Description of problem:
This AVC happens when I try to connect to an openvpn instance from a GNOME/Wayland session using gnome-control-center & NetworkManager. Please note that I don't know whether this should be allowed (missing rule in SELinux) or whether NetworkManager is doing something wrong.

SELinux is preventing openvpn from 'open' accesses on the file 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274.

***** Plugin openvpn (47.5 confidence) suggests ***************************

If sie 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274 an den Standard-Speicherort verschieben möchten, so das openvpn open Zugriff hat.
Then sie müssen die cert-Datei ins ~/.cert-Verzeichnis verschieben
Do
# mv 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274 ~/.cert
# restorecon -R -v ~/.cert

***** Plugin openvpn (47.5 confidence) suggests ***************************

If sie die Kennzeichnung von 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274 ändern möchten, so dass openvpn open Zugriff darauf hat
Then sie müssen die Markierungen korrigieren.
Do
# semanage fcontext -a -t home_cert_t 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274
# restorecon -R -v 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274

***** Plugin catchall (6.38 confidence) suggests **************************

If sie denken, dass es openvpn standardmässig erlaubt sein sollte, open Zugriff auf 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274 file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                2F686F6D652F63687269737469616E2F464155206365727473 2F52525A452D56504E2D43412E637274 [ file ]
Source                        openvpn
Source Path                   openvpn
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-146.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.0-1.fc23.x86_64 #1 SMP Mon Aug 31 15:57:27 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-09-08 11:18:00 CEST
Last Seen                     2015-09-08 11:18:09 CEST
Local ID                      540f0190-f7b1-420b-8b98-1c354fbbd20a

Raw Audit Messages
type=AVC msg=audit(1441703889.720:953): avc: denied { open } for pid=18826 comm="openvpn" path=2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274 dev="dm-0" ino=17849 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

Hash: openvpn,openvpn_t,user_home_t,file,open

Version-Release number of selected component:
selinux-policy-3.13.1-146.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.0-1.fc23.x86_64
type:           libreport

Potential duplicate: bug 849784
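An added example, not part of the original report or of any project's code: the kernel audit subsystem hex-encodes a path value that contains a space, which is why the denial above names a hex string instead of a file. This Python sketch decodes the page's own AVC record and pulls out the two SELinux types involved; the function names and the `HEX_CAPABLE` field list are assumptions of the example.

```python
import re

# AVC record copied from the report above; the only input, nothing is read from disk.
RECORD = (
    'type=AVC msg=audit(1441703889.720:953): avc: denied { open } for pid=18826 '
    'comm="openvpn" path=2F686F6D652F63687269737469616E2F4641552063657274732F'
    '52525A452D56504E2D43412E637274 dev="dm-0" ino=17849 '
    'scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
)

# Fields audit may hex-encode (assumed subset, enough for AVC file denials).
HEX_CAPABLE = {"path", "name", "comm", "exe"}


def decode_value(key, value):
    """Strip quotes from literal values; decode unquoted hex in string fields."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    if key in HEX_CAPABLE and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value  # numeric and other fields (pid, ino, tclass, ...) stay as written


def parse_avc(record):
    """Return the decision, permissions and decoded key=value fields of one AVC record."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", record)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: decode_value(k, v) for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    # An SELinux context is user:role:type[:level]; the type is what policy rules match on.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields


def summarize(record):
    """One-line, human-readable form of the denial."""
    f = parse_avc(record)
    return "{} ({}) {} {{ {} }} on {} {!r} labelled {}".format(
        f["comm"], f["source_type"], f["result"], " ".join(f["perms"]),
        f["tclass"], f["path"], f["target_type"])


if __name__ == "__main__":
    print(summarize(RECORD))
```

The decoded path shows the certificate sits in an ordinary home subdirectory carrying `user_home_t`, not the `home_cert_t` label that the setroubleshoot suggestion above proposes.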
Ok we need to review this issue. Basically this is NM vs. random location of certs in HOMEDIR.
Maybe work with NM Team to place certs in proper directory.
Description of problem:
Was trying to set up OpenVPN via Network manager. I did get it to work eventually but had to use setenforce 0.
Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch
Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport
Description of problem:
SELinux won't let my VPN connection connect (which is annoying).
Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport
Description of problem:
Was trying to connect my VPN to p2p1.
Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport
Description of problem:
Was trying to connect to my VPN (worked perfectly prior to now).
Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport
Still present in F24. This prevents most users from using OpenVPN at all. Workaround: Copy your certificate to /opt or /etc, e.g. /etc/pki. Make sure it is readable by all users.
*** This bug has been marked as a duplicate of bug 1074830 ***
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days