[Fedora 20] SELinux preventing OpenVpn from working

[kawaiisenpai]

I am in need of some help...

When I try to connect to my VPN in fedora 20 it doesn't work and a SELinux alert pops up.
SELinux is blocking Openvpn from opening a .pem key file stored in my documents that is needed to log into my VPN. I attempted to troubleshoot but the given solutions didnt work. Is there a way to give openvpn permission to open files?

Also here is the log

Code:

SELinux is preventing /usr/sbin/openvpn from 'open' accesses on the file /home/r00t/Documents/RiseupCA.pem.

*****  Plugin openvpn (47.5 confidence) suggests   ***************************

If you want to mv RiseupCA.pem to standard location so that openvpn can have open access
Then you must move the cert file to the ~/.cert directory
Do
# mv /home/r00t/Documents/RiseupCA.pem ~/.cert
# restorecon -R -v ~/.cert


*****  Plugin openvpn (47.5 confidence) suggests   ***************************

If you want to modify the label on RiseupCA.pem so that openvpn can have open access on it
Then you must fix the labels.
Do
# semanage fcontext -a -t home_cert_t /home/r00t/Documents/RiseupCA.pem
# restorecon -R -v /home/r00t/Documents/RiseupCA.pem


*****  Plugin catchall (6.38 confidence) suggests   **************************

If you believe that openvpn should be allowed open access on the RiseupCA.pem file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/r00t/Documents/RiseupCA.pem [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openvpn-2.3.2-4.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.12.5-302.fc20.x86_64 #1 SMP Tue
                              Dec 17 20:42:32 UTC 2013 x86_64 x86_64
Alert Count                   14
First Seen                    2014-01-01 13:46:12 PST
Last Seen                     2014-01-01 18:51:21 PST
Local ID                      6551e965-9c80-4960-9ff9-93bbe50c505a

Raw Audit Messages
type=AVC msg=audit(1388631081.344:517): avc:  denied  { open } for  pid=9115 comm="openvpn" path="/home/r00t/Documents/RiseupCA.pem" dev="dm-3" ino=5768014 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1388631081.344:517): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffe3c77f6a a1=0 a2=1b6 a3=7fffe3c76290 items=0 ppid=9108 pid=9115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=openvpn exe=/usr/sbin/openvpn subj=system_u:system_r:openvpn_t:s0 key=(null)

Hash: openvpn,openvpn_t,user_home_t,file,open

[DBelton]

Have you tried doing as it suggested above?

The best course of action would be the first suggestion above

Code:

If you want to mv RiseupCA.pem to standard location so that openvpn can have open access
Then you must move the cert file to the ~/.cert directory
Do
# mv /home/r00t/Documents/RiseupCA.pem ~/.cert
# restorecon -R -v ~/.cert

If you put the .pem file in the folder it suggests, then SELinux will keep the context correct for it without you needing to do anything to SELinux.

I would suggest putting the .pem file in ~/.cert (create the folder if you need to) and then running restorecon on that folder.

[lmm5247]

Have you tried doing as it suggested above?

The best course of action would be the first suggestion above

Code:

If you want to mv RiseupCA.pem to standard location so that openvpn can have open access
Then you must move the cert file to the ~/.cert directory
Do
# mv /home/r00t/Documents/RiseupCA.pem ~/.cert
# restorecon -R -v ~/.cert

If you put the .pem file in the folder it suggests, then SELinux will keep the context correct for it without you needing to do anything to SELinux.

I would suggest putting the .pem file in ~/.cert (create the folder if you need to) and then running restorecon on that folder.

Agreed. I was trying to setup PrivateInternetAccess and encountered this same issue.