Bug 1329897

Summary: SELinux blocks OpenVPN connection with NetworkManager
Product: [Fedora] Fedora
Reporter: Miro Hrončok <mhroncok>
Component: NetworkManager-openvpn
Assignee: Lubomir Rintel <lkundrak>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: choeger, dcbw, ecnill.j, huzaifas, lkundrak, mgrepl, mhroncok, psimerda, steve, thaller
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-04-26 12:23:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Miro Hrončok 2016-04-24 13:17:25 UTC
Description of problem:
I cannot connect to OpenVPN through NetworkManager when SELinux is in enforcing mode

Version-Release number of selected component (if applicable):
NetworkManager-openvpn-1.0.8-2.fc23.x86_64
selinux-policy-3.13.1-158.9.fc23.noarch

Steps to Reproduce:
1. Create an OpenVPN connection through NetworkManager
2. Try to connect

Actual results:
Connection fails for unknown reason

# grep openvpn /var/log/audit/audit.log
type=AVC msg=audit(1461503083.125:2856): avc:  denied  { open } for  pid=20868 comm="openvpn" path=2F686F6D652F636875726368796172642F537461C5BE656EC3A92F76706E2F68726F6E636D69722E637274 dev="dm-3" ino=7087220 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1461503147.364:2869): avc:  denied  { open } for  pid=20979 comm="openvpn" path=2F686F6D652F636875726368796172642F537461C5BE656EC3A92F76706E2F68726F6E636D69722E637274 dev="dm-3" ino=7087220 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1461503457.674:2902): avc:  denied  { open } for  pid=21341 comm="openvpn" path=2F686F6D652F636875726368796172642F537461C5BE656EC3A92F76706E2F68726F6E636D69722E637274 dev="dm-3" ino=7087220 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1


Expected results:
Should connect in default config

Workaround:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Comment 1 Thomas Haller 2016-04-24 19:09:42 UTC
Are you using certificate files?

(check the settings via `nmcli connection show $CONNECTION_NAME`)


Those files must be readable by openvpn, also in terms of SELinux.
Usually, they should be in ~/.certs, as this directory has proper labels.

Comment 2 Miro Hrončok 2016-04-24 22:17:05 UTC
Yes I am, I have them in a different folder.

If I move them to ~/.certs, I get:
type=AVC msg=audit(1461536162.965:578): avc:  denied  { open } for  pid=731 comm="openvpn" path="/home/churchyard/.certs/hroncmir.crt" dev="dm-3" ino=7087887 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

Comment 3 Thomas Haller 2016-04-25 13:41:50 UTC
In principle, you can also have the files in a different directory, as long as the labeling is correct. But if you put files in a different directory (e.g. when downloading them), they get a wrong label by default.

Moving files doesn't change the SELinux label. Copying would...


What gives:


 ls -lZ ~/.cert/*

 restorecon -Rv ~/.cert

 ls -lZ ~/.cert/*

Comment 4 Thomas Haller 2016-04-25 16:00:12 UTC
Anyway, so the answer to this bug is that, since currently we are using certificates from files, the SELinux labeling has to be right. There is not much we can do about that.

This inevitably leads to quirks like this.


The long-term solution will be to use pkcs11 and store the certificates in a certificate store. https://wiki.gnome.org/Projects/NetworkManager/PKCS11


It's a dupe of bug 1074830
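The AVC lines in the description hex-encode the denied path because it contains non-ASCII bytes, which hides the fact that the certificates were being read from a download folder rather than from a directory the policy labels for certificates. The following script is an added example for this thread (it is not code from the report, from NetworkManager-openvpn or from selinux-policy): it parses `audit.log` AVC records like the ones quoted above, decodes the hex path, checks whether the file `openvpn_t` was denied carries the `home_cert_t` type that `~/.cert` gets (per the `ls -lZ` output later in the thread), and prints a relabeling fix instead of the `audit2allow` workaround, which would grant `openvpn_t` the denied permission on every `user_home_t` file. The sample audit records are the report's own first two AVC lines plus one constructed non-AVC record; the `ls -lZ` sample is taken from the thread.

```python
"""Triage SELinux AVC denials for OpenVPN certificate files (added example)."""
import re
import shlex

# Type selinux-policy applies under ~/.cert; the thread's ls -lZ output shows
# home_cert_t there, user_home_t elsewhere in the home directory.
EXPECTED_TYPE = "home_cert_t"
CERT_DIR = "~/.cert"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")


def decode_audit_value(raw: str) -> str:
    """auditd quotes plain values and hex-encodes ones with spaces or non-ASCII."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:  # not hex (e.g. "(null)"): keep as-is
        return raw


def context_type(ctx: str) -> str:
    """user:role:type:level -> type component."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str):
    """Return a dict for an AVC 'denied' record, None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    return {
        "perms": m.group("perms").split(),
        "comm": decode_audit_value(fields.get("comm", "")),
        "path": decode_audit_value(fields.get("path", "")),
        "source_type": context_type(fields.get("scontext", "")),
        "target_type": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "permissive": fields.get("permissive") == "1",
    }


def triage_audit_log(text: str):
    """Parse every AVC record in audit.log text, in file order."""
    return [rec for rec in (parse_avc(ln) for ln in text.splitlines()) if rec]


def needs_relabel(rec) -> bool:
    """True when openvpn_t was denied on a file that is not typed as a cert."""
    return (rec["source_type"] == "openvpn_t" and rec["tclass"] == "file"
            and rec["target_type"] != EXPECTED_TYPE)


def remediation(rec) -> str:
    """Shell commands that fix the label rather than loosening the policy.

    cp, not mv, is deliberate: a moved file keeps its old label, a copy into
    ~/.cert gets the policy default, and restorecon enforces it either way.
    """
    return (f"mkdir -p {CERT_DIR} && cp {shlex.quote(rec['path'])} {CERT_DIR}/ "
            f"&& restorecon -Rv {CERT_DIR}")


def mislabeled_from_ls(ls_output: str):
    """From `ls -lZ` lines, list (path, type) of regular files not typed home_cert_t."""
    bad = []
    for line in ls_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("-"):
            continue
        ctx, path = parts[4], parts[-1]  # context is the 5th column, path the last
        if context_type(ctx) != EXPECTED_TYPE:
            bad.append((path, context_type(ctx)))
    return bad


# Sample input: two AVC lines quoted from the report, plus one constructed
# SYSCALL record to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1461503083.125:2856): avc:  denied  { open } for  pid=20868 comm="openvpn" path=2F686F6D652F636875726368796172642F537461C5BE656EC3A92F76706E2F68726F6E636D69722E637274 dev="dm-3" ino=7087220 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1461536162.965:578): avc:  denied  { open } for  pid=731 comm="openvpn" path="/home/churchyard/.certs/hroncmir.crt" dev="dm-3" ino=7087887 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1461503083.125:2856): arch=c000003e syscall=2 success=no exit=-13 comm="openvpn"
"""

# Sample `ls -lZ` lines from the thread: one file in ~/.certs, one in ~/.cert.
SAMPLE_LS = """\
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 1935  5. led 16.10 /home/churchyard/.certs/ca.crt
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 1935 26. dub 13.27 /home/churchyard/.cert/ca.crt
"""

if __name__ == "__main__":
    for rec in triage_audit_log(SAMPLE_AUDIT):
        flag = "RELABEL" if needs_relabel(rec) else "ok"
        print(f"{flag:7} {rec['comm']} {rec['perms']} {rec['path']} ({rec['target_type']})")
        if needs_relabel(rec):
            print("        fix:", remediation(rec))
    for path, typ in mislabeled_from_ls(SAMPLE_LS):
        print(f"mislabeled {path}: {typ}")
```

Run against a real `audit.log` by replacing `SAMPLE_AUDIT` with the file contents; the decoded first path shows the certificate was under a `Stažené` ("Downloads") folder, which matches the explanation that downloaded files get a wrong label by default.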

Comment 5 Miro Hrončok 2016-04-26 11:29:56 UTC
[~]$ ls -lZ ~/.certs/*
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 1935  5. led 16.10 /home/churchyard/.certs/ca.crt
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 6368  5. led 16.10 /home/churchyard/.certs/hroncmir.crt
-rw-------. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 2500  5. led 16.10 /home/churchyard/.certs/hroncmir.key
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0  188  5. led 16.10 /home/churchyard/.certs/vpn-rozvoj-fit.conf

[~]$ restorecon -Rv ~/.certs

[~]$ ls -lZ ~/.certs/*
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 1935  5. led 16.10 /home/churchyard/.certs/ca.crt
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 6368  5. led 16.10 /home/churchyard/.certs/hroncmir.crt
-rw-------. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 2500  5. led 16.10 /home/churchyard/.certs/hroncmir.key
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0  188  5. led 16.10 /home/churchyard/.certs/vpn-rozvoj-fit.conf


[~]$ cp -r .certs/ .cert


[~]$ ls -lZ ~/.cert/*
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 1935 26. dub 13.27 /home/churchyard/.cert/ca.crt
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 6368 26. dub 13.27 /home/churchyard/.cert/hroncmir.crt
-rw-------. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 2500 26. dub 13.27 /home/churchyard/.cert/hroncmir.key
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0  188 26. dub 13.27 /home/churchyard/.cert/vpn-rozvoj-fit.conf

[~]$ restorecon -Rv ~/.cert

[~]$ ls -lZ ~/.cert/*
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 1935 26. dub 13.28 /home/churchyard/.cert/ca.crt
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 6368 26. dub 13.28 /home/churchyard/.cert/hroncmir.crt
-rw-------. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 2500 26. dub 13.28 /home/churchyard/.cert/hroncmir.key
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0  188 26. dub 13.28 /home/churchyard/.cert/vpn-rozvoj-fit.conf


I don't see much difference.

Comment 6 Miro Hrončok 2016-04-26 11:30:29 UTC
Oh, unconfined_u:object_r:user_home_t:s0 -> unconfined_u:object_r:home_cert_t:s0

Will try that folder as well.

Comment 7 Miro Hrončok 2016-04-26 11:35:20 UTC
Yep, copying to ~/.cert actually works.

Is this documented? And where?

Comment 8 Thomas Haller 2016-04-26 12:23:31 UTC
Ah, sorry. Initially I said "certs". Should be "cert".

I don't know about documentation about this, but the selinux-policy defines which labels to apply to .cert.



I am duping this to bug 1074830 (on rawhide), see
https://bugzilla.redhat.com/show_bug.cgi?id=1074830#c16 for the reason why.

*** This bug has been marked as a duplicate of bug 1074830 ***