Description of problem:
I cannot connect to OpenVPN through NetworkManager when SELinux is in enforcing mode

Version-Release number of selected component (if applicable):
NetworkManager-openvpn-1.0.8-2.fc23.x86_64
selinux-policy-3.13.1-158.9.fc23.noarch

Steps to Reproduce:
1. Create an OpenVPN connection through NetworkManager
2. Try to connect

Actual results:
Connection fails for unknown reason

# grep openvpn /var/log/audit/audit.log
type=AVC msg=audit(1461503083.125:2856): avc: denied { open } for pid=20868 comm="openvpn" path=2F686F6D652F636875726368796172642F537461C5BE656EC3A92F76706E2F68726F6E636D69722E637274 dev="dm-3" ino=7087220 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1461503147.364:2869): avc: denied { open } for pid=20979 comm="openvpn" path=2F686F6D652F636875726368796172642F537461C5BE656EC3A92F76706E2F68726F6E636D69722E637274 dev="dm-3" ino=7087220 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1461503457.674:2902): avc: denied { open } for pid=21341 comm="openvpn" path=2F686F6D652F636875726368796172642F537461C5BE656EC3A92F76706E2F68726F6E636D69722E637274 dev="dm-3" ino=7087220 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1

Expected results:
Should connect in default config

Workaround:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
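As an added example (not part of the bug report, of NetworkManager or of selinux-policy), a small parser for the AVC records quoted above. audit(8) prints a string field as unquoted hex whenever the value contains a space, a quote or non-ASCII bytes, which is why the three denials in the report show `path=2F68...` while the later denial in this thread shows a quoted path. Decoding the hex reveals which file openvpn_t was refused and which target type it carried, which is the information needed to decide whether the label or the policy is at fault. The two AVC lines embedded below are taken from this thread; the field names are the standard audit ones.

```python
import re
from typing import Optional

# AVC records quoted from this bug thread (not constructed): the first denial
# from the report, then the one logged after the files were moved to ~/.certs.
AVC_LINES = [
    'type=AVC msg=audit(1461503083.125:2856): avc: denied { open } for pid=20868 '
    'comm="openvpn" path=2F686F6D652F636875726368796172642F537461C5BE656EC3A92F76706E2F68726F6E636D69722E637274 '
    'dev="dm-3" ino=7087220 scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1461536162.965:578): avc: denied { open } for pid=731 '
    'comm="openvpn" path="/home/churchyard/.certs/hroncmir.crt" dev="dm-3" ino=7087887 '
    'scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Only string-valued fields are ever hex-encoded by the audit system. Numeric
# fields (pid, ino, permissive) must never be hex-decoded, otherwise a pid such
# as 2086 would silently turn into bytes.
HEX_ENCODED_FIELDS = {'path', 'comm', 'name', 'cwd', 'exe', 'proctitle'}


def decode_audit_value(key: str, raw: str) -> str:
    """Return the printable value of one key=value pair from an audit record."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_ENCODED_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_avc(line: str) -> Optional[dict]:
    """Parse one AVC record into a dict; None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, raw in FIELD_RE.findall(m.group('fields')):
        rec[key] = decode_audit_value(key, raw)
    # The type is the third colon-separated component of user:role:type:level.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def explain(rec: dict) -> str:
    """One-line diagnosis: who was denied what on which file, under which label."""
    mode = 'would be denied (permissive)' if rec.get('permissive') == '1' else 'denied (enforcing)'
    return (f"{rec['comm']} ({rec['stype']}) {mode} {' '.join(rec['perms'])} on "
            f"{rec['tclass']} {rec['path']} labelled {rec['ttype']}")


if __name__ == '__main__':
    for avc_line in AVC_LINES:
        record = parse_avc(avc_line)
        if record is not None:
            print(explain(record))
```

Run against the report's first record this prints the decoded path /home/churchyard/Stažené/vpn/hroncmir.crt (a Czech "Downloads" folder), labelled user_home_t, which is exactly the "files downloaded into a different directory get the wrong label" situation described later in the thread; the permissive=1 record in the report was logged, not enforced.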
Are you using certificate files? (check the settings via `nmcli connection show $CONNECTION_NAME`) Those files must be readable by openvpn, also in terms of SELinux. Usually, they should be in ~/.certs, as this directory has proper labels.
Yes I am, I have them in a different folder. If I move them to ~/.certs, I get:

type=AVC msg=audit(1461536162.965:578): avc: denied { open } for pid=731 comm="openvpn" path="/home/churchyard/.certs/hroncmir.crt" dev="dm-3" ino=7087887 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
In principle, you can also have the files in a different directory, as long as the labeling is correct. But if you put files to a different directory (e.g. when downloading them), they get a wrong label by default. Moving files doesn't change the SELinux label. Copying would... What gives:

ls -lZ ~/.cert/*
restorecon -Rv ~/.cert
ls -lZ ~/.cert/*
Anyway, so the answer to this bug is, that since currently we are using certificates from files, then the SELinux labeling has to be right. There is not much we can do about that. This inevitably leads to quirks like this. The long-term solution will be to use pkcs11 and store the certificates in a certificate store. https://wiki.gnome.org/Projects/NetworkManager/PKCS11 It's a dupe of bug 1074830
[~]$ ls -lZ ~/.certs/*
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 1935 5. led 16.10 /home/churchyard/.certs/ca.crt
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 6368 5. led 16.10 /home/churchyard/.certs/hroncmir.crt
-rw-------. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 2500 5. led 16.10 /home/churchyard/.certs/hroncmir.key
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 188 5. led 16.10 /home/churchyard/.certs/vpn-rozvoj-fit.conf
[~]$ restorecon -Rv ~/.certs
[~]$ ls -lZ ~/.certs/*
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 1935 5. led 16.10 /home/churchyard/.certs/ca.crt
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 6368 5. led 16.10 /home/churchyard/.certs/hroncmir.crt
-rw-------. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 2500 5. led 16.10 /home/churchyard/.certs/hroncmir.key
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 188 5. led 16.10 /home/churchyard/.certs/vpn-rozvoj-fit.conf
[~]$ cp -r .certs/ .cert
[~]$ ls -lZ ~/.cert/*
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 1935 26. dub 13.27 /home/churchyard/.cert/ca.crt
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 6368 26. dub 13.27 /home/churchyard/.cert/hroncmir.crt
-rw-------. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 2500 26. dub 13.27 /home/churchyard/.cert/hroncmir.key
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 188 26. dub 13.27 /home/churchyard/.cert/vpn-rozvoj-fit.conf
[~]$ restorecon -Rv ~/.cert
[~]$ ls -lZ ~/.cert/*
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 1935 26. dub 13.28 /home/churchyard/.cert/ca.crt
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 6368 26. dub 13.28 /home/churchyard/.cert/hroncmir.crt
-rw-------. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 2500 26. dub 13.28 /home/churchyard/.cert/hroncmir.key
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 188 26. dub 13.28 /home/churchyard/.cert/vpn-rozvoj-fit.conf

I don't see much difference.
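As an added example (my own code, not from this thread, NetworkManager or selinux-policy), a checker for the situation shown in the listing above: it parses `ls -lZ` output, pulls the type out of each user:role:type:level context, and reports which certificate files do not carry home_cert_t together with the fix the thread recommends (restorecon if the file is already under ~/.cert, otherwise copy it there first). The sample lines are taken from the listing above; the `IN_DOT_CERT_RE` path pattern and the home_cert_t expectation are assumptions based on what this thread states about the Fedora policy. `live_label()` reads the real label through the security.selinux xattr and is only meaningful on an SELinux-enabled host.

```python
import os
import re
from typing import List, Optional

# Type that selinux-policy assigns to files under ~/.cert (per this thread).
CERT_TYPE = 'home_cert_t'

# `ls -lZ` lines quoted from the comment above (not constructed): the ~/.certs
# copies keep the generic home label, the ~/.cert copies got the cert label.
LS_Z_OUTPUT = """\
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 1935 5. led 16.10 /home/churchyard/.certs/ca.crt
-rw-------. 1 churchyard churchyard unconfined_u:object_r:user_home_t:s0 2500 5. led 16.10 /home/churchyard/.certs/hroncmir.key
-rw-r--r--. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 1935 26. dub 13.27 /home/churchyard/.cert/ca.crt
-rw-------. 1 churchyard churchyard unconfined_u:object_r:home_cert_t:s0 2500 26. dub 13.27 /home/churchyard/.cert/hroncmir.key
"""

# perms links owner group context size <locale-dependent date> path
LS_Z_RE = re.compile(
    r'^(?P<perms>\S+)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+'
    r'(?P<ctx>[^:\s]+:[^:\s]+:[^:\s]+:\S+)\s+(?P<size>\d+)\s+.+?\s+(?P<path>/\S+)$'
)
# Assumed layout: the per-user directory the policy labels as home_cert_t.
IN_DOT_CERT_RE = re.compile(r'^/home/[^/]+/\.cert(?:/|$)')


def selinux_type(ctx: str) -> str:
    """Third component of user:role:type:level."""
    return ctx.split(':')[2]


def live_label(path: str) -> Optional[str]:
    """Current label from the security.selinux xattr, or None when the path
    does not exist, the platform has no xattr support, or nothing is labelled."""
    try:
        raw = os.getxattr(path, 'security.selinux')
    except (OSError, AttributeError):
        return None
    return raw.decode('utf-8', errors='replace').rstrip('\x00')


def check_ls_z(output: str) -> List[dict]:
    """Parse `ls -lZ` output and flag files openvpn_t cannot read because
    they are not labelled home_cert_t."""
    findings = []
    for line in output.splitlines():
        m = LS_Z_RE.match(line)
        if m is None:
            continue
        path = m.group('path')
        label_type = selinux_type(m.group('ctx'))
        findings.append({
            'path': path,
            'type': label_type,
            'ok': label_type == CERT_TYPE,
            'in_dot_cert': bool(IN_DOT_CERT_RE.match(path)),
        })
    return findings


def remediation(finding: dict) -> str:
    """The fix this thread arrives at for a wrongly labelled certificate file."""
    if finding['ok']:
        return 'label ok'
    if finding['in_dot_cert']:
        # Policy already maps ~/.cert to home_cert_t; only the file is stale.
        return 'run: restorecon -Rv ~/.cert'
    return ('copy the file into ~/.cert (policy labels that directory home_cert_t), '
            'point the connection at the copy, then run: restorecon -Rv ~/.cert')


if __name__ == '__main__':
    for finding in check_ls_z(LS_Z_OUTPUT):
        print(f"{finding['path']}: {finding['type']} -> {remediation(finding)}")
```

The point the listing above makes is visible in the output: restorecon on ~/.certs cannot help, because no file-context rule covers that directory, so the user_home_t label is already "correct" as far as the policy is concerned; the ~/.cert copies were created with home_cert_t because the policy has a rule for that path.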
Oh, unconfined_u:object_r:user_home_t:s0 -> unconfined_u:object_r:home_cert_t:s0 Will try that folder as well.
Yep, copying to ~/.cert actually works. Is this documented? And where?
Ah, sorry. Initially I said "certs". Should be "cert". I don't know about documentation about this, but the selinux-policy defines which labels to apply to .cert. I am duping this to bug 1074830 (on rawhide), see https://bugzilla.redhat.com/show_bug.cgi?id=1074830#c16 for the reason why.

*** This bug has been marked as a duplicate of bug 1074830 ***