Bug 214556 - SELinux doesn't allow connecting through openvpn
Product: Fedora
Classification: Fedora
Component: NetworkManager-openvpn
Platform: i386 Linux
Priority: medium, Severity: medium
Assigned To: Tim Niemueller
QA Contact: Fedora Extras Quality Assurance
Reported: 2006-11-08 03:26 EST by Matěj Cepl
Modified: 2018-04-11 04:00 EDT
CC: 6 users

Doc Type: Bug Fix
Last Closed: 2008-01-18 07:29:35 EST

Attachments
relevant part of /var/log/audit/audit.log (4.75 KB, text/plain), 2006-11-08 03:26 EST, Matěj Cepl
relevant part of /var/log/messages (3.38 KB, text/plain), 2006-11-08 03:29 EST, Matěj Cepl
excerpt from /var/log/messages (1.31 KB, text/plain), 2008-01-18 05:45 EST, Daniel Challen

Description Matěj Cepl 2006-11-08 03:26:06 EST
Description of problem:
Numerous SELinux problems with connecting to OpenVPN with the NetworkManager applet.
I can connect with `service openvpn start` without any problem.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure and set up OpenVPN in NetworkManager
2. Click on the NM icon and select connect to "particular OpenVPN"
Actual results:
I get the error message "The VPN login failed because the VPN program could not
connect to the VPN server." and the setroubleshootd icon appears saying that there
is an SELinux problem (see attached part of audit.log) and that I should
temporarily fix it with the command

setsebool -P NetworkManager_disable_trans=1

The next time it happened the command to fix it was

setsebool -P allow_ypbind=1

I ran both, but I couldn't get a connection.

Expected results:
Get connected to OpenVPN.

Additional info:
Comment 1 Matěj Cepl 2006-11-08 03:26:07 EST
Created attachment 140634 [details]
relevant part of /var/log/audit/audit.log
Comment 2 Matěj Cepl 2006-11-08 03:29:03 EST
Created attachment 140635 [details]
relevant part of /var/log/messages
Comment 3 Manmathan Kumarathurai 2007-03-28 16:49:35 EDT
Same problem here.
Comment 4 Christoph Höger 2007-05-07 10:20:33 EDT
Same problem here: SELinux denies execute, execute_trans (wondering what that
means), read on openvpn, node_bind and name_bind for nm-openvpn-serv.
It seems to me that the SELinux policy should be patched for this.
Comment 5 Christoph Höger 2007-05-14 03:47:58 EDT
Hi @all,

The same problem still occurs in f7t4.
I think it's just a missing SELinux policy for the openvpn binary. Could someone
provide one or tell me how to make one?

Comment 6 Daniel Challen 2008-01-18 05:44:13 EST
In my case, on Fedora 8 x86_64 with
$ rpm -qa NetworkManager\*
I am seeing SELinux denials when openvpn tries to read my X.509 certs in ~/foo.
Comment 7 Daniel Challen 2008-01-18 05:45:39 EST
Created attachment 292122 [details]
excerpt from /var/log/messages
Comment 8 Christoph Höger 2008-01-18 05:51:27 EST
The SELinux boolean openvpn_enable_homedirs should fix that.

BTW: are you using X.509 authentication? There seems to be another issue there.

Could you mail me please if that works for you (choeger AT cs DOT tu-berlin.de)?
Comment 9 Christoph Höger 2008-01-18 05:51:52 EST
Someone can close this bug, BTW.
Comment 10 Daniel Challen 2008-01-18 06:39:32 EST
Yes, enabling openvpn_enable_homedirs fixed the SELinux denial. Oops, in my case
PEBCAK, not a bug. I am seeing other errors with X.509 certificates, though I
can't find a bugzilla entry for that.
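As an added example (not code from the bug report or its attachments), here is a small POSIX shell triage helper for the kind of denials discussed above: it keeps only the AVC records raised for openvpn or nm-openvpn-serv and flags the case the openvpn_enable_homedirs boolean covers (openvpn reading files under a user's home directory). The audit records are constructed samples in audit.log format, and the "needs a policy update" hint for every other target type is this example's own rule of thumb, not something the bug states.

```shell
#!/bin/sh
# Added triage helper for SELinux denials hitting NetworkManager's OpenVPN
# plugin. Not code from the bug report; the records below are constructed.
SAMPLE_AUDIT='type=AVC msg=audit(1200652800.101:44): avc:  denied  { read } for  pid=3120 comm="openvpn" name="client.crt" dev=sda3 ino=40122 scontext=system_u:system_r:openvpn_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1200652800.101:44): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1200652800.102:45): avc:  denied  { execute } for  pid=3118 comm="nm-openvpn-serv" name="openvpn" dev=sda1 ino=22011 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:openvpn_exec_t:s0 tclass=file
type=AVC msg=audit(1200652800.103:46): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev=sda3 ino=501 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# Extract one field from a record with a sed substitution script.
avc_field() {
    printf '%s\n' "$1" | sed -n "$2"
}

# Read audit records on stdin; print "<comm> <permission> <target type> <hint>"
# for every AVC denial attributed to the OpenVPN processes.
avc_triage() {
    grep '^type=AVC ' | grep -E 'comm="(openvpn|nm-openvpn-serv)"' |
    while IFS= read -r rec; do
        comm=$(avc_field "$rec" 's/.*comm="\([^"]*\)".*/\1/p')
        perm=$(avc_field "$rec" 's/.*denied  { \([^}]*\) }.*/\1/p')
        ttype=$(avc_field "$rec" 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
        case "$ttype" in
            # Home-directory types: covered by the boolean named in comment 8.
            user_home_t|user_home_dir_t)
                hint='openvpn_enable_homedirs: setsebool -P openvpn_enable_homedirs 1' ;;
            # Anything else (e.g. the execute/execute_trans denials from
            # comment 4) is not a boolean matter; assumed to need a policy update.
            *)
                hint='no boolean covers this; needs a policy update' ;;
        esac
        printf '%s %s %s %s\n' "$comm" "$perm" "$ttype" "$hint"
    done
}

# Current state of the boolean when getsebool exists on this host.
homedir_boolean_state() {
    getsebool openvpn_enable_homedirs 2>/dev/null || echo 'getsebool not available'
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_triage
homedir_boolean_state
```

On a real host, replace the sample with `grep AVC /var/log/audit/audit.log | avc_triage`; the helper only reports and never changes policy.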
Comment 11 Matěj Cepl 2008-01-18 06:43:58 EST
(In reply to comment #9)
> Someone can close this bug btw.

Tim, it's probably you. BTW, if not just for this one, I cannot test this
anymore, because I don't use OpenVPN (unfortunately, I have to use VPNC only
now) anymore.
Comment 12 Tim Niemueller 2008-01-18 07:29:35 EST
Closing this as WORKSFORME. This definitely was a bug but I can't tell when this
was solved in the SELinux policy...
