Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. setup an openvpn connection using NetworkManager-openvpn plugin
2. start it

Actual results:
selinux error in the last step

Jun 12 23:49:14 pau64 kernel: audit(1181684954.113:31): avc: denied { execute } for pid=22913 comm="nm-openvpn-serv" name="openvpn" dev=dm-0 ino=368376 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:openvpn_exec_t:s0 tclass=file

Using the selinux troubleshooting tool setroubleshoot, this is the detailed report:

SELinux is preventing nm-openvpn-serv (NetworkManager_t) "execute" to openvpn (openvpn_exec_t)

Detailed Description
SELinux denied access requested by nm-openvpn-serv. It is not expected that this access is required by nm-openvpn-serv and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for openvpn,
restorecon -v openvpn
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ. Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context: system_u:system_r:NetworkManager_t
Target Context: system_u:object_r:openvpn_exec_t
Target Objects: openvpn [ file ]
Affected RPM Packages:
Policy RPM:
Selinux Enabled:
Policy Type:
MLS Enabled:
Enforcing Mode:
Plugin Name: plugins.catchall_file
Host Name:
Platform:
Alert Count: 1
First Seen: dt 12 jun 2007 23:37:43 CEST
Last Seen: dt 12 jun 2007 23:37:43 CEST
Local ID: f414b04e-bdc5-48d6-ab2a-f6a23e1ecd67
Line Numbers: 1

Expected results:
openvpn connection

Additional info:
This bug should probably be against selinux-policy.
Fixed in selinux-policy-2.6.4-15
Did someone try this so that I can close this bug?
I opened the bug but cannot find it in testing to try it.
This is probably the same bug as https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214556 but there seems to be no updated package on f7-updates-testing
Hi, the latest update seems to fix the original bug, but still avoids usage. In my case, SELinux denied access on the certs and keys for openvpn. The message is:

Jul 1 23:08:53 choeger4 kernel: audit(1183324133.720:6): avc: denied { search } for pid=3903 comm="openvpn" name="home" dev=sda6 ino=3924481 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Jul 1 23:08:53 choeger4 nm-openvpn[3903]: Cannot load certificate file /home/choeger/cert2/choeger.crt: error:0200100D:system library:fopen:Permission denied: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
I don't get any selinux error now, but I have the same problem with the certificate file read permissions:

Jul 2 00:34:47 pau64 nm-openvpn[24790]: Cannot load certificate file /home/pau/openvpn/pau_openvpn.crt: error:0200100D:system library:fopen:Permission denied: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Where are the certificate files stored?
In my home, see the posted log: /home/pau/openvpn/pau_openvpn.crt
Added boolean to allow openvpn to read homedir. selinux-policy-2.6.4-26

setsebool -P openvpn_enable_homedirs=1
That is fine, but, if NetworkManager is personal, not global, shouldn't this be the default option? Otherwise you would use the network config tools to setup openvpn. Nobody will have the certificates in a common directory if they are to be used by NM. I'll give it a shot tonight to see if it works :)
In updates-testing we have selinux-policy-2.6.4-25.fc7. In updates we have selinux-policy-2.6.4-21.fc7. Can you please push selinux-policy-2.6.4-26 to testing?
Hi, selinux-policy-2.6.4-26 still doesn't fix the bug. Even with openvpn_enable_homedirs=1 I got:

Jul 12 21:17:12 choeger4 kernel: audit(1184267832.707:11): avc: denied { dac_read_search } for pid=3895 comm="openvpn" capability=2 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
Jul 12 21:17:12 choeger4 nm-openvpn[3895]: Cannot load certificate file /home/choeger/cert2/choeger.crt: error:0200100D:system library:fopen:Permission denied: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Jul 12 21:17:12 choeger4 nm-openvpn[3895]: Exiting
If you add this rule using audit2allow

grep openvpn /var/log/audit/audit.log | audit2allow -M myopenvpn
semodule -i myopenvpn

Does it work?
Added this fix to selinux-policy-2.6.4-28
Created attachment 159156: all selinux problems I encountered
Created attachment 159157: generated output
Created attachment 159158: selinux module
I needed to repeat the steps some times to get it to work finally. I hope my attachments will help you.
Fixed in selinux-policy-2.6.4-28
Fixed for me too.
I'm having similar problems in Fedora 9 with SELinux, NetworkManager and OpenVPN. Dunno if it needs to be a new bug, or reopened. Thanks, Barry

Summary: SELinux is preventing openvpn (openvpn_t) "search" to / (home_root_t).

Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux denied access requested by openvpn. It is not expected that this access is required by openvpn and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /,
restorecon -v '/'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context unconfined_u:system_r:openvpn_t:s0
Target Context system_u:object_r:home_root_t:s0
Target Objects / [ dir ]
Source openvpn
Source Path /usr/sbin/openvpn
Port <Unknown>
Host foo.bar.net
Source RPM Packages openvpn-2.1-0.26.rc8.fc9
Target RPM Packages filesystem-2.4.13-1.fc9
Policy RPM selinux-policy-3.3.1-84.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name foo.bar.net
Platform Linux foo.bar.net 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count 3
First Seen Tue 19 Aug 2008 12:18:00 AM PDT
Last Seen Tue 19 Aug 2008 12:54:42 AM PDT
Local ID e340c6c6-fb80-44ca-b508-e32a49e7d058
Line Numbers

Raw Audit Messages
host=foo.bar.net type=AVC msg=audit(1219132482.809:379): avc: denied { search } for pid=441 comm="openvpn" name="/" dev=dm-1 ino=2 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
host=foo.bar.net type=AVC msg=audit(1219132482.809:379): avc: denied { search } for pid=441 comm="openvpn" name="barry" dev=dm-1 ino=606209 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
host=foo.bar.net type=AVC msg=audit(1219132482.809:379): avc: denied { search } for pid=441 comm="openvpn" name="Download" dev=dm-1 ino=606235 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
host=foo.bar.net type=AVC msg=audit(1219132482.809:379): avc: denied { read } for pid=441 comm="openvpn" name="bjg.pennysaverusa.net.user.crt" dev=dm-1 ino=1278312 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
host=foo.bar.net type=SYSCALL msg=audit(1219132482.809:379): arch=40000003 syscall=5 success=yes exit=6 a0=bfde4eae a1=8000 a2=1b6 a3=0 items=0 ppid=435 pid=441 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
I do not know why your / directory has home_root_t context and I also do not know why you store openvpn files there. But I would suggest enabling the selinux bool openvpn_enable_homedirs and putting your openvpn files in your home dir, as you probably want to enable the connection as a normal user. Regards, Christoph
My OpenVPN connection files ARE in my home directory, which is not part of the / partition. However, I still had to use 'sudo' to run the OpenVPN command-line version, as I got a permission denied otherwise. But NM gets the SELinux error, with the files in my home dir. Thanks, Barry
If you run your avc's through audit2why

avc: denied { read } for pid=441 comm="openvpn" name="bjg.pennysaverusa.net.user.crt" dev=dm-1 ino=1278312 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
host=foo.bar.net type=SYSCALL msg=audit(1219132482.809:379): arch=40000003 syscall=5 success=yes exit=6 a0=bfde4eae a1=8000 a2=1b6 a3=0 items=0 ppid=435 pid=441 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

Was caused by:
The boolean openvpn_enable_homedirs was set incorrectly.
Description:
Allow openvpn service access to users home directories
Allow access by executing:
# setsebool -P openvpn_enable_homedirs 1

Did you turn on the boolean? This is also a Fedora 7 bugzilla, please open a new one if you believe you have a new problem.
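The thread resolves three distinct denial patterns in different ways (a missing NetworkManager_t to openvpn_exec_t rule and a missing capability rule needed policy updates, while openvpn_t reaching into home directory labels is governed by the openvpn_enable_homedirs boolean). The following triage script is an added example, not code from the bug or from the selinux-policy package: it parses AVC lines of the form quoted in this thread and maps each to the remedy the maintainers gave, so a reader can tell a boolean problem from a policy bug before reaching for audit2allow. The sample records are constructed from the denials above; the classification rules are only the ones this thread establishes.

```python
import re

# Constructed sample records modelled on the denials quoted in this bug
# (same field layout as the thread's audit lines, but not a real log file).
SAMPLE_AVCS = """\
audit(1181684954.113:31): avc: denied { execute } for pid=22913 comm="nm-openvpn-serv" name="openvpn" dev=dm-0 ino=368376 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:openvpn_exec_t:s0 tclass=file
audit(1183324133.720:6): avc: denied { search } for pid=3903 comm="openvpn" name="home" dev=sda6 ino=3924481 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
audit(1184267832.707:11): avc: denied { dac_read_search } for pid=3895 comm="openvpn" capability=2 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perm>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Home-directory labels that the openvpn_enable_homedirs boolean covers (from the thread).
HOME_TYPES = {"home_root_t", "user_home_dir_t", "user_home_t"}


def parse_avc(line):
    """Parse one AVC denial into a dict of its fields; returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perm": m.group("perm")}
    for key, val in KV_RE.findall(m.group("kv")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is the third field.
    rec["stype"] = rec.get("scontext", "::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::").split(":")[2]
    return rec


def classify(rec):
    """Map a parsed denial to the remedy this thread arrived at for that pattern."""
    if rec["stype"] == "openvpn_t" and rec["ttype"] in HOME_TYPES:
        return "boolean: setsebool -P openvpn_enable_homedirs 1 (or keep the files in /etc/openvpn)"
    if rec["stype"] == "openvpn_t" and rec.get("tclass") == "capability":
        return "policy: openvpn_t lacks a capability rule; needs a selinux-policy update, not a boolean"
    if rec["stype"] == "NetworkManager_t" and rec["ttype"] == "openvpn_exec_t":
        return "policy: NetworkManager_t may not execute openvpn_exec_t; needs a selinux-policy update"
    return "unknown: check labels with restorecon -nv first, then run the line through audit2why"


def triage(log_text):
    """Return [(comm, perm, source type, target type, remedy)] for every AVC line in log_text."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rows.append((rec.get("comm", "?"), rec["perm"], rec["stype"], rec["ttype"], classify(rec)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_AVCS):
        print(row)
```

Feed it `grep avc /var/log/audit/audit.log` (or the kernel lines from /var/log/messages, as in this thread) to get one row per denial.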
Sorry, I had missed that. Moving files to /etc/openvpn; it works now. Thanks!