Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: normal

Dear Maintainer,
OpenVPN allows one to use socket files for the management interface instead of TCP ports. This is important on servers where non-admin users are also allowed to SSH in, because it limits their access to the management interface. Example directive:

    management /run/openvpn/server.sock unix
    management-client-user root
    management-client-group root

However, there is no SELinux rule in the current and future (2:2.20200502-1 has been checked) versions of the package that allows creation of such a socket file. So it was denied during start/stop of the service and logged as these messages:

----------------
type=AVC msg=audit(1591045213.430:2109): avc: denied { unlink } for pid=8880 comm="openvpn" name="server.sock" dev="tmpfs" ino=13559 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1591045213.434:2110): avc: denied { create } for pid=8880 comm="openvpn" name="server.sock" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=sock_file permissive=1
----------------

So I had to create one on my own:

+++
$ cat ovpn_sock.te
module ovpn_sock 1.0;

require {
        type openvpn_var_run_t;
        type openvpn_t;
        class sock_file { create unlink };
}

#============= openvpn_t ==============
# let the openvpn daemon create and remove its management socket under /run/openvpn
allow openvpn_t openvpn_var_run_t:sock_file { create unlink };
+++

I wonder if it would be possible to integrate this into the package shipped in Debian.

Thank you.
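The module above was written by hand from the two denials. As an added example (not the reporter's or the Debian package's code), the POSIX shell function below derives the same require block and allow rule from AVC denial lines the way audit2allow does, and goes slightly further by merging the permissions of repeated denials for the same source type, target type and class. The audit lines are constructed from the two quoted above; the function names are assumptions.

```shell
#!/bin/sh
# Added example: derive a minimal SELinux policy module (.te) from AVC denials.
# AVC_LOG is constructed from the two denials in the report (double spaces as
# the kernel emits them); avc_to_te is a hypothetical helper, not Debian tooling.

AVC_LOG='type=AVC msg=audit(1591045213.430:2109): avc:  denied  { unlink } for  pid=8880 comm="openvpn" name="server.sock" dev="tmpfs" ino=13559 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1591045213.434:2110): avc:  denied  { create } for  pid=8880 comm="openvpn" name="server.sock" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=sock_file permissive=1'

# avc_to_te MODULE_NAME < audit-lines
# Reads AVC "denied" lines on stdin and prints a policy module that requires every
# type and class seen and emits one allow rule per (source, target:class), with the
# permissions of repeated denials merged (duplicates dropped, first-seen order kept).
avc_to_te() {
    grep 'avc: *denied' |
    sed -n 's/.*denied *{ *\([^}]*\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    awk -v mod="$1" '
    {   # fields: source_type target_type class perm...
        key = $1 " " $2 ":" $3
        types[$1] = 1; types[$2] = 1
        for (i = 4; i <= NF; i++) {
            if (index(" " perms[key] " ", " " $i " ") == 0) perms[key]  = perms[key]  " " $i
            if (index(" " cperms[$3] " ", " " $i " ") == 0) cperms[$3] = cperms[$3] " " $i
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (t in types)  printf "\ttype %s;\n", t
        for (c in cperms) printf "\tclass %s {%s };\n", c, cperms[c]
        printf "}\n\n"
        for (k in perms) { split(k, a, " "); printf "allow %s %s {%s };\n", a[1], a[2], perms[k] }
    }'
}

# Stand-alone run: print the generated module for the report's denials.
printf '%s\n' "$AVC_LOG" | avc_to_te ovpn_sock

# On a host with the SELinux toolchain the result is built and loaded as usual:
#   checkmodule -M -m -o ovpn_sock.mod ovpn_sock.te
#   semodule_package -o ovpn_sock.pp -m ovpn_sock.mod
#   semodule -i ovpn_sock.pp
```

Feed it `ausearch -m avc` output for the openvpn service after a start/stop cycle in permissive mode and it reproduces the module in the report; the order of the require entries is not significant to checkmodule.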
-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b3
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information