selinux and openVPN and no log entries

Ed Greshko Ed.Greshko at greshko.com
Sun Jan 15 03:13:01 UTC 2012


This is actually a "multi-part" question.....  I'm on F16 using KDE.

As a regular user I'm attempting to create an openVPN configuration
which uses X.509 certs.  I wanted to place the certs in $HOME/.openVPN
but ran into a problem.  The logs showed the following error:

Jan 15 10:31:51 f16-1 nm-openvpn[2611]: Cannot load certificate file
/home/egreshko/.openVPN/CERT: error:0200100D:system
library:fopen:Permission denied: error:20074002:BIO
routines:FILE_CTRL:system lib: error:140AD002:SSL
routines:SSL_CTX_use_certificate_file:system lib

After a bunch of head scratching and diagnosing I guessed that it must
have been due to an selinux setting and confirmed this by switching to
"permissive" mode.

There were no log entries for the selinux denial.  I saw in the archives
the pointer to http://danwalsh.livejournal.com/11673.html but running
the suggested "semodule -DB" didn't result in what I expected.  I didn't
get any "usable" error message but these appeared instead.

Jan 15 10:36:05 f16-1 sedispatch: AVC Message for setroubleshoot,
dropping message.

So, I have (I think) 2 questions.....

1.  What would need to be done to have meaningful selinux messages
written to the logs so they can be troubleshot? 

2.  What change could be made to allow the certs to be in $HOME/.openVPN?

Another comment would also be....  Why is the default situation that no
log entries or alerts are created?  Doesn't that obscure the fact that a
selinux issue is preventing something and making it harder to diagnose?

Thanks,
Ed
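The two questions above (surfacing a suppressed denial, and finding a label for the certificate directory that the policy already permits) map onto a short diagnostic routine. The script below is an added example, not from the original mail or from the Fedora SELinux project: the AVC record in it is constructed for illustration, the `home_cert_t` and `openvpn_t` type names are assumptions about the reference policy that should be confirmed with `seinfo` and `sesearch` before relying on them, and the live functions need root and the policycoreutils, setools and audit packages.

```shell
#!/bin/sh
# Added example: walk through hidden-denial diagnosis for a confined service
# that cannot read files under $HOME. Assumes Fedora tooling: getenforce,
# semodule, ausearch, seinfo, sesearch, semanage, restorecon.

# Pure text helper: reduce one AVC record to "<perm> <src type> <tgt type>
# <class> <comm>" so a denial can be read at a glance. Needs no SELinux.
avc_summarize() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
    printf '%s %s %s %s %s\n' "$perm" "$stype" "$ttype" "$tclass" "$comm"
}

# Question 1: make suppressed denials visible. dontaudit rules hide the
# AVC entirely, which is why nothing appeared in the logs; rebuilding the
# policy with them disabled (semodule -DB, as in the mail) makes the
# denial show up in the audit log. Undo with "semodule -B" when done.
show_hidden_denials() {
    echo "enforcing mode: $(getenforce)"
    semodule -DB
    ausearch -m AVC -ts recent -c openvpn
}

# Question 2: instead of widening the policy, put the certificates under a
# label the policy already lets the service read. Assumption: home_cert_t
# is the reference-policy type for user certificate files; confirm the
# type exists and that openvpn_t may read it before relabelling.
check_cert_type() {
    seinfo -t home_cert_t
    sesearch -A -s openvpn_t -t home_cert_t -c file
}

label_cert_dir() {
    dir=$1
    echo "current label:"; ls -dZ "$dir"
    semanage fcontext -a -t home_cert_t "$dir(/.*)?"
    restorecon -Rv "$dir"
}

# Constructed sample record (pid, dev and ino values are made up) showing
# what the hidden denial from the mail would look like once unsuppressed.
SAMPLE_AVC='type=AVC msg=audit(1326594965.401:58): avc:  denied  { read } for  pid=2611 comm="openvpn" name="CERT" dev=dm-2 ino=393221 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Offline demonstration; the live functions above are invoked by hand, e.g.
#   show_hidden_denials; check_cert_type; label_cert_dir "$HOME/.openVPN"
avc_summarize "$SAMPLE_AVC"
```

The summary line for the sample reads `read openvpn_t user_home_t file openvpn`: the openvpn domain is denied `read` on a plain `user_home_t` file, which is the generic label every unlisted path under a home directory gets, and confined services are deliberately not allowed to read it. That is the reason for relabelling a dedicated directory rather than adding an allow rule for all of `$HOME`.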

