Bug 1733319 - SELinux fails to activate OpenVPN Policy
Summary: SELinux fails to activate OpenVPN Policy
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2019-07-25 17:03 UTC by mock
Modified: 2019-07-29 11:17 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-07-29 11:17:53 UTC
Type: Bug


Description mock 2019-07-25 17:03:58 UTC
Description of problem:
SELinux fails to activate the policy to allow it to read the certification file.

Version-Release number of selected component (if applicable):
policycoreutils.x86_64 - 2.9-1.fc30

How reproducible:

Steps to Reproduce:
1. Build a new Fedora 30 workstation
2. Set up a new OpenVPN connection with existing key and cert files
3. Activate the VPN connection
4. Wait for SELinux to complain about access to any of the files used for the configuration
5. Try the troubleshooting suggestion to add a policy. Watch it throw an error

Actual results:
# ausearch -c 'openvpn' --raw | audit2allow -M openvpn
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i openvpn.pp

# semodule -X 100 -i openvpn.pp 
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/100/openvpn/cil:2

Expected results:
No response from the semodule command.

Additional info:

Comment 1 Zdenek Pytela 2019-07-26 07:05:33 UTC

We are missing any data about the denial, so we can only suppose the key or cert files are mislabeled. To fix the labels along with the SELinux policy, run this command:

  # /sbin/restorecon -v /etc

possibly changing the path depending on the files reported, or set up the machine to relabel all filesystems on the next reboot:

  # fixfiles onboot

and reboot the system.

If that does not help, please include the output of

  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

to display today's AVC messages.

Additionally, for a custom policy module a name different from the existing one needs to be used, see:

  # semodule -l | grep openvpn

Comment 2 mock 2019-07-29 11:17:53 UTC
Seems using a name other than openvpn was the trick. I changed it to my-openvpn and installed the my-openvpn.pp module successfully.

Thanks for the help on this. I'll keep in mind the name of the policy module should be something customized.
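The workflow the two comments arrive at, as an added example that is not part of the bug report: generate the module from the audit log as in the original `ausearch | audit2allow` command, but first compare the intended name against `semodule -l` so it can never collide with a module that is already installed, and show the generated `.te` for review before loading it. The `local-` prefix and the `choose_module_name` / `module_name_taken` helper names are this example's own conventions, not anything from Fedora's tooling; the install step only runs when invoked with `--install` on a host that has `semodule`.

```shell
#!/bin/sh
# Added example (not from the bug thread): build a custom SELinux module from
# the AVC denials for a process and install it under a name that does not
# clash with any module already loaded. "local-" prefix is an assumption.
set -eu

# Return 0 if NAME is one of the module names in LIST (one name per line,
# the format `semodule -l` prints). Exact, fixed-string line match only.
module_name_taken() {
    name="$1"; list="$2"
    printf '%s\n' "$list" | grep -qxF -- "$name"
}

# Print a module name derived from WANT that does not appear in LIST:
# WANT itself if free, otherwise "local-WANT", then "local-WANT-2", ...
choose_module_name() {
    want="$1"; list="$2"
    if ! module_name_taken "$want" "$list"; then
        printf '%s\n' "$want"
        return 0
    fi
    candidate="local-$want"; n=1
    while module_name_taken "$candidate" "$list"; do
        n=$((n + 1)); candidate="local-$want-$n"
    done
    printf '%s\n' "$candidate"
}

# Generate and install the module for the audit "comm" name given
# (e.g. openvpn). Requires ausearch, audit2allow and semodule on the host.
build_and_install() {
    comm="$1"
    installed="$(semodule -l)"
    name="$(choose_module_name "$comm" "$installed")"
    if [ "$name" != "$comm" ]; then
        echo "a module named '$comm' is already installed; using '$name'" >&2
    fi
    # -ts today limits the input to today's denials; -M writes NAME.te/NAME.pp
    ausearch -c "$comm" -m avc -ts today --raw | audit2allow -M "$name"
    echo "generated rules in $name.te (review before loading):" >&2
    cat "$name.te" >&2
    semodule -i "$name.pp"
}

# Only run the privileged part when explicitly asked and the tools exist.
if [ "${1:-}" = "--install" ] && command -v semodule >/dev/null 2>&1; then
    build_and_install "${2:-openvpn}"
fi
```

Run as `sh allow-openvpn.sh --install openvpn` on the affected machine; with the module list from the thread the script would skip the name `openvpn` and install `local-openvpn.pp`, which is the same fix the reporter applied by hand with `my-openvpn`. Reviewing the `.te` before `semodule -i` matters because `audit2allow` grants whatever the log shows; if the denials are really a labeling problem, `restorecon` as suggested in Comment 1 is the right fix and the generated rules should not be loaded at all.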
