5:59 a.m.
Hi there,
I wanted to ask what the proper location is to store client OpenVPN
certificates, if any exists.
With SELinux enforcing the targeted policy, the following occurs on
attempting to connect to a VPN:
type=AVC msg=audit(1324632910.570:383): avc: denied { read } for
pid=4098 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169
scontext=system_u:system_r:openvpn_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1324632910.570:383): arch=c000003e syscall=2
success=no exit=-13 a0=7fff58e16ec9 a1=0 a2=1b6 a3=238 items=0 ppid=4095
pid=4098 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="openvpn"
exe="/usr/sbin/openvpn"
subj=system_u:system_r:openvpn_t:s0 key=(null)
When I setenforce 0, the following happens:
type=MAC_STATUS msg=audit(1324633028.994:384): enforcing=0
old_enforcing=1 auid=1000 ses=2
type=SYSCALL msg=audit(1324633028.994:384): arch=c000003e syscall=1
success=yes exit=1 a0=3 a1=7fffda4ea5f0 a2=1 a3=0 items=0 ppid=4032
pid=4145 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=2 comm="setenforce" exe="/usr/sbin/setenforce"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1324633034.039:385): avc: denied { read } for
pid=4149 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169
scontext=system_u:system_r:openvpn_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1324633034.039:385): avc: denied { open } for
pid=4149 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169
scontext=system_u:system_r:openvpn_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1324633034.039:385): arch=c000003e syscall=2
success=yes exit=5 a0=7fff96303ec9 a1=0 a2=1b6 a3=238 items=0 ppid=4146
pid=4149 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="openvpn"
exe="/usr/sbin/openvpn"
subj=system_u:system_r:openvpn_t:s0 key=(null)
For the vanmeeuwen.crt client certificate, there's also a
vanmeeuwen.key and a ca.crt, BTW, but the latter two never trigger an
audit trail (though have the same selinux context).
I have stored the certificates in a directory tree in ~/.openvpn, with
one directory per VPN connection, BTW, for which I recognize there is no
separate custom context definition in
/etc/selinux/targeted/contexts/files/.
Kind regards,
Jeroen van Meeuwen
--
Senior Engineer, Kolab Systems AG
e: vanmeeuwen at kolabsys.com
t: +44 144 340 9500
m: +44 74 2516 3817
w: http://www.kolabsys.com
pgp: 9342 BF08
6:51 a.m.
Hi Jeroen,
I'm not quite sure if I'm doing it right, but I have stored my OpenVPN
Client certificate in ~/.pki, it seems there is the only place
besides /etc/pki/ where it can have the proper SELinux context
(home_cert_t in this case) and looks like a sane location to store a
certificate also. :)
Merry Christmas,
Dominic
--
Dominic Hopf
http://dominichopf.de/
Key Fingerprint: A7DF C4FC 07AE 4DDC 5CA0 BD93 AAB0 6019 CA7D 868D
8:06 a.m.
On 2011-12-25 13:51, Dominic Hopf wrote:
Hi Jeroen,
I'm not quite sure if I'm doing it right, but I have stored my
OpenVPN
Client certificate in ~/.pki, it seems there is the only place
besides /etc/pki/ where it can have the proper SELinux context
(home_cert_t in this case) and looks like a sane location to store a
certificate also. :)
That could do the trick, and is not insensible indeed! Thanks for the
pointer.
Merry Christmas,
Kind regards,
Jeroen van Meeuwen
--
Senior Engineer, Kolab Systems AG
e: vanmeeuwen at kolabsys.com
t: +44 144 340 9500
m: +44 74 2516 3817
w: http://www.kolabsys.com
pgp: 9342 BF08
7:59 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/25/2011 09:06 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
On 2011-12-25 13:51, Dominic Hopf wrote:
> Hi Jeroen,
>
> I'm not quite sure if I'm doing it right, but I have stored my
> OpenVPN Client certificate in ~/.pki, it seems there is the only
> place besides /etc/pki/ where it can have the proper SELinux
> context (home_cert_t in this case) and looks like a sane location
> to store a certificate also. :)
>
That could do the trick, and is not insensible indeed! Thanks for
the pointer.
Merry Christmas,
Kind regards,
Jeroen van Meeuwen
Proper labeling for certs in the homedir is setup for ~/.pki or ~/.cert
grep home_cert_t /etc/selinux/targeted/modules/active/homedir_template
HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)?
system_u:object_r:home_cert_t:s0
HOME_DIR/\.pki(/.*)? system_u:object_r:home_cert_t:s0
HOME_DIR/\.cert(/.*)? system_u:object_r:home_cert_t:s0
You might need to run restorecon 0n the directories after you create.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk77IMsACgkQrlYvE4MpobOBpgCeKEA4Y0ZEplq4VB/eppIdFq5+
b1gAn1ZmdcL86tPOtznFBXMvF6riMXDc
=KG22
-----END PGP SIGNATURE-----
4496
days inactive
4499
days old
selinux@lists.fedoraproject.org
3 comments
3 participants
participants (3)
-
Daniel J Walsh -
Dominic Hopf -
Jeroen van Meeuwen