Description of problem: This always happens when I connect to a VPN via the menubar in the top right (Networkmanager, I guess). I'm using ecryptfs for my home directory. The VPN comes up and works just fine, but this SELinux alert is always triggered. This always happens when I connect to a VPN via the menubar in the top right (Networkmanager, I guess). I'm using ecryptfs for my home directory. The VPN comes up and works just fine, but this SELinux alert is always triggered. SELinux is preventing openvpn from 'write' accesses on the file /home/.ecryptfs/christian/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6ejbCMtS4.IE8efAPRMBaToU--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eQw3bxBTSSxQwXWtJDBJ82---/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eX0E3TO5Bd-SP2NSondyZfk--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6e5pLyCx2IpXdCFS0LTyfJvk--. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that openvpn should be allowed write access on the ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6e5pLyCx2IpXdCFS0LTyfJvk-- file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn # semodule -X 300 -i my-openvpn.pp Additional Information: Source Context system_u:system_r:openvpn_t:s0 Target Context unconfined_u:object_r:ecryptfs_t:s0 Target Objects /home/.ecryptfs/christian/.Private/ECRYPTFS_FNEK_E NCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6ejbCMt S4.IE8efAPRMBaToU--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi 8DDjIxIETJF2l-TL1AxLIEtccM-J6eQw3bxBTSSxQwXWtJDBJ8 2---/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-T L1AxLIEtccM-J6eX0E3TO5Bd-SP2NSondyZfk--/ECRYPTFS_F NEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6e 5pLyCx2IpXdCFS0LTyfJvk-- [ file ] Source openvpn Source Path openvpn Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.29.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 5 First Seen 2018-03-29 19:32:06 PDT Last Seen 2018-04-12 13:11:56 PDT Local ID 7c504bd9-56e9-4167-a734-8f6e8f7d8ed3 Raw Audit Messages type=AVC msg=audit(1523563916.270:190226): avc: denied { write } for pid=27017 comm="openvpn" path="/home/.ecryptfs/christian/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6ejbCMtS4.IE8efAPRMBaToU--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eQw3bxBTSSxQwXWtJDBJ82---/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eX0E3TO5Bd-SP2NSondyZfk--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6e5pLyCx2IpXdCFS0LTyfJvk--" dev="nvme0n1p6" ino=42304 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file permissive=0 Hash: openvpn,openvpn_t,ecryptfs_t,file,write Version-Release number of selected component: selinux-policy-3.13.1-283.29.fc27.noarch Additional info: component: selinux-policy reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.15.13-300.fc27.x86_64 type: libreport Potential duplicate: bug 1046300
Hi, Do you have 'use_ecryptfs_home_dirs' boolean enabled? If not please do: # semanage boolean -m --on use_ecryptfs_home_dirs If you issue is still persists, please re-open this bug. THanks, Lukas.
Yes, use_ecryptfs_home_dirs (and openvpn_enable_homedirs) is enabled, and always has been: $ getsebool -a | grep home | grep on openvpn_enable_homedirs --> on spamd_enable_home_dirs --> on use_ecryptfs_home_dirs --> on
While I mentioned that the OpenVPN connection still works, this appears to be only valid for a very simple configuration that is setup here. The interesting part may be: auth-user-pass userpass.txt ca ca.crt crl-verify crl.pem And the AVC is always and only reporting 'denied { write }' for "ca.crt", which is fine because that file should not be written to anyway. And as the "read" appears to succeed, the VPN connection comes up just fine. However, slightly more elaborate OpenVPN configuration on the same machine does not work: ca ca.crt tls-auth ta.key 1 pkcs12 cert.p12 cert cert.pem Here, each connection triggers multiple alerts, again complaining about 'denied { write }' for two files (cert.p12 & cert.pem), both considered to be read-only anyway: type=AVC msg=audit(1523847819.996:40910): avc: denied { write } for pid=1613 comm="nm-openvpn-serv" path="/home/.ecryptfs/christian/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6ejbCMtS4.IE8efAPRMBaToU--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eQw3bxBTSSxQwXWtJDBJ82---/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6e3b9mnKgn34UYLOHN2b-Lsk--/ECRYPTFS_FNEK_ENCRYPTED.FXZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eOzFaLpOKDSc0fP3hZlRKGNqpKDtp7zPNKaY0UfeSfiQ-" dev="nvme0n1p6" ino=1611621518 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file permissive=0 * comm="nm-openvpn-serv" only complained about cert.p12 * comm="openvpn" complained about both cert.p12 and cert.pem After a while it gives up and the OpenVPN connection is not coming up. Manually starting the configuration via the commandline (and via sudo) works fine.
selinux-policy-3.13.1-283.34.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa26da1777
selinux-policy-3.13.1-283.34.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa26da1777
selinux-policy-3.13.1-283.34.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Still happening after upgrading to F28 when connecting to the same VPN profile: # rpm -q selinux-policy selinux-policy-3.14.1-24.fc28.noarch # ausearch -m avc -ts recent ---- time->Thu May 10 18:08:01 2018 type=AVC msg=audit(1526000881.421:2485): avc: denied { write } for pid=17015 comm="openvpn" path="/home/.ecryptfs/christian/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6ejbCMtS4.IE8efAPRMBaToU--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eQw3bxBTSSxQwXWtJDBJ82---/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eX0E3TO5Bd-SP2NSondyZfk--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6e5pLyCx2IpXdCFS0LTyfJvk--" dev="nvme0n1p6" ino=42304 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file permissive=0
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.