SELinux is preventing /usr/libexec/nm-openvpn-service from 'getattr' accesses on the file /home/odeda/.local/taboola-vpn/oded.a.pem.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that nm-openvpn-service should be allowed getattr access on the oded.a.pem file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep nm-openvpn-serv /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                unconfined_u:object_r:gconf_home_t:s0
Target Objects                /home/odeda/.local/taboola-vpn/oded.a-key.pem [ file ]
Source                        nm-openvpn-serv
Source Path                   /usr/libexec/nm-openvpn-service
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-openvpn-0.8.999-1.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-24.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.6-27.fc15.x86_64 #1 SMP Sun May 15 17:23:28 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 28 May 2011 04:23:01 PM IDT
Last Seen                     Sat 28 May 2011 04:23:01 PM IDT
Local ID                      0b90e045-0a46-4184-b43d-896e9c42b943

Raw Audit Messages
type=AVC msg=audit(1306588981.489:1582): avc: denied { getattr } for pid=3845 comm="nm-openvpn-serv" path="/home/odeda/.local/taboola-vpn/oded.a.pem" dev=sda5 ino=2625201 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=file

type=SYSCALL msg=audit(1306588981.489:1582): arch=x86_64 syscall=fstat success=yes exit=0 a0=6 a1=7ffffeaf6950 a2=7ffffeaf6950 a3=7ffffeaf66b0 items=0 ppid=3726 pid=3845 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nm-openvpn-serv exe=/usr/libexec/nm-openvpn-service subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Hash: nm-openvpn-serv,NetworkManager_t,gconf_home_t,file,getattr

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t gconf_home_t:file getattr;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t gconf_home_t:file getattr;
You should put your personal certificates in ~/.pki (which is a directory that should have type home_cert_t).

matchpathcon ~/.pki
/home/dgrift/.pki	staff_u:object_r:home_cert_t:s0

ls -dZ ~/.pki
drwxrw----. dgrift dgrift staff_u:object_r:home_cert_t:s0 /home/dgrift/.pki
~/.pki on my system is:

$ matchpathcon ~/.pki
/home/odeda/.pki	unconfined_u:object_r:home_cert_t:s0
$ ls -dZ ~/.pki
drwxr-----. odeda users unconfined_u:object_r:user_home_t:s0 /home/odeda/.pki

a) How can I set the context correctly?

b) Why do I need to do that? IMO it places an unacceptable burden on the user to know that they should create a .pki directory for their certificate and to set that to have the correct context.
a) Install policycoreutils-restorecond and re-login to your session (once re-logged in, please run restorecon -R -v ~ to restore your whole directory).

b) Normally you do not need to restore the context manually; restorecond does it for you. However, for some reason policycoreutils-restorecond was not installed by default in Fedora 15, which is causing this.

As for using ~/.pki, well, that is the proper place to put certificates. We don't want to have to allow system services (like vpn) to read (generic) user home content. ~/.pki allows us to only give access to content in that directory, e.g. to read cert_home_t type files.
As Dominick wrote, the default location for your certs in the home directory is ~/.pki. If you move a cert from another location to this location, you need to run the "restorecon" command to fix the label.

# restorecon -R -v ~/.pki

Or you could set up the proper label using "chcon" or "semanage" for the current location of your certs.

# chcon -t home_cert_t /home/odeda/.local/taboola-vpn/oded.a-
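The following script is an added example, not part of this bug report and not Fedora's own tooling. It puts the two checks from the thread (matchpathcon for the label the policy expects, the on-disk label for what the directory actually has) side by side and applies the fix that matches the location. The caveat a practitioner wants here: chcon only rewrites the label on the inode, so the next restorecon or filesystem relabel reverts it; for a directory outside ~/.pki the persistent fix is a semanage fcontext rule followed by restorecon, which is what the script does. The function names are this example's own; the sample contexts and paths are the ones quoted above.

```shell
#!/bin/sh
# Added example: verify and repair the SELinux label of a certificate
# directory. Not from the bug report or from Fedora; helper names are
# this script's own. Needs root for semanage/restorecon.

# Type field of a context such as unconfined_u:object_r:user_home_t:s0.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds when the expected and actual contexts carry the same type
# (user and role differ between accounts; the type is what policy checks).
label_matches() {
    [ "$(selinux_type "$1")" = "$(selinux_type "$2")" ]
}

# Which fix applies for directory $1 given home directory $2:
# under ~/.pki the policy already maps the path to home_cert_t, so
# restorecon alone is enough; elsewhere a file-context rule has to be
# recorded first, or a later restorecon silently undoes a plain chcon.
remediation_kind() {
    case "$1" in
        "$2"/.pki|"$2"/.pki/*) echo restorecon ;;
        *)                     echo fcontext ;;
    esac
}

# Label the policy expects: second column of matchpathcon output.
expected_context() {
    matchpathcon "$1" | awk '{print $2}'
}

# Label actually on disk; stat's %C is stabler than parsing ls -Z.
actual_context() {
    stat -c %C "$1"
}

# Apply the fix chosen by remediation_kind. The fcontext regex covers the
# directory and everything below it.
relabel_cert_dir() {
    dir=$1
    if [ "$(remediation_kind "$dir" "$HOME")" = restorecon ]; then
        restorecon -R -v "$dir"
    else
        semanage fcontext -a -t home_cert_t "${dir}(/.*)?" &&
            restorecon -R -v "$dir"
    fi
}

check_and_fix() {
    dir=$1
    want=$(expected_context "$dir")
    have=$(actual_context "$dir")
    if label_matches "$want" "$have"; then
        echo "$dir: already labelled $(selinux_type "$have")"
    else
        echo "$dir: is $(selinux_type "$have"), policy expects $(selinux_type "$want")"
        relabel_cert_dir "$dir"
    fi
}

# Usage: sh fix-cert-label.sh ~/.pki
#    or: sh fix-cert-label.sh /home/odeda/.local/taboola-vpn
if [ $# -gt 0 ]; then
    check_and_fix "$1"
fi
```

On the system in this thread, running it against ~/.pki reports user_home_t versus the expected home_cert_t and runs restorecon; pointed at the taboola-vpn directory instead, it records an fcontext rule so the label survives the next relabel.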
After running restorecon and moving the certificate to ~/.pki, everything works. It might have been a good idea to have this documented somewhere, or better yet, have NetworkManager's openvpn wizard create the directory, set the correct security context and copy the certificates to it. Currently, as it is, to make OpenVPN work in F15 one needs to know how to do all these things and do them manually, while the openvpn setup dialog lets the user pick any directory in which to store their certificates.
I think there is an open Bugzilla on NetworkManager to do exactly this.