Description of problem:
Numerous SELinux problems with connecting to OpenVPN with the NetworkManager applet. I can connect with service openvpn start without any problem.

Version-Release number of selected component (if applicable):
NetworkManager-openvpn-0.3.2-7.fc6

How reproducible:
100%

Steps to Reproduce:
1. configure and set up OpenVPN in NetworkManager
2. click on the NM icon and select connect to "particular OpenVPN"
3.

Actual results:
get error message "The VPN login failed because the VPN program could not connect to the VPN server." and the setroubleshootd icon goes off saying that there is an SELinux problem (see attached part of audit.log) and that I should temporarily fix it with the command
setsebool -P NetworkManager_disable_trans=1
The next time it happened, the command to fix it was
setsebool -P allow_ypbind=1
Ran both, but I couldn't get a connection.

Expected results:
get connected to OpenVPN

Additional info:
Created attachment 140634: relevant part of /var/log/audit/audit.log
Created attachment 140635: relevant part of /var/log/messages
Same problem here.
Same problem here: SELinux denies execute, execute_trans (wondering what that means), read on openvpn, node_bind and name_bind for nm-openvpn-serv. It seems to me that the SELinux policy should be patched for this.
Hi @all, the same problem still occurs in f7t4. I think it's just a missing SELinux policy for the openvpn binary. Could someone provide one or tell me how to make one? Regards
In my case, on Fedora 8 x86_64 with

$ rpm -qa NetworkManager\*
NetworkManager-0.7.0-0.6.6.svn3138.fc8
NetworkManager-vpnc-0.7.0-0.6.3.svn3109.fc8
NetworkManager-gnome-0.7.0-0.6.6.svn3138.fc8
NetworkManager-glib-0.7.0-0.6.6.svn3138.fc8
NetworkManager-openvpn-0.7.0-6.svn3169.fc8

I am seeing SELinux denials when openvpn tries to read my X.509 certs in ~/foo
Created attachment 292122: excerpt from /var/log/messages
The SELinux boolean openvpn_enable_homedirs should fix that. btw: are you using x509 authentication? There seems to be another issue there. Could you mail me please, if that works for you (choeger AT cs DOT tu-berlin.de)
Someone can close this bug btw.
Yes, enabling openvpn_enable_homedirs fixed the SELinux denial. Oops, in my case PEBCAK, not a bug. I am seeing other errors with X.509 certificates, though I can't find a bugzilla entry for that.
(In reply to comment #9)
> Someone can close this bug btw.

Tim, it's probably you. BTW, if not just for this one, I cannot test this anymore, because I don't use OpenVPN (unfortunately, I have to use VPNC only now) anymore.
Closing this as WORKSFORME. This definitely was a bug but I can't tell when this was solved in the SELinux policy...
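Added example, not part of the original bug report or its attachments: a small parser that groups AVC denials from audit.log by source type, target type and object class, which is the triage step behind deciding whether a boolean such as openvpn_enable_homedirs covers a denial or the policy itself needs a rule. The sample log lines are constructed for illustration, and the SELinux type names in them are assumptions, not values from the attached logs.

```python
import re
from collections import defaultdict

# Constructed sample records; they do NOT reproduce the bug's attachments.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1161000000.101:41): avc:  denied  { execute } for  pid=2345 comm="nm-openvpn-serv" name="openvpn" dev=dm-0 ino=1001 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:openvpn_exec_t:s0 tclass=file
type=AVC msg=audit(1161000000.102:42): avc:  denied  { read } for  pid=2345 comm="nm-openvpn-serv" name="openvpn" dev=dm-0 ino=1001 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:openvpn_exec_t:s0 tclass=file
type=AVC msg=audit(1161000000.103:43): avc:  denied  { name_bind } for  pid=2346 comm="nm-openvpn-serv" src=1194 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1161000000.103:43): arch=40000003 syscall=102 success=no exit=-13 comm="nm-openvpn-serv"
type=AVC msg=audit(1200000000.201:77): avc:  denied  { read } for  pid=3456 comm="openvpn" name="client.crt" dev=dm-0 ino=2002 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# Permissions sit inside "{ ... }"; the contexts and class trail the record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else None


def summarize_denials(log_text):
    """Map (source type, target type, class) -> sorted denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PATH and other record types carry no perms
        match = AVC_RE.search(line)
        if match is None:
            continue  # granted or malformed record
        source = selinux_type(match["scontext"])
        target = selinux_type(match["tcontext"])
        if source is None or target is None:
            continue
        summary[(source, target, match["tclass"])].update(match["perms"].split())
    return {key: sorted(perms) for key, perms in summary.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

Denials whose target is a home-directory type point at a boolean like the one named in the thread, while the others describe access the confined domain was never granted.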