Bug 1566706 - SELinux is preventing openvpn from 'write' accesses on the file /home/.ecryptfs/christian/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6ejbCMtS4.IE8efAPRMBaToU--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eQw3bxBTS...
Summary: SELinux is preventing openvpn from 'write' accesses on the file /home/.ecrypt...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:0f44368ed9bd31a57268f389074...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-12 20:15 UTC by Christian Kujau
Modified: 2018-05-26 20:44 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.13.1-283.34.fc27 selinux-policy-3.14.1-29.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-26 20:44:25 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Christian Kujau 2018-04-12 20:15:07 UTC
Description of problem:
This always happens when I connect to a VPN via the menubar in the top right (Networkmanager, I guess). I'm using ecryptfs for my home directory. The VPN comes up and works just fine, but this SELinux alert is always triggered.
This always happens when I connect to a VPN via the menubar in the top right (Networkmanager, I guess). I'm using ecryptfs for my home directory. The VPN comes up and works just fine, but this SELinux alert is always triggered.

SELinux is preventing openvpn from 'write' accesses on the file /home/.ecryptfs/christian/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6ejbCMtS4.IE8efAPRMBaToU--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eQw3bxBTSSxQwXWtJDBJ82---/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eX0E3TO5Bd-SP2NSondyZfk--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6e5pLyCx2IpXdCFS0LTyfJvk--.


*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that openvpn should be allowed write access on the ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6e5pLyCx2IpXdCFS0LTyfJvk-- file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
# semodule -X 300 -i my-openvpn.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                unconfined_u:object_r:ecryptfs_t:s0
Target Objects                /home/.ecryptfs/christian/.Private/ECRYPTFS_FNEK_E
                              NCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6ejbCMt
                              S4.IE8efAPRMBaToU--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi
                              8DDjIxIETJF2l-TL1AxLIEtccM-J6eQw3bxBTSSxQwXWtJDBJ8
                              2---/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-T
                              L1AxLIEtccM-J6eX0E3TO5Bd-SP2NSondyZfk--/ECRYPTFS_F
                              NEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6e
                              5pLyCx2IpXdCFS0LTyfJvk-- [ file ]
Source                        openvpn
Source Path                   openvpn
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.29.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.15.13-300.fc27.x86_64 #1 SMP Mon
                              Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   5
First Seen                    2018-03-29 19:32:06 PDT
Last Seen                     2018-04-12 13:11:56 PDT
Local ID                      7c504bd9-56e9-4167-a734-8f6e8f7d8ed3

Raw Audit Messages
type=AVC msg=audit(1523563916.270:190226): avc:  denied  { write } for  pid=27017 comm="openvpn" path="/home/.ecryptfs/christian/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6ejbCMtS4.IE8efAPRMBaToU--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eQw3bxBTSSxQwXWtJDBJ82---/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eX0E3TO5Bd-SP2NSondyZfk--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6e5pLyCx2IpXdCFS0LTyfJvk--" dev="nvme0n1p6" ino=42304 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file permissive=0


Hash: openvpn,openvpn_t,ecryptfs_t,file,write

Version-Release number of selected component:
selinux-policy-3.13.1-283.29.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.13-300.fc27.x86_64
type:           libreport

Potential duplicate: bug 1046300

Comment 1 Lukas Vrabec 2018-04-13 16:07:17 UTC
Hi, 

Do you have 'use_ecryptfs_home_dirs' boolean enabled? 

If not please do:

# semanage boolean -m --on use_ecryptfs_home_dirs

If you issue is still persists, please re-open this bug.

THanks,
Lukas.

Comment 2 Christian Kujau 2018-04-16 02:20:01 UTC
Yes, use_ecryptfs_home_dirs (and openvpn_enable_homedirs) is enabled, and always has been:

$ getsebool -a | grep home | grep on
openvpn_enable_homedirs --> on
spamd_enable_home_dirs --> on
use_ecryptfs_home_dirs --> on

Comment 3 Christian Kujau 2018-04-16 03:40:42 UTC
While I mentioned that the OpenVPN connection still works, this appears to be only valid for a very simple configuration that is setup here. The interesting part may be:

  auth-user-pass userpass.txt
  ca             ca.crt
  crl-verify     crl.pem

And the AVC is always and only reporting 'denied { write }' for "ca.crt", which is fine because that file should not be written to anyway. And as the "read" appears to succeed, the VPN connection comes up just fine.

However, slightly more elaborate OpenVPN configuration on the same machine does not work:

  ca             ca.crt
  tls-auth       ta.key 1
  pkcs12         cert.p12
  cert           cert.pem

Here, each connection triggers multiple alerts, again complaining about 'denied { write }' for two files (cert.p12 & cert.pem), both considered to be read-only anyway:

type=AVC msg=audit(1523847819.996:40910): avc:  denied  { write } for  pid=1613 comm="nm-openvpn-serv" path="/home/.ecryptfs/christian/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6ejbCMtS4.IE8efAPRMBaToU--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eQw3bxBTSSxQwXWtJDBJ82---/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6e3b9mnKgn34UYLOHN2b-Lsk--/ECRYPTFS_FNEK_ENCRYPTED.FXZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eOzFaLpOKDSc0fP3hZlRKGNqpKDtp7zPNKaY0UfeSfiQ-" dev="nvme0n1p6" ino=1611621518 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file permissive=0

* comm="nm-openvpn-serv" only complained about cert.p12
* comm="openvpn" complained about both cert.p12 and cert.pem

After a while it gives up and the OpenVPN connection is not coming up. Manually starting the configuration via the commandline (and via sudo) works fine.

Comment 4 Fedora Update System 2018-04-29 13:19:21 UTC
selinux-policy-3.13.1-283.34.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa26da1777

Comment 5 Fedora Update System 2018-04-30 14:17:35 UTC
selinux-policy-3.13.1-283.34.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa26da1777

Comment 6 Fedora Update System 2018-05-05 22:27:25 UTC
selinux-policy-3.13.1-283.34.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Christian Kujau 2018-05-11 01:10:47 UTC
Still happening after upgrading to F28 when connecting to the same VPN profile:


# rpm -q selinux-policy
selinux-policy-3.14.1-24.fc28.noarch

# ausearch -m avc -ts recent 
----
time->Thu May 10 18:08:01 2018
type=AVC msg=audit(1526000881.421:2485): avc:  denied  { write } for  pid=17015 comm="openvpn" path="/home/.ecryptfs/christian/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6ejbCMtS4.IE8efAPRMBaToU--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eQw3bxBTSSxQwXWtJDBJ82---/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6eX0E3TO5Bd-SP2NSondyZfk--/ECRYPTFS_FNEK_ENCRYPTED.FWZFWi8DDjIxIETJF2l-TL1AxLIEtccM-J6e5pLyCx2IpXdCFS0LTyfJvk--" dev="nvme0n1p6" ino=42304 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file permissive=0

Comment 8 Fedora Update System 2018-05-24 14:35:59 UTC
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 9 Fedora Update System 2018-05-25 18:42:34 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 10 Fedora Update System 2018-05-26 20:44:25 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.