From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 9 May 2013 21:58:43 +0200 Subject: [refpolicy] [PATCH 1/1] Allow openvpn temporary files Message-ID: <20130509195843.GA8851@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When launching OpenVPN, it fails to start and the following error is displayed in the openvpn.log file: Options error: Temporary directory (--tmp-dir) fails with '/tmp': Permission denied The AVC denial shows an attempt to read/write/search in tmp_t directory. A quick check through the code does not show any attempts to create directories, only temporary file, so create an openvpn_tmp_t with the proper file transition towards it. See also https://bugs.gentoo.org/show_bug.cgi?id=468636 Signed-off-by: Sven Vermeulen --- openvpn.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/openvpn.te b/openvpn.te index ad85917..ac11789 100644 --- a/openvpn.te +++ b/openvpn.te @@ -32,6 +32,9 @@ init_script_file(openvpn_initrc_exec_t) type openvpn_status_t; logging_log_file(openvpn_status_t) +type openvpn_tmp_t; +files_tmp_file(openvpn_tmp_t) + type openvpn_var_log_t; logging_log_file(openvpn_var_log_t) @@ -62,6 +65,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) allow openvpn_t openvpn_status_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") +allow openvpn_t openvpn_tmp_t:file manage_file_perms; +files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) + manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -- 1.8.1.5
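Review bot: In the second hunk (@@ -62,6 +65,9 @@), files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) only transitions objects of class file, and the allow rule beside it only covers openvpn_tmp_t:file, so a directory, socket or FIFO that openvpn_t creates under /tmp would keep the tmp_t label and still be denied. That is the least-privilege choice and agrees with the commit message, but the message bases it on "a quick check through the code". Please confirm it with a run in enforcing mode that shows no remaining tmp_t denials for openvpn_t, and say in the commit message that limiting the transition to files is deliberate. The transition also applies only where the parent directory is tmp_t, so a --tmp-dir pointing at a differently labelled location is not covered by this change. As a style point, the raw allow could be written as manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t), although the allow form does match the openvpn_status_t rule directly above it.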