Bug 1733319 - SELIinux failes to activate OpenVPN Policy
Summary: SELIinux failes to activate OpenVPN Policy
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-25 17:03 UTC by mock
Modified: 2019-07-29 11:17 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-29 11:17:53 UTC
Type: Bug


Attachments (Terms of Use)

Description mock 2019-07-25 17:03:58 UTC
Description of problem:
SELinux fails to activate the policy to allow it to read the certification file.


Version-Release number of selected component (if applicable):
policycoreutils.x86_64 - 2.9-1.fc30


How reproducible:
Consistently


Steps to Reproduce:
1. Build a new Fedora 30 workstation
2. Set up a new OpenVPN connection with existing key and cert files
3. Activate the VPN connection
4. Wait for SELinux to complain about access to any of the files used for the configuration
5. Try the troubleshooing suggestion to add a policy. Watch it throw an error


Actual results:
# ausearch -c 'openvpn' --raw | audit2allow -M openvpn
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i openvpn.pp

# semodule -X 100 -i openvpn.pp 
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/100/openvpn/cil:2



Expected results:
No response from the semodule command.


Additional info:

Comment 1 Zdenek Pytela 2019-07-26 07:05:33 UTC
Hi,

We miss any data about the denial, so we can just suppose the key or cert files are mislabeled. To fix the labels along with the selinux policy, run this command:

  # /sbin/restorecon -v /etc

possibly with changing the path depending on the files reported, or setup the machine to relabel all filesystems on the next reboot:

  # fixfiles onboot

and reboot the system.

If that does not help, please include the output of

  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

to display today's AVC messages.

Additionally, for a custom policy module a name different to existing one needs to be used, see:

  # semodule -l | grep openvpn
openvpn

Comment 2 mock 2019-07-29 11:17:53 UTC
Seems using a name other than openvpn was the trick. I changed it to my-openvpn and installed the my-openvpn.pp module successfully.

Thanks for the help on this. I'll keep in mind the name of the policy module should be something customized.


Note You need to log in before you can comment on or make changes to this bug.