Fedora 8: NetworkManager, OpenVPN and SELinux
Paul Howarth
paul at city-fan.org
Mon Apr 7 09:12:40 UTC 2008
Pedro Lamarão wrote:
> Hello all.
>
> I'm experimenting with a VPN connection set up through the
> NetworkManager panel applet.
>
> I have all certificate and key files stored in my home directory.
>
> Trying to start this VPN connection triggers an AVC DENIED.
>
> host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc:
> denied { read } for pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2
> ino=2408465 scontext=system_u:system_r:openvpn_t:s0
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>
> host=localhost.localdomain type=SYSCALL msg=audit(1207523029.36:66):
> arch=40000003 syscall=5 success=no exit=-13 a0=bfa7ef0b a1=8000 a2=1b6
> a3=8d23660 items=0 ppid=6396 pid=6400 auid=500 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn"
> exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
>
> It seems to me that this denial makes complete sense, since OpenVPN
> should not be reading users' files.
>
> On the other hand, this NetworkManager configuration functionality
> should allow users to use their own files -- that is, it seems users are
> not required to be root and place files in /etc/openvpn.
>
> Also, most users won't be knowledgeable enough to know how to change a
> file's label -- and this would be error prone, if there was ever a full
> relabel of the filesystem.
>
> I'll be using all files in /etc/openvpn while this is not sorted out to
> exercise NetworkManager.
What's the state of the openvpn_enable_homedirs boolean on your system?
# getsebool openvpn_enable_homedirs
Paul.
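As an added example, not code from this thread or from Fedora's own tooling: a small triage helper that parses an AVC record in the form Pedro quoted and reports whether the openvpn_enable_homedirs boolean Paul asks about would cover the denial (an openvpn_t process reading user_home_t content). The mapping from openvpn_t to that boolean is an assumption taken from this thread, and the sample record is the thread's own denial embedded as constructed input.

```python
import re

# Constructed sample: the AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc: '
    'denied { read } for pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2 '
    'ino=2408465 scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
)

# Matches 'avc: denied { perm ... } for key=value ...'
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')

# Assumption from this thread: openvpn_enable_homedirs is the boolean that lets
# openvpn_t read user home content. Extend the table for other confined daemons.
HOMEDIR_BOOLEANS = {'openvpn_t': 'openvpn_enable_homedirs'}
HOME_TYPES = {'user_home_t'}  # the label on Pedro's files in the quoted record


def parse_avc(line):
    """Parse one 'avc: denied' record; return None for non-AVC lines (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs; values may be double-quoted (comm="openvpn", name="pedro.crt")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields'))
    rec = {k: v.strip('"') for k, v in pairs}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is the third component.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def suggest(rec):
    """Name the boolean that would permit this denial, or None if none in the table applies."""
    if rec is None:
        return None
    if rec['ttype'] in HOME_TYPES and rec['stype'] in HOMEDIR_BOOLEANS:
        return HOMEDIR_BOOLEANS[rec['stype']]
    return None


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    boolean = suggest(rec)
    print(f"{rec['comm']} ({rec['stype']}) denied {rec['perms']} on "
          f"{rec['name']} ({rec['ttype']})")
    if boolean:
        print(f"check: getsebool {boolean}   enable: setsebool -P {boolean} on")
    else:
        print("no known boolean covers this; relabel the file or adjust policy")
```

Feeding the daemon's audit.log lines through parse_avc and suggest separates denials a boolean flips from ones that need a relabel or a policy change.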