Bug 1733319

Summary: SELinux fails to activate OpenVPN policy
Product: Fedora
Reporter: mock <mark>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 30
CC: dwalsh, lvrabec, mark, mgrepl, plautrba, zpytela
Hardware: x86_64
OS: Linux
Last Closed: 2019-07-29 11:17:53 UTC
Type: Bug

Description mock 2019-07-25 17:03:58 UTC
Description of problem:
SELinux fails to activate the policy to allow it to read the certification file.


Version-Release number of selected component (if applicable):
policycoreutils.x86_64 - 2.9-1.fc30


How reproducible:
Consistently


Steps to Reproduce:
1. Build a new Fedora 30 workstation
2. Set up a new OpenVPN connection with existing key and cert files
3. Activate the VPN connection
4. Wait for SELinux to complain about access to any of the files used for the configuration
5. Try the troubleshooting suggestion to add a policy. Watch it throw an error


Actual results:
# ausearch -c 'openvpn' --raw | audit2allow -M openvpn
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i openvpn.pp

# semodule -X 100 -i openvpn.pp 
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/100/openvpn/cil:2



Expected results:
No response from the semodule command.


Additional info:

Comment 1 Zdenek Pytela 2019-07-26 07:05:33 UTC
Hi,

We are missing any data about the denial, so we can only suppose the key or cert files are mislabeled. To fix the labels along with the SELinux policy, run this command:

  # /sbin/restorecon -v /etc

possibly changing the path depending on the files reported, or set up the machine to relabel all filesystems on the next reboot:

  # fixfiles onboot

and reboot the system.

If that does not help, please include the output of

  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

to display today's AVC messages.

Additionally, for a custom policy module a name different from the existing one needs to be used, see:

  # semodule -l | grep openvpn
openvpn

Comment 2 mock 2019-07-29 11:17:53 UTC
Seems using a name other than openvpn was the trick. I changed it to my-openvpn and installed the my-openvpn.pp module successfully.

Thanks for the help on this. I'll keep in mind the name of the policy module should be something customized.
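The naming rule from comment 1 and the fix from comment 2, as an added example (not code from the reporter or from the Fedora SELinux maintainers): a small POSIX shell helper that checks a proposed module name against the `semodule -l` listing and falls back to a `my-` prefixed name, plus a wrapper for the `ausearch | audit2allow -M` step from the report. The function names and the `my-` prefix convention are this example's own assumptions.

```shell
#!/bin/sh
# Added example: choose a custom SELinux module name that does not collide
# with a module already installed (here, the distribution's "openvpn"
# module, which caused "Failed to resolve typeattributeset statement").
# Helper names below are this example's own, not part of policycoreutils.

# pick_module_name INSTALLED WANTED
#   INSTALLED: output of `semodule -l` (one module name per line)
#   WANTED:    the name you would like to use
# Prints WANTED if no installed module has that exact name, otherwise
# "my-WANTED" (the name the reporter used in comment 2).
pick_module_name() {
    installed="$1"
    wanted="$2"
    if printf '%s\n' "$installed" | grep -qx -e "$wanted"; then
        printf 'my-%s\n' "$wanted"
    else
        printf '%s\n' "$wanted"
    fi
}

# build_module PROCESS WANTED
#   Generates NAME.te and NAME.pp from the recorded denials for PROCESS,
#   using a non-colliding NAME, and prints NAME. Needs root and the
#   policycoreutils/audit tools; returns 1 if they are not available.
build_module() {
    proc="$1"
    command -v semodule >/dev/null 2>&1 || return 1
    name=$(pick_module_name "$(semodule -l)" "$2")
    ausearch -c "$proc" --raw | audit2allow -M "$name" || return 1
    # Inspect $name.te before loading: audit2allow permits exactly the
    # accesses that were denied, which may be broader than you intend.
    # Mislabeled files are fixed with restorecon, not with a new module.
    printf 'Review %s.te, then run: semodule -X 100 -i %s.pp\n' "$name" "$name" >&2
    printf '%s\n' "$name"
}

# Usage (only runs when called with arguments on a host that has semodule):
#   sh this_script.sh openvpn openvpn   -> builds my-openvpn.pp
if [ $# -eq 2 ] && command -v semodule >/dev/null 2>&1; then
    build_module "$1" "$2"
fi
```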