selinux and openVPN and no log entries
Ed Greshko
Ed.Greshko at greshko.com
Mon Jan 16 07:45:18 UTC 2012
On 01/16/2012 04:46 PM, Miroslav Grepl wrote:
> On 01/16/2012 04:55 AM, Ed Greshko wrote:
>> On 01/15/2012 11:13 AM, Ed Greshko wrote:
>>> 2. What change could be made to allow the certs to be in $HOME/.openVPN?
>> OK..... After *properly* forming the google search I've done the
>> following....
>>
>> semanage fcontext -a -t home_cert_t "/home/user/.openVPN(/.*)?"
>> restorecon -R -v /home/user/.openVPN
>>
>> So, that is all fixed up....
>>
> Yes, this is also a solution. Or you can move your certs to
>
> /home/user/.cert
>
> which is default location for these certs. I will write a new
> openvpn_selinux man page which will mention it.
OK, good to know.
This was the first time I've ever needed to set up an openvpn client.
So, I used the NetworkManager import function. Since that doesn't
support (or seems not to support) the extraction of certs from a
supplied config file I manually extracted the certs and put them where I
thought would be a logical place for me to remember.
I think I have to find out what component does the "import" and request
that the import function does the extraction and will check that the
chosen destination has the appropriate selinux contexts.
I think that will be the NetworkManager-openvpn package....
>
>
> Also could you look for setroubleshootd_t messages in your
> /var/log/audit/audit.log?
>
>
I've found the attached set of messages. They are from a few days ago
during testing so I can't recall what the system conditions were at the
time. But, I hope they are useful to find out why I can't see the alerts.
--
A common mistake that people make when trying to design something
completely foolproof was to underestimate the ingenuity of complete
fools. -- Douglas Adams in "Mostly Harmless"
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: audit.txt
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20120116/2bff56e7/attachment.txt>
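
Added example, not part of the original post or its attachment: a small Python filter for the check requested in the thread, listing `avc: denied` records from audit.log text by source domain (here `setroubleshootd_t` and `openvpn_t`). The log records, the type `example_t`, the path and all pids/serials are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample records in audit.log format (not taken from the thread's attachment).
SAMPLE_LOG = """\
type=AVC msg=audit(1326412800.101:410): avc:  denied  { read } for  pid=2101 comm="openvpn" name="client.crt" dev=dm-1 ino=393301 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1326412800.101:410): arch=c000003e syscall=2 success=no exit=-13 comm="openvpn"
type=AVC msg=audit(1326412805.220:411): avc:  denied  { getattr } for  pid=1877 comm="setroubleshootd" path="/example/path" dev=dm-1 ino=2201 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_t:s0 tclass=file
type=AVC msg=audit(1326412900.007:415): avc:  granted  { setenforce } for  pid=3001 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

Denial = namedtuple("Denial", "epoch serial perms comm source_type target_type tclass")
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def selinux_type(context):
    """Return the type field of user:role:type:level[:categories]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_denials(text):
    """Yield one Denial per 'avc: denied' record; other records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        yield Denial(float(m.group("epoch")), int(m.group("serial")),
                     tuple(m.group("perms").split()), fields.get("comm", ""),
                     selinux_type(fields.get("scontext", "")),
                     selinux_type(fields.get("tcontext", "")),
                     fields.get("tclass", ""))


def denials_for(text, source_type):
    """Denials whose source (process) domain is exactly source_type."""
    return [d for d in parse_denials(text) if d.source_type == source_type]


if __name__ == "__main__":
    for domain in ("setroubleshootd_t", "openvpn_t"):
        for d in denials_for(SAMPLE_LOG, domain):
            print(domain, d.perms, d.comm, "->", d.target_type, d.tclass)
```

To run it against a real log, pass the contents of /var/log/audit/audit.log (readable by root) to `denials_for` instead of `SAMPLE_LOG`.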