Bug 1046300

Summary: SELinux is preventing /usr/sbin/openvpn from 'write' accesses on the file /home/.ecryptfs/tore/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa1nQWjlbVg0EQqeLUkiIx7X7oFBthnp9Kg7DTilY0RgRIwg8c93nl32E--/ECRYPTFS_FNEK_ENCRYPTED.FXa1nQWjlbVg0EQqeLUkiIx7X7oFBthnp9KgKp6...
Product: [Fedora] Fedora Reporter: Tore Anderson <tore>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: dominick.grift, dwalsh, lvrabec, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:0f44368ed9bd31a57268f389074aff0f5546770a66e1d894ce5e194308f8b988
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-06 14:28:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tore Anderson 2013-12-24 11:50:13 UTC 
Description of problem:
Attempted to start a VPN tunnel from the NetworkManager systray applet.

This worked just fine with Fedora 19 and immediately after the upgrade to Fedora 20. After doing "yum upgrade" today and rebooting, the filsystem was relabelled, and the error started appearing. At the same time google-chrome (which is completely unrelated to openvpn) started producing similar errors, so I believe something must have broken during the upgrade:

tore@sloth:~$ sudo grep 'Dec 24.*selinux' /var/log/yum.log 
Dec 24 08:51:33 Updated: libselinux-2.2.1-4.fc20.x86_64
Dec 24 08:51:42 Updated: libselinux-2.2.1-4.fc20.i686
Dec 24 08:52:11 Updated: libselinux-devel-2.2.1-4.fc20.x86_64
Dec 24 08:52:14 Updated: libselinux-utils-2.2.1-4.fc20.x86_64
Dec 24 08:52:14 Updated: libselinux-python-2.2.1-4.fc20.x86_64

Note: This bug happens at the same time as bug #1046299. I consider it highly likely that they are duplicates, but as the SELinux troubleshooter applet detects them as different problems, I submit both of them for completeness.
SELinux is preventing /usr/sbin/openvpn from 'write' accesses on the file /home/.ecryptfs/tore/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa1nQWjlbVg0EQqeLUkiIx7X7oFBthnp9Kg7DTilY0RgRIwg8c93nl32E--/ECRYPTFS_FNEK_ENCRYPTED.FXa1nQWjlbVg0EQqeLUkiIx7X7oFBthnp9KgKp6Jwa3Y8bFUVCZpploEK.nvKp11BNbrT5lYRe0eWm6-/ECRYPTFS_FNEK_ENCRYPTED.FWa1nQWjlbVg0EQqeLUkiIx7X7oFBthnp9KggS.z1REQSVDPCwjbWTVkbE--.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that openvpn should be allowed write access on the ECRYPTFS_FNEK_ENCRYPTED.FWa1nQWjlbVg0EQqeLUkiIx7X7oFBthnp9KggS.z1REQSVDPCwjbWTVkbE-- file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:ecryptfs_t:s0
Target Objects                /home/.ecryptfs/tore/.Private/ECRYPTFS_FNEK_ENCRYP
                              TED.FWa1nQWjlbVg0EQqeLUkiIx7X7oFBthnp9Kg7DTilY0RgR
                              Iwg8c93nl32E--/ECRYPTFS_FNEK_ENCRYPTED.FXa1nQWjlbV
                              g0EQqeLUkiIx7X7oFBthnp9KgKp6Jwa3Y8bFUVCZpploEK.nvK
                              p11BNbrT5lYRe0eWm6-/ECRYPTFS_FNEK_ENCRYPTED.FWa1nQ
                              WjlbVg0EQqeLUkiIx7X7oFBthnp9KggS.z1REQSVDPCwjbWTVk
                              bE-- [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openvpn-2.3.2-4.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.12.5-302.fc20.x86_64 #1 SMP Tue
                              Dec 17 20:42:32 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-12-24 12:43:15 CET
Last Seen                     2013-12-24 12:43:15 CET
Local ID                      8068676b-076c-4448-859a-2dfa56ee4d07

Raw Audit Messages
type=AVC msg=audit(1387885395.547:557): avc:  denied  { write } for  pid=2213 comm="openvpn" path="/home/.ecryptfs/tore/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa1nQWjlbVg0EQqeLUkiIx7X7oFBthnp9Kg7DTilY0RgRIwg8c93nl32E--/ECRYPTFS_FNEK_ENCRYPTED.FXa1nQWjlbVg0EQqeLUkiIx7X7oFBthnp9KgKp6Jwa3Y8bFUVCZpploEK.nvKp11BNbrT5lYRe0eWm6-/ECRYPTFS_FNEK_ENCRYPTED.FWa1nQWjlbVg0EQqeLUkiIx7X7oFBthnp9KggS.z1REQSVDPCwjbWTVkbE--" dev="sda3" ino=595570 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file


type=SYSCALL msg=audit(1387885395.547:557): arch=x86_64 syscall=access success=yes exit=0 a0=7fff89988ef3 a1=4 a2=0 a3=0 items=0 ppid=2208 pid=2213 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=openvpn exe=/usr/sbin/openvpn subj=system_u:system_r:openvpn_t:s0 key=(null)

Hash: openvpn,openvpn_t,ecryptfs_t,file,write

Additional info:
reporter:       libreport-2.1.10
hashmarkername: setroubleshoot
kernel:         3.12.5-302.fc20.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2014-01-06 14:28:59 UTC 

*** This bug has been marked as a duplicate of bug 1046299 ***