Fedora 8: NetworkManager, OpenVPN and SELinux

Paul Howarth paul at city-fan.org
Mon Apr 7 09:12:40 UTC 2008


Pedro Lamarão wrote:
> Hello all.
> 
> I'm experimenting with a VPN connection set up through the 
> NetworkManager panel applet.
> 
> I have all certificate and key files stored in my home directory.
> 
> Trying to start this VPN connection triggers an AVC DENIED.
> 
> host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc: 
> denied  { read } for  pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2 
> ino=2408465 scontext=system_u:system_r:openvpn_t:s0 
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> 
> host=localhost.localdomain type=SYSCALL msg=audit(1207523029.36:66): 
> arch=40000003 syscall=5 success=no exit=-13 a0=bfa7ef0b a1=8000 a2=1b6 
> a3=8d23660 items=0 ppid=6396 pid=6400 auid=500 uid=0 gid=0 euid=0 suid=0 
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn" 
> exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
> 
> It seems to me that this denial makes complete sense, since OpenVPN 
> should not be reading users' files.
> 
> On the other hand, this NetworkManager configuration functionality 
> should allow users to use their own files -- that is, it seems users are 
> not required to be root and place files in /etc/openvpn.
> 
> Also, most users won't be knowledgeable enough to know how to change 
> file label -- and this would be error prone, if there was ever a full 
> relabel in the filesystem.
> 
> I'll be using all files in /etc/openvpn while this is not sorted out to 
> exercise NetworkManager.

What's the state of the openvpn_enable_homedirs boolean on your system?

# getsebool openvpn_enable_homedirs

Paul.
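Added example, not part of the thread: a small bash triage script that takes an AVC record like the one Pedro quoted plus the output of `getsebool openvpn_enable_homedirs`, confirms that the denial is openvpn_t reading a user_home_t file (the case that boolean governs), and prints the matching action. The sample AVC line is constructed from the quoted one; the `recommend`, `avc_field`, `ctx_type`, `boolean_state` and `is_openvpn_homedir_denial` function names are my own. Flipping the boolean with `setsebool -P` needs root on the SELinux host.

```shell
#!/bin/bash
# Added example: decide whether openvpn_enable_homedirs is the fix for an
# openvpn AVC denial. Sample record is constructed from the thread's AVC line.
SAMPLE_AVC='host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc: denied  { read } for  pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2 ino=2408465 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Print the value of a key=value field from an audit record ($1=key, $2=record).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Type component (third field) of an SELinux context user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed only when the record is openvpn_t being denied access to a
# user_home_t file: exactly what openvpn_enable_homedirs toggles.
is_openvpn_homedir_denial() {
    local line=$1 stype ttype
    stype=$(ctx_type "$(avc_field scontext "$line")")
    ttype=$(ctx_type "$(avc_field tcontext "$line")")
    [ "$stype" = openvpn_t ] && [ "$ttype" = user_home_t ] \
        && [ "$(avc_field tclass "$line")" = file ]
}

# Parse "openvpn_enable_homedirs --> off" (getsebool output) into on/off.
boolean_state() {
    printf '%s\n' "$1" | awk '{print $NF}'
}

# Print the next step for this denial given the current boolean state.
recommend() {
    local avc=$1 sebool=$2
    if ! is_openvpn_homedir_denial "$avc"; then
        echo "not an openvpn_t/user_home_t denial: inspect labels with ls -Z"
        return 1
    fi
    case "$(boolean_state "$sebool")" in
        off) echo "setsebool -P openvpn_enable_homedirs on" ;;
        on)  echo "boolean already on: check labels with ls -Z and restorecon -v" ;;
        *)   echo "unrecognised getsebool output"; return 2 ;;
    esac
}

# On a live SELinux host you would feed it real data, e.g.:
#   recommend "$(ausearch -m avc -c openvpn | tail -1)" "$(getsebool openvpn_enable_homedirs)"
recommend "$SAMPLE_AVC" "openvpn_enable_homedirs --> off"
```

The parser keys on the source and target types rather than on `comm="openvpn"`, because the boolean is scoped to the openvpn_t domain; a denial with the same comm but a different tcontext (say, a certificate that was copied under /etc and picked up etc_t) is a labelling problem, not a boolean problem, and the script says so instead of telling you to flip a boolean that will not help.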



