Bug 1286239

Summary: OpenVPN can't connect
Product: [Fedora] Fedora Reporter: Vít Ondruch <vondruch>
Component: NetworkManager-openvpnAssignee: Lubomir Rintel <lkundrak>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: choeger, dcbw, huzaifas, jklimes, lkundrak, psimerda, steve, thaller
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-01 10:46:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vít Ondruch 2015-11-27 14:58:54 UTC 
Description of problem:
Nov 27 14:00:45 localhost NetworkManager[1076]: <info>  vpn-connection[0x55d8fdddc520,cc410cf5-dc66-4369-81a0-cf3d0f656dfe,"OVPN BRQ UDP",0]: VPN connection: (ConnectInteractive) reply received
Nov 27 14:00:45 localhost nm-openvpn[2779]: Options error: Temporary directory (--tmp-dir) fails with '/tmp': Permission denied
Nov 27 14:00:45 localhost NetworkManager[1076]: <warn>  vpn-connection[0x55d8fdddc520,cc410cf5-dc66-4369-81a0-cf3d0f656dfe,"OVPN BRQ UDP",0]: VPN plugin: failed: connect-failed (1)
Nov 27 14:00:45 localhost nm-openvpn[2779]: Options error: Please correct these errors.
Nov 27 14:00:45 localhost NetworkManager[1076]: <warn>  vpn-connection[0x55d8fdddc520,cc410cf5-dc66-4369-81a0-cf3d0f656dfe,"OVPN BRQ UDP",0]: VPN plugin: failed: connect-failed (1)
Nov 27 14:00:45 localhost nm-openvpn[2779]: Use --help for more information.
Nov 27 14:00:45 localhost NetworkManager[1076]: <info>  vpn-connection[0x55d8fdddc520,cc410cf5-dc66-4369-81a0-cf3d0f656dfe,"OVPN BRQ UDP",0]: VPN plugin: state changed: stopping (5)
Nov 27 14:00:45 localhost NetworkManager[1076]: <info>  vpn-connection[0x55d8fdddc520,cc410cf5-dc66-4369-81a0-cf3d0f656dfe,"OVPN BRQ UDP",0]: VPN plugin: state changed: stopped (6)
Nov 27 14:00:45 localhost NetworkManager[1076]: (nm-openvpn-service:2732): nm-openvpn-WARNING **: openvpn exited with error code 1
Nov 27 14:00:45 localhost NetworkManager[1076]: <info>  vpn-connection[0x55d8fdddc520,cc410cf5-dc66-4369-81a0-cf3d0f656dfe,"OVPN BRQ UDP",0]: VPN plugin: state change reason: unknown (0)




This might be some SELinux related issue, since I observe this behavior after this update:

    Upgraded   selinux-policy-3.13.1-157.fc24.noarch                          @@commandline
    Upgrade                   3.13.1-160.fc24.noarch                          @rawhide
    Upgraded   selinux-policy-targeted-3.13.1-157.fc24.noarch                 @@commandline
    Upgrade                            3.13.1-160.fc24.noarch                 @rawhide




Version-Release number of selected component (if applicable):
$ rpm -q NetworkManager-openvpn
NetworkManager-openvpn-1.2.0-0.1.20151023gitadff387.fc24.x86_64


How reproducible:


Steps to Reproduce:
1. Try to connect to VPN via Gnome UI.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Jirka Klimes 2015-11-30 13:48:22 UTC 
Let's see if it is SELinux related. Can you try again and see if there are some AVC?
$ sudo ausearch -m avc -ts recent

Does it work with?
$ sudo setenforce 0

It might be a problem with openvpn running as a non root user now. But let's first figure out whether it is SELinux issue.
Comment 2 Vít Ondruch 2015-11-30 14:24:13 UTC 
(In reply to Jirka Klimes from comment #1)
> Let's see if it is SELinux related. Can you try again and see if there are
> some AVC?
> $ sudo ausearch -m avc -ts recent

This is what I can find in my log:


----
time->Fri Nov 27 14:00:33 2015
type=PROCTITLE msg=audit(1448629233.469:567): proctitle=2F7573722F7362696E2F6F70656E76706E002D2D72656D6F7465006F76706E2D6272712E7265646861742E636F6D0034343300756470002D2D6E6F62696E64002D2D6465760074756E002D2D636
970686572004145532D3235362D434243002D2D617574682D6E6F6361636865002D2D746C732D72656D6F7465006F76706E2D
type=SYSCALL msg=audit(1448629233.469:567): arch=c000003e syscall=21 success=no exit=-13 a0=55de5778acc1 a1=7 a2=7 a3=55de59889d00 items=0 ppid=2732 pid=2751 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1448629233.469:567): avc:  denied  { read write } for  pid=2751 comm="openvpn" name="/" dev="tmpfs" ino=9197 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov 27 14:00:45 2015
type=PROCTITLE msg=audit(1448629245.885:568): proctitle=2F7573722F7362696E2F6F70656E76706E002D2D72656D6F7465006F76706E2D6272712E7265646861742E636F6D0034343300756470002D2D6E6F62696E64002D2D6465760074756E002D2D636970686572004145532D3235362D434243002D2D617574682D6E6F6361636865002D2D746C732D72656D6F7465006F76706E2D
type=SYSCALL msg=audit(1448629245.885:568): arch=c000003e syscall=21 success=no exit=-13 a0=55827d2f2cc1 a1=7 a2=7 a3=55827e711d00 items=0 ppid=2732 pid=2779 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1448629245.885:568): avc:  denied  { read write } for  pid=2779 comm="openvpn" name="/" dev="tmpfs" ino=9197 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov 27 14:01:35 2015
type=PROCTITLE msg=audit(1448629295.066:571): proctitle=2F7573722F7362696E2F6F70656E76706E002D2D72656D6F7465006F76706E2D6272712E7265646861742E636F6D0034343300756470002D2D6E6F62696E64002D2D6465760074756E002D2D636970686572004145532D3235362D434243002D2D617574682D6E6F6361636865002D2D746C732D72656D6F7465006F76706E2D
type=SYSCALL msg=audit(1448629295.066:571): arch=c000003e syscall=21 success=no exit=-13 a0=55b3ac1d3cc1 a1=7 a2=7 a3=55b3acfe6d00 items=0 ppid=2732 pid=2887 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1448629295.066:571): avc:  denied  { read write } for  pid=2887 comm="openvpn" name="/" dev="tmpfs" ino=9197 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov 27 14:02:00 2015
type=PROCTITLE msg=audit(1448629320.714:572): proctitle=2F7573722F7362696E2F6F70656E76706E002D2D72656D6F7465006F76706E2D6272712E7265646861742E636F6D0034343300756470002D2D6E6F62696E64002D2D6465760074756E002D2D636970686572004145532D3235362D434243002D2D617574682D6E6F6361636865002D2D746C732D72656D6F7465006F76706E2D
type=SYSCALL msg=audit(1448629320.714:572): arch=c000003e syscall=21 success=no exit=-13 a0=55b391e36cc1 a1=7 a2=7 a3=55b3925ecd00 items=0 ppid=2732 pid=2920 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1448629320.714:572): avc:  denied  { read write } for  pid=2920 comm="openvpn" name="/" dev="tmpfs" ino=9197 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
Comment 3 Vít Ondruch 2015-12-01 10:46:33 UTC 

*** This bug has been marked as a duplicate of bug 1286964 ***