Bug 214556 - SELinux doesn't allow connecting through openvpn
Summary: SELinux doesn't allow connecting through openvpn
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager-openvpn
Version: 6
Hardware: i386 Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tim Niemueller
QA Contact: Fedora Extras Quality Assurance
Reported: 2006-11-08 08:26 UTC by Matěj Cepl
Modified: 2018-04-11 08:00 UTC

Doc Type: Bug Fix
Last Closed: 2008-01-18 12:29:35 UTC


Attachments
relevant part of /var/log/audit/audit.log (4.75 KB, text/plain), 2006-11-08 08:26 UTC, Matěj Cepl
relevant part of /var/log/messages (3.38 KB, text/plain), 2006-11-08 08:29 UTC, Matěj Cepl
excerpt from /var/log/messages (1.31 KB, text/plain), 2008-01-18 10:45 UTC, Daniel Challen

Description Matěj Cepl 2006-11-08 08:26:06 UTC
Description of problem:
Numerous SELinux problems with connecting to OpenVPN with the NetworkManager applet.
I can connect with service openvpn start without any problem.

Version-Release number of selected component (if applicable):
NetworkManager-openvpn-0.3.2-7.fc6

How reproducible:
100%

Steps to Reproduce:
1. configure and setup OpenVPN in NetworkManager
2. click on the NM icon and select connect to "particular OpenVPN"
Actual results:
get error message "The VPN login failed because the VPN program could not
connect to the VPN server." and setroubleshootd icon gets off saying that there
is an SELinux problem (see attached part of audit.log) and that I should
temporarily fix it with command

setsebool -P NetworkManager_disable_trans=1

next time it happened the command to fix it was

setsebool -P allow_ypbind=1

I ran both, but I couldn't get a connection.

Expected results:
get connected to OpenVPN

Additional info:

Comment 1 Matěj Cepl 2006-11-08 08:26:07 UTC
Created attachment 140634
relevant part of /var/log/audit/audit.log

Comment 2 Matěj Cepl 2006-11-08 08:29:03 UTC
Created attachment 140635
relevant part of /var/log/messages

Comment 3 Manmathan Kumarathurai 2007-03-28 20:49:35 UTC
Same problem here.

Comment 4 Christoph Höger 2007-05-07 14:20:33 UTC
Same problem here: SELinux denies execute, execute_trans (wondering what that
means), read on openvpn, node_bind and name_bind for nm-openvpn-serv.
It seems to me that the SELinux policy should be patched for this.

Comment 5 Christoph Höger 2007-05-14 07:47:58 UTC
Hi @all,

the same problem still occurs in f7t4.
I think it's just a missing SELinux policy for the openvpn binary. Could someone
provide one or tell me how to make one?

regards

Comment 6 Daniel Challen 2008-01-18 10:44:13 UTC
In my case, on Fedora 8 x86_64 with 
$ rpm -qa NetworkManager\*
NetworkManager-0.7.0-0.6.6.svn3138.fc8
NetworkManager-vpnc-0.7.0-0.6.3.svn3109.fc8
NetworkManager-gnome-0.7.0-0.6.6.svn3138.fc8
NetworkManager-glib-0.7.0-0.6.6.svn3138.fc8
NetworkManager-openvpn-0.7.0-6.svn3169.fc8
I am seeing SELinux denials when openvpn tries to read my X.509 certs in ~/foo

Comment 7 Daniel Challen 2008-01-18 10:45:39 UTC
Created attachment 292122
excerpt from /var/log/messages

Comment 8 Christoph Höger 2008-01-18 10:51:27 UTC
The SELinux boolean openvpn_enable_homedirs should fix that.

btw: are you using x509 authentication? There seems to be another issue there.

Could you mail me please, if that works for you (choeger AT cs DOT tu-berlin.de)


Comment 9 Christoph Höger 2008-01-18 10:51:52 UTC
Someone can close this bug btw.

Comment 10 Daniel Challen 2008-01-18 11:39:32 UTC
Yes, enabling openvpn_enable_homedirs fixed the SELinux denial. Oops, in my case
PEBCAK, not a bug. I am seeing other errors with X.509 certificates, though I
can't find a bugzilla entry for that.
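An added diagnostic script (not from this bug or from Fedora) that summarises the AVC denials behind the reports above: the audit.log excerpt in the description, the permission list in comment 4, and the home-directory (user_home_t) case that comments 8 and 10 settle with openvpn_enable_homedirs. The audit records embedded below are constructed samples with invented pids, inodes and timestamps.

```shell
# Constructed sample audit.log records (not the reporter's attachment); the
# pids, inodes and timestamps are invented, the SELinux type names are standard.
SAMPLE_AVC='type=AVC msg=audit(1162974360.123:456): avc:  denied  { read } for  pid=4321 comm="openvpn" name="client.crt" dev=sda3 ino=123456 scontext=system_u:system_r:openvpn_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1162974361.456:457): avc:  denied  { name_bind } for  pid=4321 comm="openvpn" src=1194 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1162974361.456:457): arch=40000003 syscall=102 success=no exit=-13
type=AVC msg=audit(1162974362.789:458): avc:  denied  { execute } for  pid=4300 comm="nm-openvpn-serv" name="openvpn" dev=sda3 ino=98765 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:openvpn_exec_t:s0 tclass=file'
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_AVC" > "$SAMPLE_FILE"

# One tab-separated record per AVC denial in the given audit log:
#   comm  permission  tclass  source-domain  target-type  object (name or port)
# Non-AVC records (SYSCALL, ...) are skipped.
avc_summary() {
  awk '
    function field(k,   v) {
      # value of " k=..." or " k=\"...\"", quotes stripped; empty if absent
      if (match($0, " " k "=\"?[^ \"]+")) {
        v = substr($0, RSTART + length(k) + 2, RLENGTH - length(k) - 2)
        gsub(/"/, "", v)
        return v
      }
      return ""
    }
    /^type=AVC / && /avc: *denied/ {
      perm = $0
      sub(/.*denied *[{] */, "", perm); sub(/ *[}].*/, "", perm)
      split(field("scontext"), s, ":"); split(field("tcontext"), t, ":")
      obj = field("name"); if (obj == "") obj = field("src")
      printf "%s\t%s\t%s\t%s\t%s\t%s\n", field("comm"), perm, field("tclass"), s[3], t[3], obj
    }' "$1"
}

# Denials against files labelled user_home_t, the case the openvpn_enable_homedirs
# boolean covers. Prints the count.
home_dir_denials() {
  avc_summary "$1" | awk -F '\t' '$5 == "user_home_t" { n++ } END { print n + 0 }'
}

# Distinct source domains that were denied, one per line.
denied_domains() {
  avc_summary "$1" | cut -f 4 | LC_ALL=C sort -u
}

avc_summary "$SAMPLE_FILE"
echo "home-directory denials: $(home_dir_denials "$SAMPLE_FILE")"
```

Run it against the real /var/log/audit/audit.log instead of the sample file to see which domain (openvpn_t or NetworkManager_t) is being denied and whether the target is a home-directory file or a port.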

Comment 11 Matěj Cepl 2008-01-18 11:43:58 UTC
(In reply to comment #9)
> Someone can close this bug btw.

Tim, it's probably you. BTW, if not just for this one, I cannot test this
anymore, because I don't use OpenVPN (unfortunately, I have to use VPNC only
now) anymore.

Comment 12 Tim Niemueller 2008-01-18 12:29:35 UTC
Closing this as WORKSFORME. This definitely was a bug but I can't tell when this
was solved in the SELinux policy...

