On 01/16/2012 04:46 PM, Miroslav Grepl wrote:
> On 01/16/2012 04:55 AM, Ed Greshko wrote:
>> On 01/15/2012 11:13 AM, Ed Greshko wrote:
>>> 2. What change could be made to allow the certs to be in $HOME/.openVPN?
>> OK..... After *properly* forming the google search I've done the
>> following....
>>
>> semanage fcontext -a -t home_cert_t "/home/user/.openVPN(/.*)?"
>> restorecon -R -v /home/user/.openVPN
>>
>> So, that is all fixed up....
>>
> Yes, this is also a solution. Or you can move your certs to
> /home/user/.cert
> which is the default location for these certs. I will write a new
> openvpn_selinux man page which will mention it.

OK, good to know.

This was the first time I've ever needed to set up an openvpn client.
So, I used the NetworkManager import function. Since that doesn't
support (or seems not to support) the extraction of certs from a
supplied config file I manually extracted the certs and put them where I
thought would be a logical place for me to remember.

I think I have to find out what component does the "import" and request
that the import function does the extraction and will check that the
chosen destination has the appropriate selinux contexts.

I think that will be the NetworkManager-openvpn package....

> Also could you look for setroubleshootd_t messages in your
> /var/log/audit/audit.log?

I've found the attached set of messages. They are from a few days ago,
during testing, so I can't recall what the system conditions were at the
time. But, I hope they are useful to find out why I can't see the alerts.

--
A common mistake that people make when trying to design something
completely foolproof was to underestimate the ingenuity of complete
fools. -- Douglas Adams in "Mostly Harmless"
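
The following is an added example, not part of the thread or of any project's code. It checks which paths the `semanage fcontext` pattern quoted above covers, next to a variant with the dot escaped, and finds files that do not yet carry `home_cert_t`. The function names, the extra sample paths and the `ls -Z`-style listing lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample paths and listing lines are constructed.

# fcontext_matches PATTERN PATH
# File-context patterns are regular expressions that must match the whole
# path, so the pattern is anchored at both ends before testing it.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq "^($1)\$"
}

# mislabeled TYPE
# Reads "context path" lines (the shape `ls -Z` prints) on stdin and prints
# every path whose SELinux type field (user:role:type:level) is not TYPE.
mislabeled() {
    awk -v want="$1" '{ split($1, c, ":"); if (c[3] != want) print $2 }'
}

# Constructed listing: one file relabeled, one still carrying user_home_t.
sample_listing() {
    printf '%s\n' \
        'unconfined_u:object_r:home_cert_t:s0 /home/user/.openVPN/ca.crt' \
        'unconfined_u:object_r:user_home_t:s0 /home/user/.openVPN/client.key'
}

loose='/home/user/.openVPN(/.*)?'     # pattern as typed in the thread
strict='/home/user/\.openVPN(/.*)?'   # same rule with the dot escaped

for p in /home/user/.openVPN /home/user/.openVPN/client.key \
         /home/user/XopenVPN/notes.txt /home/user/.openVPN-old/ca.crt; do
    for pat in "$loose" "$strict"; do
        if fcontext_matches "$pat" "$p"; then r=match; else r=no-match; fi
        printf '%-30s %-34s %s\n' "$pat" "$p" "$r"
    done
done

echo "Files not labeled home_cert_t:"
sample_listing | mislabeled home_cert_t
```

On a live system, the output of `ls -Z /home/user/.openVPN/*` can be piped into `mislabeled home_cert_t` after `restorecon` has run to confirm the relabel took effect.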