Red Hat Bugzilla – Bug 214556
SELinux doesn't allow connecting through openvpn
Last modified: 2008-01-18 07:29:35 EST
Description of problem:
Numerous SELinux problems with connecting to OpenVPN with Networkmanager applet.
I can connect with service openvpn start without any problem.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure and set up OpenVPN in NetworkManager
2. Click on the NM icon and select connect to "particular OpenVPN"
Actual results:
Get error message "The VPN login failed because the VPN program could not
connect to the VPN server." and the setroubleshootd icon goes off saying that there
is an SELinux problem (see attached part of audit.log) and that I should
temporarily fix it with the command
setsebool -P NetworkManager_disable_trans=1
Next time it happened the command to fix it was
setsebool -P allow_ypbind=1
I ran both, but I couldn't get a connection.
Expected results:
Get connected to OpenVPN
Created attachment 140634 [details]
relevant part of /var/log/audit/audit.log
Created attachment 140635 [details]
relevant part of /var/log/messages
Same problem here.
Same problem here: SELinux denies execute, execute_trans (wondering what that
means), read on openvpn, node_bind and name_bind for nm-openvpn-serv.
It seems to me that the SELinux policy should be patched for this.
The same problem still occurs in F7T4.
I think it's just a missing SELinux policy for the openvpn binary. Could someone
provide one or tell me how to make one?
In my case, on Fedora 8 x86_64 with
$ rpm -qa NetworkManager\*
I am seeing SELinux denials when openvpn tries to read my X.509 certs in ~/foo
Created attachment 292122 [details]
excerpt from /var/log/messages
The SELinux boolean openvpn_enable_homedirs should fix that.
BTW: are you using X.509 authentication? There seems to be another issue there.
Could you please mail me if that works for you (choeger AT cs DOT tu-berlin.de).
Someone can close this bug btw.
Yes, enabling openvpn_enable_homedirs fixed the SELinux denial. Oops, in my case
PEBCAK, not a bug. I am seeing other errors with X.509 certificates, though I
can't find a bugzilla entry for that.
(In reply to comment #9)
> Someone can close this bug btw.
Tim, it's probably you. BTW, if not just for this one, I cannot test this
anymore, because I don't use OpenVPN (unfortunately, I have to use VPNC only
Closing this as WORKSFORME. This definitely was a bug but I can't tell when this
was solved in the SELinux policy...
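The reporters in this thread worked out by hand, from the attached audit.log excerpts, which process was being denied what, and which boolean (openvpn_enable_homedirs) covered the home-directory certificate case. The script below is an added example, not part of the bug report or of the SELinux policy: it parses AVC denial records of the same form, groups them by process, source type, target type and object class, and names a boolean only where the pair is in a small known table. The sample records are constructed for this example (the type names openvpn_t, openvpn_exec_t, openvpn_port_t, user_home_t and NetworkManager_t are standard Fedora policy types, but the pids, inodes and timestamps are made up), and the KNOWN_BOOLEANS table contains only the boolean this thread identified.

```python
"""Summarise SELinux AVC denials from an audit.log excerpt (added example)."""
import re
from collections import defaultdict

# Constructed sample records in /var/log/audit/audit.log format. These are
# illustrative and are not the attachments from the bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1163024611.123:201): avc:  denied  { execute } for  pid=3912 comm="nm-openvpn-serv" name="openvpn" dev=dm-0 ino=81234 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:openvpn_exec_t:s0 tclass=file
type=AVC msg=audit(1163024611.123:202): avc:  denied  { name_bind } for  pid=3912 comm="nm-openvpn-serv" src=1194 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1200000000.456:317): avc:  denied  { read } for  pid=4410 comm="openvpn" name="client.crt" dev=dm-0 ino=93011 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1200000000.456:317): arch=c000003e syscall=2 success=no exit=-13 comm="openvpn"
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (source type, target type) -> boolean known to permit the access.
# Only the boolean named in this thread is listed; on a real host the
# authoritative list comes from `semanage boolean -l`.
KNOWN_BOOLEANS = {
    ("openvpn_t", "user_home_t"): "openvpn_enable_homedirs",
}


def selinux_type(context):
    """Return the type component (user:role:TYPE:level) of a security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "stype": selinux_type(fields.get("scontext", "")),
        "ttype": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
        "name": fields.get("name"),
    }


def summarize(log_text):
    """Group denials by (comm, source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            summary[(d["comm"], d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(summary)


def suggest_boolean(denial):
    """Name a boolean if one is known for this source/target type pair, else None."""
    return KNOWN_BOOLEANS.get((denial["stype"], denial["ttype"]))


def report(log_text):
    """One line per denial group, with either the boolean to enable or a policy-bug hint."""
    lines = []
    for (comm, stype, ttype, tclass), perms in sorted(summarize(log_text).items()):
        boolean = KNOWN_BOOLEANS.get((stype, ttype))
        fix = (f"setsebool -P {boolean} 1" if boolean
               else "no boolean known: candidate policy bug, inspect with audit2allow")
        lines.append(f"{comm}: {stype} -> {ttype} ({tclass}) denied "
                     f"{{ {' '.join(sorted(perms))} }}: {fix}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT_LOG)))
```

Run against a real excerpt with `python3 avc_summary.py < audit.log` after replacing SAMPLE_AUDIT_LOG with `sys.stdin.read()`. The split the report makes matches the two situations in this thread: denials against openvpn_t reading user_home_t have a boolean, while NetworkManager_t being denied execute on openvpn_exec_t or name_bind on openvpn_port_t has none, which is the "missing policy" case that needed a policy fix rather than a setsebool.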