[Fedora 20] SELinux preventing OpenVpn from working
FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Jan 2014
    Location
    USA
    Posts
    1

    [Fedora 20] SELinux preventing OpenVpn from working

    I am in need of some help...

    When I try to connect to my VPN in Fedora 20 it doesn't work and a SELinux alert pops up.
    SELinux is blocking OpenVPN from opening a .pem key file stored in my documents that is needed to log into my VPN. I attempted to troubleshoot but the given solutions didn't work. Is there a way to give openvpn permission to open files?

    Also here is the log

    Code:
    SELinux is preventing /usr/sbin/openvpn from 'open' accesses on the file /home/r00t/Documents/RiseupCA.pem.
    
    *****  Plugin openvpn (47.5 confidence) suggests   ***************************
    
    If you want to mv RiseupCA.pem to standard location so that openvpn can have open access
    Then you must move the cert file to the ~/.cert directory
    Do
    # mv /home/r00t/Documents/RiseupCA.pem ~/.cert
    # restorecon -R -v ~/.cert
    
    
    *****  Plugin openvpn (47.5 confidence) suggests   ***************************
    
    If you want to modify the label on RiseupCA.pem so that openvpn can have open access on it
    Then you must fix the labels.
    Do
    # semanage fcontext -a -t home_cert_t /home/r00t/Documents/RiseupCA.pem
    # restorecon -R -v /home/r00t/Documents/RiseupCA.pem
    
    
    *****  Plugin catchall (6.38 confidence) suggests   **************************
    
    If you believe that openvpn should be allowed open access on the RiseupCA.pem file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
    
    Additional Information:
    Source Context                system_u:system_r:openvpn_t:s0
    Target Context                unconfined_u:object_r:user_home_t:s0
    Target Objects                /home/r00t/Documents/RiseupCA.pem [ file ]
    Source                        openvpn
    Source Path                   /usr/sbin/openvpn
    Port                          <Unknown>
    Host                          (removed)
    Source RPM Packages           openvpn-2.3.2-4.fc20.x86_64
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     (removed)
    Platform                      Linux (removed) 3.12.5-302.fc20.x86_64 #1 SMP Tue
                                  Dec 17 20:42:32 UTC 2013 x86_64 x86_64
    Alert Count                   14
    First Seen                    2014-01-01 13:46:12 PST
    Last Seen                     2014-01-01 18:51:21 PST
    Local ID                      6551e965-9c80-4960-9ff9-93bbe50c505a
    
    Raw Audit Messages
    type=AVC msg=audit(1388631081.344:517): avc:  denied  { open } for  pid=9115 comm="openvpn" path="/home/r00t/Documents/RiseupCA.pem" dev="dm-3" ino=5768014 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
    
    
    type=SYSCALL msg=audit(1388631081.344:517): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffe3c77f6a a1=0 a2=1b6 a3=7fffe3c76290 items=0 ppid=9108 pid=9115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=openvpn exe=/usr/sbin/openvpn subj=system_u:system_r:openvpn_t:s0 key=(null)
    
    Hash: openvpn,openvpn_t,user_home_t,file,open

  2. #2
    Join Date
    Aug 2009
    Posts
    11,390

    Re: [Fedora 20] SELinux preventing OpenVpn from working

    Have you tried doing as it suggested above?

    The best course of action would be the first suggestion above
    Code:
    If you want to mv RiseupCA.pem to standard location so that openvpn can have open access
    Then you must move the cert file to the ~/.cert directory
    Do
    # mv /home/r00t/Documents/RiseupCA.pem ~/.cert
    # restorecon -R -v ~/.cert

    If you put the .pem file in the folder it suggests, then SELinux will keep the context correct for it without you needing to do anything to SELinux.

    I would suggest putting the .pem file in ~/.cert (create the folder if you need to) and then running restorecon on that folder.

  3. #3
    lmm5247 Guest

    Re: [Fedora 20] SELinux preventing OpenVpn from working

    Quote Originally Posted by DBelton
    Have you tried doing as it suggested above?

    The best course of action would be the first suggestion above
    Code:
    If you want to mv RiseupCA.pem to standard location so that openvpn can have open access
    Then you must move the cert file to the ~/.cert directory
    Do
    # mv /home/r00t/Documents/RiseupCA.pem ~/.cert
    # restorecon -R -v ~/.cert
    If you put the .pem file in the folder it suggests, then SELinux will keep the context correct for it without you needing to do anything to SELinux.

    I would suggest putting the .pem file in ~/.cert (create the folder if you need to) and then running restorecon on that folder.

    Agreed. I was trying to set up PrivateInternetAccess and encountered this same issue.
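
Added example, not part of any post in this thread: a small POSIX shell parser that reduces raw AVC records to the five fields shown on the alert's `Hash:` line (command, source type, target type, class, permission) and counts each distinct denial, so you can see what a `grep openvpn ... | audit2allow` run would cover before building a module. The function names are hypothetical; the sample record is the one from the first post.

```shell
#!/bin/sh
# Sample input: the raw AVC record copied from the alert in the first post.
AVC_SAMPLE='type=AVC msg=audit(1388631081.344:517): avc:  denied  { open } for  pid=9115 comm="openvpn" path="/home/r00t/Documents/RiseupCA.pem" dev="dm-3" ino=5768014 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... in the record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_key LINE -> "comm,source_type,target_type,class,perms"
# The SELinux type is the third colon-separated field of a context
# (user:role:type:level).
avc_key() {
    comm=$(avc_field "$1" comm)
    stype=$(avc_field "$1" scontext | cut -d: -f3)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    tclass=$(avc_field "$1" tclass)
    perm=$(printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p')
    printf '%s,%s,%s,%s,%s\n' "$comm" "$stype" "$ttype" "$tclass" "$perm"
}

# avc_summarise: read audit records on stdin and print "COUNT KEY" for
# each distinct denial; non-AVC records (SYSCALL etc.) are skipped.
avc_summarise() {
    grep -E 'avc: +denied' | while IFS= read -r line; do
        avc_key "$line"
    done | sort | uniq -c | sed 's/^ *//'
}

# Stand-alone run on the sample record.
avc_key "$AVC_SAMPLE"
```

On a live system the same summary comes from `avc_summarise < /var/log/audit/audit.log`, run as a user allowed to read the audit log.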
