Description of problem:
Hello, I am trying to set up an openvpn client using kde-plasma-networkmanagement as a non-root user, and I put the openvpn files (ca.crt, host.crt, host.key, ta.key) in ~/Profiles/openvpn, but selinux denies openvpn access with two AVCs.

1.
type=AVC msg=audit(1291655409.306:28134): avc: denied { read } for pid=5671 comm="openvpn" name="host.crt" dev=dm-7 ino=1177596 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

I fixed this with:
sudo semanage fcontext -a --seuser system_u -t openvpn_etc_t '/home/user/Profiles/openvpn(/.*)?'
sudo restorecon -RFv /home/gabriel/Profiles/openvpn

2.
type=AVC msg=audit(1291260835.088:27263): avc: denied { search } for pid=3302 comm="openvpn" name="Profiles" dev=dm-7 ino=1175082 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

The above AVC I fixed by generating a selinux module via audit2allow.

Version-Release number of selected component (if applicable):
kde-plasma-networkmanagement-0.9-0.28.20101011.fc14.i686
knetworkmanager-openvpn-0.9-0.28.20101011.fc14.i686
NetworkManager-openvpn-0.8.1-1.fc14.i686
openvpn-2.1.1-2.fc13.i686
selinux-policy-targeted-3.9.7-14.fc14.noarch

How reproducible:
always

Steps to Reproduce:
1. try to set up an openvpn client via kde-plasma-networkmanagement with the certs and key files in a user home dir
2.
3.

Actual results:
no openvpn connection will be initiated because selinux denies openvpn access to the files in the home dir

Expected results:
a working openvpn connection

Additional info:
I suppose that creating an openvpn_usercerts_t selinux type or something like that, and designating a directory under /home/user where to put the cert files, will be sufficient, because it seems openvpn_t can read user_home_dir_t but not user_home_t.

thanks, Gabriel
~/.cert or ~/.pki are labeled for this purpose. Miroslav, can you change user_read_home_certs to use userdom_search_user_home_content($1)? That way it can search any directory in ~ for home_cert_t.
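An added example, not part of the bug thread: a small POSIX sh script that parses AVC lines of the form quoted in the report and flags openvpn_t denials whose target object still carries a generic home label (user_home_t or user_home_dir_t) instead of home_cert_t. The two sample AVCs are copied from the report; the third (a var_log_t denial) is a constructed line included only to show a denial the check should not flag. The remedy it prints is the one the thread arrives at: keep the certs under ~/.cert or ~/.pki, which the policy labels home_cert_t, and restorecon them, rather than granting openvpn_t access to all of $HOME.

```shell
#!/bin/sh
# Added example, not from the bug thread. Parses AVC denial lines like the
# ones quoted in the report and flags openvpn_t denials whose target object
# is labeled user_home_t / user_home_dir_t instead of home_cert_t.

# Constructed sample input: the first two lines are the AVCs from the report,
# the third is an assumed, unrelated denial used as a negative case.
AVC_READ_CERT='type=AVC msg=audit(1291655409.306:28134): avc: denied { read } for pid=5671 comm="openvpn" name="host.crt" dev=dm-7 ino=1177596 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
AVC_SEARCH_DIR='type=AVC msg=audit(1291260835.088:27263): avc: denied { search } for pid=3302 comm="openvpn" name="Profiles" dev=dm-7 ino=1175082 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'
AVC_OTHER='type=AVC msg=audit(1291660000.000:28200): avc: denied { write } for pid=5700 comm="openvpn" name="openvpn.log" dev=dm-7 ino=1177600 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=... (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the permission(s) listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE: print "STATUS comm name tclass perm target_type".
# STATUS is MISLABELED when an openvpn_t process was denied access to an
# object carrying a generic home label, OTHER for any other denial.
classify_avc() {
    _stype=$(ctx_type "$(avc_field "$1" scontext)")
    _ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    _status=OTHER
    if [ "$_stype" = openvpn_t ]; then
        case $_ttype in
            user_home_t|user_home_dir_t) _status=MISLABELED ;;
        esac
    fi
    printf '%s %s %s %s %s %s\n' "$_status" "$(avc_field "$1" comm)" \
        "$(avc_field "$1" name)" "$(avc_field "$1" tclass)" \
        "$(avc_perm "$1")" "$_ttype"
}

# count_mislabeled: number of sample AVCs that point at a mislabeled object.
count_mislabeled() {
    printf '%s\n' "$AVC_READ_CERT" "$AVC_SEARCH_DIR" "$AVC_OTHER" |
    while IFS= read -r l; do classify_avc "$l"; done |
    awk '/^MISLABELED/ { n++ } END { print n + 0 }'
}

# Report each denial, then the fix the thread settles on for the flagged ones.
for avc in "$AVC_READ_CERT" "$AVC_SEARCH_DIR" "$AVC_OTHER"; do
    classify_avc "$avc"
done
echo "mislabeled objects: $(count_mislabeled)"
echo "fix: keep the certs under ~/.pki (or ~/.cert) and run: restorecon -RFv ~/.pki"
```

On a real system the same functions can be fed from `ausearch -m avc -c openvpn` instead of the embedded sample lines; a MISLABELED result means the file lives outside the directories the policy labels home_cert_t, which `ls -Z` on the path will confirm.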
Thanks, the ~/.pki/openvpn/ directory with the certs and keys worked just fine. Thanks again, Gabriel
Fixed in selinux-policy-3.9.7-16.fc14
selinux-policy-3.9.7-16.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-16.fc14
selinux-policy-3.9.7-16.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-16.fc14
selinux-policy-3.9.7-16.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 475024: bug report from SELinux policy problem tool

I just hit this with: selinux-policy-targeted-3.9.7-20.fc14.noarch
I'll attach the report it generated.
Andrew, the problem you have is that the file is labeled incorrectly. It should be home_cert_t. Where is newca.crt located?