Bug 1260939 - SELinux is preventing openvpn from 'open' accesses on the file 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274.
Summary: SELinux is preventing openvpn from 'open' accesses on the file 2F686F6D652F63...
Keywords:
Status: CLOSED DUPLICATE of bug 1074830
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager
Version: 24
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lubomir Rintel
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:46b2b84a95888552442542dec77...
Depends On:
Blocks:
 
Reported: 2015-09-08 09:28 UTC by Christian Stadelmann
Modified: 2023-09-14 03:04 UTC (History)
CC: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-28 11:17:06 UTC
Type: ---
Embargoed:



Description Christian Stadelmann 2015-09-08 09:28:07 UTC
Description of problem:
This AVC happens when I try to connect to an openvpn instance from a GNOME/Wayland session using gnome-control-center & NetworkManager.
Please note that I don't know whether this should be allowed (missing rule in SELinux) or whether NetworkManager is doing something wrong.
SELinux is preventing openvpn from 'open' accesses on the file 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274.

*****  Plugin openvpn (47.5 confidence) suggests   ***************************

If you want to move 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274 to the default location so that openvpn has open access to it.
Then you must move the cert file into the ~/.cert directory
Do
# mv 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274 ~/.cert
# restorecon -R -v ~/.cert


*****  Plugin openvpn (47.5 confidence) suggests   ***************************

If you want to change the label of 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274 so that openvpn has open access to it
Then you must fix the labels.
Do
# semanage fcontext -a -t home_cert_t 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274
# restorecon -R -v 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274


*****  Plugin catchall (6.38 confidence) suggests   **************************

If you think that openvpn should be allowed open access to the 2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274 file by default.
Then you should report this as a bug.
To allow this access, you can create a local policy module.
Do
allow the access now by running the following commands:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274 [ file ]
Source                        openvpn
Source Path                   openvpn
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-146.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.0-1.fc23.x86_64 #1 SMP Mon Aug 31 15:57:27 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-09-08 11:18:00 CEST
Last Seen                     2015-09-08 11:18:09 CEST
Local ID                      540f0190-f7b1-420b-8b98-1c354fbbd20a

Raw Audit Messages
type=AVC msg=audit(1441703889.720:953): avc:  denied  { open } for  pid=18826 comm="openvpn" path=2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D56504E2D43412E637274 dev="dm-0" ino=17849 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0


Hash: openvpn,openvpn_t,user_home_t,file,open

Version-Release number of selected component:
selinux-policy-3.13.1-146.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.0-1.fc23.x86_64
type:           libreport

Potential duplicate: bug 849784
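As an added example (not part of the report or of setroubleshoot), the Python below parses the raw AVC record above, decodes the hex-escaped path field (auditd writes path/comm values as bare hex when they contain a space or a quote, which is why the certificate path appears as a hex string throughout this bug), and maps the openvpn_t -> user_home_t file denial to the relabel fix the report suggests. The field list HEX_ESCAPED_FIELDS and the helper names are the example's own choices.

```python
import re
from typing import Dict, Optional

# Raw AVC record copied from the report above. auditd writes path=/comm=/exe= values
# as bare uppercase hex when they contain a space, a double quote or a control byte.
SAMPLE_AVC = (
    'type=AVC msg=audit(1441703889.720:953): avc:  denied  { open } for  pid=18826 '
    'comm="openvpn" path=2F686F6D652F63687269737469616E2F4641552063657274732F52525A452D'
    '56504E2D43412E637274 dev="dm-0" ino=17849 scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
)

# Only these fields are subject to audit's hex escaping; numeric fields are never decoded.
HEX_ESCAPED_FIELDS = {'path', 'comm', 'exe', 'name', 'cwd', 'proctitle'}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+(\w+)\s+\{\s*([^}]*?)\s*\}')

def decode_field(key: str, value: str) -> str:
    """Strip quotes, or hex-decode an escaped value (e.g. a path containing a space)."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_ESCAPED_FIELDS and len(value) % 2 == 0 and re.fullmatch(r'[0-9A-F]+', value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value

def parse_avc(line: str) -> Dict[str, str]:
    """Return the key=value fields of one AVC record plus result ('denied'/'granted'),
    the permission set and the bare SELinux type of each security context."""
    rec: Dict[str, str] = {}
    m = PERMS_RE.search(line)
    if m:
        rec['result'], rec['perms'] = m.group(1), m.group(2)
    for key, value in FIELD_RE.findall(line):
        rec[key] = decode_field(key, value)
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:  # user:role:type:level -> the type is index 2
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec

def explain(rec: Dict[str, str]) -> Optional[str]:
    """Map the openvpn_t -> user_home_t file denial to the relabel fix from the report."""
    if (rec.get('result') == 'denied' and rec.get('tclass') == 'file'
            and rec.get('scontext_type') == 'openvpn_t'
            and rec.get('tcontext_type') == 'user_home_t'):
        return (f"openvpn_t denied '{rec['perms']}' on {rec['path']!r} (type user_home_t): "
                "relabel it home_cert_t via semanage fcontext + restorecon, or move it to ~/.cert")
    return None
```

Running `explain(parse_avc(SAMPLE_AVC))` reveals the real path behind the hex string, `/home/christian/FAU certs/RRZE-VPN-CA.crt`, which explains why the policy's user_home_t rule rather than home_cert_t applied.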

Comment 1 Miroslav Grepl 2015-09-11 12:51:24 UTC
Ok we need to review this issue. Basically this is NM vs. random location of certs in HOMEDIR.

Comment 2 Daniel Walsh 2015-09-11 19:14:41 UTC
Maybe work with NM Team to place certs in proper directory.

Comment 3 David 2015-11-07 11:32:52 UTC
Description of problem:
Was trying to setup OpenVPN via Network manager. I did get it to work eventually but had to use setenforce 0

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport

Comment 4 David 2015-11-07 15:24:09 UTC
Description of problem:
SELinux won't let my VPN connection connect (which is annoying).


Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport

Comment 5 David 2015-11-12 14:50:59 UTC
Description of problem:
Was trying to connect my VPN to p2p1.


Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport

Comment 6 David 2015-11-12 14:53:45 UTC
Description of problem:
Was trying to connect to my VPN (worked perfectly prior to now).


Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport

Comment 8 Christian Stadelmann 2016-05-28 11:09:15 UTC
Still present in F24. This prevents most users from using OpenVPN at all.

Workaround: Copy your certificate to /opt or /etc, e.g. /etc/pki. Make sure it is readable by all users.

Comment 9 Christian Stadelmann 2016-05-28 11:17:06 UTC

*** This bug has been marked as a duplicate of bug 1074830 ***

Comment 10 Red Hat Bugzilla 2023-09-14 03:04:59 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

