openvpn /srv/openvpn
264 restorecon -R -v /srv/openvpn
265
266 STANDARD FILE CONTEXT
267
268 SELinux defines the file context types for the openvpn, if you wanted
269 to store files with these types in a diffent paths, you need to execute
270 the semanage command to specify alternate labeling and then use re‐
271 storecon to put the labels on disk.
272
273 semanage fcontext -a -t openvpn_var_run_t '/srv/myopenvpn_con‐
274 tent(/.*)?'
275 restorecon -R -v /srv/myopenvpn_content
276
277 Note: SELinux often uses regular expressions to specify labels that
278 match multiple files.
279
280 The following file types are defined for openvpn:
281
282
283
284 openvpn_etc_rw_t
285
286 - Set files with the openvpn_etc_rw_t type, if you want to treat the
287 files as openvpn etc read/write content.
288
289
290
291 openvpn_etc_t
292
293 - Set files with the openvpn_etc_t type, if you want to store openvpn
294 files in the /etc directories.
295
296
297
298 openvpn_exec_t
299
300 - Set files with the openvpn_exec_t type, if you want to transition an
301 executable to the openvpn_t domain.
302
303
304
305 openvpn_initrc_exec_t
306
307 - Set files with the openvpn_initrc_exec_t type, if you want to transi‐
308 tion an executable to the openvpn_initrc_t domain.
309
310
311
312 openvpn_status_t
313
314 - Set files with the openvpn_status_t type, if you want to treat the
315 files as openvpn status data.
316
317
318
319 openvpn_tmp_t
320
321 - Set files with the openvpn_tmp_t type, if you want to store openvpn
322 temporary files in the /tmp directories.
323
324
325
326 openvpn_unconfined_script_exec_t
327
328 - Set files with the openvpn_unconfined_script_exec_t type, if you want
329 to transition an executable to the openvpn_unconfined_script_t domain.
330
331
332
333 openvpn_var_lib_t
334
335 - Set files with the openvpn_var_lib_t type, if you want to store the
336 openvpn files under the /var/lib directory.
337
338
339
340 openvpn_var_log_t
341
342 - Set files with the openvpn_var_log_t type, if you want to treat the
343 data as openvpn var log data, usually stored under the /var/log direc‐
344 tory.
345
346
347
348 openvpn_var_run_t
349
350 - Set files with the openvpn_var_run_t type, if you want to store the
351 openvpn files under the /run or /var/run directory.
352
353
354 Paths:
355 /var/run/openvpn(/.*)?, /var/run/openvpn.client.*, /var/run/open‐
356 vpn-server(/.*)?
357
358
359 Note: File context can be temporarily modified with the chcon command.
360 If you want to permanently change the file context you need to use the
361 semanage fcontext command. This will modify the SELinux labeling data‐
362 base. You will need to use restorecon to apply the labels.
363
364
366 semanage fcontext can also be used to manipulate default file context
367 mappings.
368
369 semanage permissive can also be used to manipulate whether or not a
370 process type is permissive.
371
372 semanage module can also be used to enable/disable/install/remove pol‐
373 icy modules.
374
375 semanage port can also be used to manipulate the port definitions
376
377 semanage boolean can also be used to manipulate the booleans
378
379
380 system-config-selinux is a GUI tool available to customize SELinux pol‐
381 icy settings.
382
383
385 This manual page was auto-generated using sepolicy manpage .
386
387
389 selinux(8), openvpn(8), semanage(8), restorecon(8), chcon(1), sepol‐
390 icy(8), setsebool(8), openvpn_unconfined_script_selinux(8), openvpn_un‐
391 confined_script_selinux(8)
392
393
394
395openvpn 23-02-03 openvpn_selinux(8)