Description of problem:
I have nordvpn openvpn files that used to work when added through the network settings using VPN and +. For a while now, this has not worked. At first I thought my setup was wrong, but now that I have a next level of Fedora (31) it should work. I deleted all the vpn connections I had saved and created a new one. The SELinux error insists on moving the certificate, while the file was imported from the Nordvpn files. So as far as I can see it should work.

SELinux is preventing openvpn from 'open' accesses on the file /home/gbonnema/.cert/nm-openvpn/nl79.nordvpn.com.udp-ca.pem.

*****  Plugin openvpn (47.5 confidence) suggests   ***************************

If you want to mv nl79.nordvpn.com.udp-ca.pem to standard location so that openvpn can have open access
Then you must move the cert file to the ~/.cert directory
Do
# mv /home/gbonnema/.cert/nm-openvpn/nl79.nordvpn.com.udp-ca.pem ~/.cert
# restorecon -R -v ~/.cert

*****  Plugin openvpn (47.5 confidence) suggests   ***************************

If you want to modify the label on nl79.nordvpn.com.udp-ca.pem so that openvpn can have open access on it
Then you must fix the labels.
Do
# semanage fcontext -a -t home_cert_t /home/gbonnema/.cert/nm-openvpn/nl79.nordvpn.com.udp-ca.pem
# restorecon -R -v /home/gbonnema/.cert/nm-openvpn/nl79.nordvpn.com.udp-ca.pem

*****  Plugin catchall (6.38 confidence) suggests   **************************

If you believe that openvpn should be allowed open access on the nl79.nordvpn.com.udp-ca.pem file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
# semodule -X 300 -i my-openvpn.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/gbonnema/.cert/nm-openvpn/nl79.nordvpn.com.udp-ca.pem [ file ]
Source                        openvpn
Source Path                   openvpn
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.4-40.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.3.11-300.fc31.x86_64 #1 SMP Tue Nov 12 19:08:07 UTC 2019 x86_64 x86_64
Alert Count                   11
First Seen                    2019-06-30 18:59:53 CEST
Last Seen                     2019-11-20 17:51:34 CET
Local ID                      7c82a1c1-a6be-4f0c-baba-ade3b6b0f9ae

Raw Audit Messages
type=AVC msg=audit(1574268694.540:336): avc: denied { open } for pid=19877 comm="openvpn" path="/home/gbonnema/.cert/nm-openvpn/nl79.nordvpn.com.udp-ca.pem" dev="md0" ino=17715648 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

Hash: openvpn,openvpn_t,user_home_t,file,open

Version-Release number of selected component:
selinux-policy-3.14.4-40.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.11.3
hashmarkername: setroubleshoot
kernel:         5.3.11-300.fc31.x86_64
type:           libreport

Potential duplicate: bug 1144504
Hi,

Please run:

# restorecon -Rv /home/gbonnema/.cert/

To fix labels of cert files.

Thanks,
Lukas.
Thank you, this solved the problem. The troubleshooting guide did provide advice like this, but involved moving the file and then only doing a restorecon on that file. This made me think that the software had placed the certificate file wrongly. Apparently, doing the restorecon on the whole of the `.cert` directory was enough. Thank you for your guidance.
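An added example, not part of the original thread or of any Fedora tool: a small triage of the AVC record quoted in the report, which tells a labelling problem (fixed with `restorecon`, as above) apart from a denial that would need a policy decision before reaching for `audit2allow`. The function names are hypothetical, and the rule that files under `~/.cert` should carry `home_cert_t` is an assumption taken from the suggestions and the fix in this thread.

```python
import re
import shlex

# The AVC record quoted in the report above, embedded so the example runs offline.
SAMPLE_AVC = (
    'type=AVC msg=audit(1574268694.540:336): avc: denied { open } for pid=19877 '
    'comm="openvpn" path="/home/gbonnema/.cert/nm-openvpn/nl79.nordvpn.com.udp-ca.pem" '
    'dev="md0" ino=17715648 scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
)

# Assumption drawn from this thread: everything under ~/.cert should be home_cert_t.
CERT_DIR = re.compile(r"^(/home/[^/]+/\.cert)(?:/|$)")
EXPECTED_TYPE = "home_cert_t"


def parse_avc(line):
    """Return the fields of one AVC record, plus its result and permission list."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$", line)
    if m is None:
        raise ValueError("not an AVC record")
    # shlex strips the quotes around values such as comm="openvpn".
    fields = dict(t.split("=", 1) for t in shlex.split(m.group(3)) if "=" in t)
    fields["result"], fields["perms"] = m.group(1), m.group(2).split()
    return fields


def context_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]


def triage(line):
    """Classify a record as a labelling problem (relabel) or a policy question."""
    rec = parse_avc(line)
    if rec["result"] != "denied":
        return {"kind": "not-a-denial", "fix": None}
    in_cert = CERT_DIR.match(rec.get("path", ""))
    if in_cert and context_type(rec["tcontext"]) != EXPECTED_TYPE:
        # Wrong label on a cert file: relabel the whole directory, as in the thread.
        fix = "restorecon -Rv " + shlex.quote(in_cert.group(1) + "/")
        return {"kind": "mislabel", "fix": fix}
    return {"kind": "review-policy", "fix": None}


if __name__ == "__main__":
    print(triage(SAMPLE_AVC))
```
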