Hide Forgot
Description of problem: Upon trying to activate the VPN interface, I received the pop-up advising me that it was blocked. SELinux is preventing /usr/sbin/openvpn from 'open' accesses on the file /home/marc/personalVPN/CN00318823.crt. ***** Plugin openvpn (47.5 confidence) suggests **************************** If you want to mv CN00318823.crt to standard location so that openvpn can have open access Then you must move the cert file to the ~/.cert directory Do # mv /home/marc/personalVPN/CN00318823.crt ~/.cert # restorecon -R -v ~/.cert ***** Plugin openvpn (47.5 confidence) suggests **************************** If you want to modify the label on CN00318823.crt so that openvpn can have open access on it Then you must fix the labels. Do # semanage fcontext -a -t home_cert_t /home/marc/personalVPN/CN00318823.crt # restorecon -R -v /home/marc/personalVPN/CN00318823.crt ***** Plugin catchall (6.38 confidence) suggests *************************** If you believe that openvpn should be allowed open access on the CN00318823.crt file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep openvpn /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:openvpn_t:s0 Target Context unconfined_u:object_r:user_home_t:s0 Target Objects /home/marc/personalVPN/CN00318823.crt [ file ] Source openvpn Source Path /usr/sbin/openvpn Port <Unknown> Host (removed) Source RPM Packages openvpn-2.3.2-1.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-73.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.10.10-200.fc19.x86_64 #1 SMP Thu Aug 29 19:05:45 UTC 2013 x86_64 x86_64 Alert Count 2 First Seen 2013-09-03 16:46:59 EDT Last Seen 2013-09-05 17:57:28 EDT Local ID f008846c-ad32-4676-925c-4a86a1b87a2b Raw Audit Messages type=AVC msg=audit(1378418248.924:702): avc: denied { open } for pid=1996 comm="openvpn" path="/home/marc/personalVPN/CN00318823.crt" dev="dm-2" ino=11141302 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file type=SYSCALL msg=audit(1378418248.924:702): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffcf992f0e a1=0 a2=1b6 a3=7fffcf990410 items=0 ppid=1992 pid=1996 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=openvpn exe=/usr/sbin/openvpn subj=system_u:system_r:openvpn_t:s0 key=(null) Hash: openvpn,openvpn_t,user_home_t,file,open Additional info: reporter: libreport-2.1.6 hashmarkername: setroubleshoot kernel: 3.10.10-200.fc19.x86_64 type: libreport Potential duplicate: bug 849784
***** Plugin openvpn (47.5 confidence) suggests **************************** If you want to mv CN00318823.crt to standard location so that openvpn can have open access Then you must move the cert file to the ~/.cert directory Do # mv /home/marc/personalVPN/CN00318823.crt ~/.cert # restorecon -R -v ~/.cert or the change labeling how alert tells you.
This is a pretty good analysis by setroubleshoot, if I do say so myself. Option 1 and 2 are spot on.
I'm new to the Bugzilla world and really appreciate the help. The solution worked like a charm!