Description of problem:
NetworkManager-openvpn uses a management socket to send credentials to openvpn child processes. In the latest package version, this socket is now a Unix socket below /run/NetworkManager. SELinux prevents openvpn from accessing this socket.

Version-Release number of selected component (if applicable):
NetworkManager-openvpn.3.20141110gitda5fb9b.fc21 (updates-testing)
selinux-policy.3.13.1

How reproducible:
always

Steps to Reproduce:
1. Create an OpenVPN connection through NetworkManager
2. Try to connect

Actual results:
SELinux prevents openvpn from accessing /var/run/NetworkManager, and therefore openvpn never gets the credentials for the connection.

Expected results:
SELinux should allow openvpn to access the management socket (although not necessarily below /run/NetworkManager).

Additional info:
NetworkManager-openvpn, previously:
https://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.c?id=738fa8edb684e0968f1d52327e978066bca82484#n1123
NetworkManager-openvpn, now:
https://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.c?id=da5fb9#n1187

SETroubleshoot Details:

SELinux is preventing openvpn from search access on the directory NetworkManager.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that openvpn should be allowed search access on the NetworkManager directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                NetworkManager [ dir ]
Source                        openvpn
Source Path                   openvpn
Port                          <Unknown>
Host                          lski-029
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-92.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lski-029
Platform                      Linux lski-029 3.17.2-300.fc21.x86_64 #1 SMP Thu Oct 30 19:23:48 UTC 2014 x86_64 x86_64
Alert Count                   3
First Seen                    2014-11-14 09:36:18 CET
Last Seen                     2014-11-14 09:37:49 CET
Local ID                      f8abf0db-94b8-4aa5-b847-71d616e60e50

Raw Audit Messages
type=AVC msg=audit(1415954269.733:4013): avc: denied { search } for pid=7508 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=19883 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0

Hash: openvpn,openvpn_t,NetworkManager_var_run_t,dir,search
*** Bug 1164186 has been marked as a duplicate of this bug. ***
commit 1e7882e582e0d769e87263dd0f1dcb0feaa663b3
Author: Lukas Vrabec <lvrabec>
Date:   Fri Nov 14 12:54:40 2014 +0100

    Allow openvpn to stream connect to networkmanager.
    BZ(1164182)
I now get

type=AVC msg=audit(1415984220.840:449): avc: denied { write } for pid=2327 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=21852 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0

with selinux-policy-3.13.1-96.fc21.
Description of problem:
1. Create an openvpn connection with a pre-shared key from user's home directory (might be or not be important)
2. Activate the connection

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.2-300.fc21.x86_64
type:           libreport
Description of problem:
Tried to connect to openvpn network.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.2-300.fc21.x86_64
type:           libreport
Description of problem:
Starting an existing VPN

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.2-300.fc21.x86_64
type:           libreport
Description of problem:
See also bug 1165572.

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport
I get the following with selinux-policy-3.13.1-96.fc21.noarch in permissive mode:

# ausearch -ts recent -m AVC
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1041): avc: denied { write } for pid=26587 comm="openvpn" name="NetworkManager" dev="tmpfs" ino=22979 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1042): avc: denied { remove_name } for pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" dev="tmpfs" ino=52653 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1043): avc: denied { unlink } for pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" dev="tmpfs" ino=52653 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file permissive=1
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1044): avc: denied { add_name } for pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Nov 19 10:22:44 2014
type=AVC msg=audit(1416388964.261:1045): avc: denied { create } for pid=26587 comm="openvpn" name="nm-openvpn-8bbe9b2a-0a1b-4a38-8773-bde72eef87ea" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file permissive=1

or in short

# ausearch -ts recent -m AVC | audit2allow

#============= openvpn_t ==============
allow openvpn_t NetworkManager_var_run_t:dir { write remove_name add_name };
allow openvpn_t NetworkManager_var_run_t:sock_file { create unlink };

HTH

bye,
Sumit
*** This bug has been marked as a duplicate of bug 1165110 ***