[refpolicy] [PATCH 1/1] Allow openvpn temporary files

Sven Vermeulen sven.vermeulen at siphos.be
Thu May 9 15:58:43 EDT 2013

When launching OpenVPN, it fails to start and the following error 
is displayed in the openvpn.log file:

Options error: Temporary directory (--tmp-dir) fails with '/tmp': Permission

The AVC denial shows an attempt to read/write/search in a tmp_t directory. A quick
check through the code does not show any attempts to create directories, only
temporary files, so create an openvpn_tmp_t with the proper file transition
towards it.

See also https://bugs.gentoo.org/show_bug.cgi?id=468636

Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
 openvpn.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/openvpn.te b/openvpn.te
index ad85917..ac11789 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -32,6 +32,9 @@ init_script_file(openvpn_initrc_exec_t)
 type openvpn_status_t;
+type openvpn_tmp_t;
 type openvpn_var_log_t;
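
Review bot: `type openvpn_tmp_t;` is declared here with no visible `files_tmp_file(openvpn_tmp_t)` call after it. The hunk header counts three added lines (6 to 9) and only one is shown, so please confirm the declaration is paired with `files_tmp_file()`; without it the new type does not carry the tmp file attribute that generic tmp-file rules key on.
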
@@ -62,6 +65,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
 allow openvpn_t openvpn_status_t:file manage_file_perms;
 logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
+allow openvpn_t openvpn_tmp_t:file manage_file_perms;
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
 manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
 append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
 create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
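
Review bot: the two added rules cover class `file` only, and `files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)` applies only to files created in directories labelled tmp_t. That matches the commit message's finding that no directories are created, but the quoted error comes from the `--tmp-dir` option, so a configuration that points it outside /tmp will not get the transition. A short comment above these lines stating that assumption, plus the actual AVC record in the commit message, would make the grant easier to audit later.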
