On 5/30/07, Daniel J Walsh dwalsh@redhat.com wrote:
Easiest thing to do is update policy with these two rules.
# grep openvpn /var/log/audit/audit.log | audit2allow -M myopenvpn
# semodule -i myopenvpn.pp
This will add the following rules:
allow openvpn_t pppd_t:fd use;
allow openvpn_t self:process execstack;
The pppd_t:fd is probably a leaked file descriptor and could probably be dontaudited. The execstack is potentially a problem in openvpn_t. This is probably a coding problem and should be reported as a bug.
Daniel, do you mean a bug in SELinux or OpenVPN?
Best regards, Bernd.