Description of problem:
I believe it might be complaining about the openvpn_t type in the compiled file.

# ausearch -c 'openvpn' --raw | audit2allow -M openvpn
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i openvpn.pp

# cat openvpn.te

module openvpn 1.0;

require {
	type ssh_home_t;
	type openvpn_t;
	class file open;
}

#============= openvpn_t ==============
allow openvpn_t ssh_home_t:file open;

# semodule -X 100 -i openvpn.pp
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/100/openvpn/cil:2
semodule: Failed!

SELinux is preventing openvpn from 'open' accesses on the file /home/mock/.ssh/vpn/mock.services.client.crt.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that openvpn should be allowed open access on the mock.services.client.crt file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
# semodule -X 300 -i my-openvpn.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                unconfined_u:object_r:ssh_home_t:s0
Target Objects                /home/mock/.ssh/vpn/mock.services.client.crt [ file ]
Source                        openvpn
Source Path                   openvpn
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-40.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.1.17-300.fc30.x86_64 #1 SMP Wed Jul 10 15:20:27 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-07-18 08:05:58 EDT
Last Seen                     2019-07-18 08:05:58 EDT
Local ID                      54613cdb-6393-480b-8869-c8d549714444

Raw Audit Messages
type=AVC msg=audit(1563451558.438:332): avc: denied { open } for pid=17273 comm="openvpn" path="/home/mock/.ssh/vpn/mock.services.client.crt" dev="dm-2" ino=12324298 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0

Hash: openvpn,openvpn_t,ssh_home_t,file,open

====================================
When I execute the suggested statements to allow the access, I receive the following error:

# ausearch -c 'openvpn' --raw | audit2allow -M openvpn
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i openvpn.pp

# semodule -X 100 -i openvpn.pp
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/100/openvpn/cil:2
semodule: Failed!

Version-Release number of selected component:
selinux-policy-3.14.3-40.fc30.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.17-300.fc30.x86_64
type:           libreport
Hi Mock,

I don't know why you're storing certs in the ~/.ssh/ directory, but if you would like to keep them there and make openvpn work, please run the following commands:

# semanage fcontext -a -t cert_t /home/mock/.ssh/vpn/mock.services.client.crt
# restorecon -v /home/mock/.ssh/vpn/mock.services.client.crt

Thanks,
Lukas.
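As an added example (not code from the report or from the selinux-policy project), the POSIX sh script below parses the AVC line quoted in the report, reconstructs the type-wide allow rule audit2allow produced, and prints the per-file relabel commands from Lukas's reply instead; the helper names are assumptions, the AVC text is the report's own.

```shell
#!/bin/sh
# Added example, not from the report or the selinux-policy project: derive the
# relabel fix from an AVC denial. Helper names are ours; the AVC line is the one
# quoted in the report.
SAMPLE_AVC='type=AVC msg=audit(1563451558.438:332): avc: denied { open } for pid=17273 comm="openvpn" path="/home/mock/.ssh/vpn/mock.services.client.crt" dev="dm-2" ino=12324298 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: the value of KEY=... with any surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission list between { } ("open" here).
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_type CONTEXT: the type component of user:role:type:level.
avc_type() { printf '%s\n' "$1" | cut -d: -f3; }

# allow_rule LINE: the rule audit2allow derives from this denial (it matches the
# openvpn.te in the report). It is keyed on the target *type*, so it lets
# openvpn_t open every ssh_home_t file, i.e. all of ~/.ssh, not just one cert.
allow_rule() {
    printf 'allow %s %s:%s %s;\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# suggest_relabel LINE NEWTYPE: for a file-class denial with a path, print the
# commands from the reply that relabel only that file. Returns 1 for denials
# without a path (sockets, capabilities), where relabelling is not the answer.
suggest_relabel() {
    path=$(avc_field "$1" path)
    [ "$(avc_field "$1" tclass)" = file ] && [ -n "$path" ] || return 1
    printf '# %s denied { %s } on %s (currently %s)\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" "$(avc_perms "$1")" \
        "$path" "$(avc_type "$(avc_field "$1" tcontext)")"
    # semanage treats the spec as a regular expression: the literal path works,
    # as in the reply, but its unescaped dots also match any single character.
    printf "semanage fcontext -a -t %s '%s'\n" "$2" "$path"
    printf "restorecon -v '%s'\n" "$path"
}

allow_rule "$SAMPLE_AVC"
suggest_relabel "$SAMPLE_AVC" cert_t
```

Run as root the two printed commands would relabel only the one certificate, leaving the rest of ~/.ssh as ssh_home_t and requiring no custom policy module.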
Description of problem:
I tried to make a connection to an OpenVPN server using keys and certs I use on other Fedora systems. This is a new Fedora 30 build, and I ran into the normal SELinux warnings. When I try to handle the warnings using the Troubleshooting methods, I get the additional problems:

# ausearch -c 'openvpn' --raw | audit2allow -M openvpn
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i openvpn.pp

# semodule -X 100 -i openvpn.pp
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/100/openvpn/cil:2
semodule: Failed!

I cannot make the necessary adjustments to SELinux to allow the OpenVPN connection. (I have not tried other OpenVPN servers.) I have verified all the SELinux contexts and types are set for the files in question as they are on other systems where the connection is allowed. They all match.

Version-Release number of selected component:
selinux-policy-3.14.3-41.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.18-300.fc30.x86_64
type:           libreport