NetworkManager / OpenVPN Certificates

Jeroen van Meeuwen (Kolab Systems) vanmeeuwen at kolabsys.com
Sun Dec 25 11:59:52 UTC 2011 

Hi there,

I wanted to ask what the proper location is to store client OpenVPN 
certificates, if any exists.

With SELinux enforcing the targeted policy, the following occurs on 
attempting to connect to a VPN:

type=AVC msg=audit(1324632910.570:383): avc:  denied  { read } for  
pid=4098 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169 
scontext=system_u:system_r:openvpn_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1324632910.570:383): arch=c000003e syscall=2 
success=no exit=-13 a0=7fff58e16ec9 a1=0 a2=1b6 a3=238 items=0 ppid=4095 
pid=4098 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" 
subj=system_u:system_r:openvpn_t:s0 key=(null)

When I setenforce 0, the following happens:

type=MAC_STATUS msg=audit(1324633028.994:384): enforcing=0 
old_enforcing=1 auid=1000 ses=2
type=SYSCALL msg=audit(1324633028.994:384): arch=c000003e syscall=1 
success=yes exit=1 a0=3 a1=7fffda4ea5f0 a2=1 a3=0 items=0 ppid=4032 
pid=4145 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts1 ses=2 comm="setenforce" exe="/usr/sbin/setenforce" 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1324633034.039:385): avc:  denied  { read } for  
pid=4149 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169 
scontext=system_u:system_r:openvpn_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1324633034.039:385): avc:  denied  { open } for  
pid=4149 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169 
scontext=system_u:system_r:openvpn_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1324633034.039:385): arch=c000003e syscall=2 
success=yes exit=5 a0=7fff96303ec9 a1=0 a2=1b6 a3=238 items=0 ppid=4146 
pid=4149 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" 
subj=system_u:system_r:openvpn_t:s0 key=(null)

For the vanmeeuwen.crt client certificate, there's also a 
vanmeeuwen.key and a ca.crt, BTW, but the latter two never trigger an 
audit trail (though have the same selinux context).

I have stored the certificates in a directory tree in ~/.openvpn, with 
one directory per VPN connection, BTW, for which I recognize there is no 
separate custom context definition in 
/etc/selinux/targeted/contexts/files/.

Kind regards,

Jeroen van Meeuwen

-- 
Senior Engineer, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
t: +44 144 340 9500
m: +44 74 2516 3817
w: http://www.kolabsys.com

pgp: 9342 BF08

More information about the selinux mailing list