Description of problem:
SELinux fails to activate the policy to allow it to read the certification file.

Version-Release number of selected component (if applicable):
policycoreutils.x86_64 - 2.9-1.fc30

How reproducible:
Consistently

Steps to Reproduce:
1. Build a new Fedora 30 workstation
2. Set up a new OpenVPN connection with existing key and cert files
3. Activate the VPN connection
4. Wait for SELinux to complain about access to any of the files used for the configuration
5. Try the troubleshooting suggestion to add a policy. Watch it throw an error

Actual results:
# ausearch -c 'openvpn' --raw | audit2allow -M openvpn
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i openvpn.pp

# semodule -X 100 -i openvpn.pp
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/100/openvpn/cil:2

Expected results:
No response from the semodule command.

Additional info:

Hi,

We are missing data about the denial, so we can just suppose the key or cert files are mislabeled. To fix the labels along with the selinux policy, run this command:

# /sbin/restorecon -v /etc

possibly with changing the path depending on the files reported, or set up the machine to relabel all filesystems on the next reboot:

# fixfiles onboot

and reboot the system.

If that does not help, please include the output of

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

to display today's AVC messages.

Additionally, for a custom policy module a name different from the existing one needs to be used, see:

# semodule -l | grep openvpn
openvpn

Seems using a name other than openvpn was the trick. I changed it to my-openvpn and installed the my-openvpn.pp module successfully. Thanks for the help on this. I'll keep in mind the name of the policy module should be something customized.
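
The naming rule from this thread, as an added shell example that is not part of the original report or replies: it checks a proposed custom module name against `semodule -l` output before `audit2allow -M` is run. The function names, the `local-` prefix and the sample module list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: choose a custom SELinux module name that does not collide
# with a module already present in the policy store.

# module_exists NAME LIST
# LIST is `semodule -l` output: one module per line, name in the first field
# (older releases append a version column, which is ignored here).
# Matching is exact, so "openv" does not match "openvpn".
module_exists() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { found = 1 } END { exit !found }'
}

# pick_module_name BASE LIST
# Prints BASE if it is free, otherwise local-BASE, local-BASE2, ...
# (the "local-" prefix is a hypothetical convention, not an SELinux rule).
pick_module_name() {
    base=$1
    list=$2
    candidate=$base
    i=1
    while module_exists "$candidate" "$list"; do
        if [ "$i" -eq 1 ]; then
            candidate="local-$base"
        else
            candidate="local-$base$i"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$candidate"
}

# Constructed sample of `semodule -l` output (not taken from a real system).
SAMPLE_MODULES='openssh
openvpn
openvswitch
local-openvpn'

# On a real system, as root:
#   name=$(pick_module_name openvpn "$(semodule -l)")
#   ausearch -c 'openvpn' --raw | audit2allow -M "$name"
#   semodule -X 100 -i "$name.pp"
```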