Fedora 8: NetworkManager, OpenVPN and SELinux

Pedro Lamarão pedro.lamarao at mndfck.org
Sun Apr 6 23:11:35 UTC 2008

Hello all.

I'm experimenting with a VPN connection set up through the 
NetworkManager panel applet.

I have all certificate and key files stored in my home directory.

Trying to start this VPN connection triggers an AVC DENIED.

host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc: 
denied  { read } for  pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2 
ino=2408465 scontext=system_u:system_r:openvpn_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1207523029.36:66): 
arch=40000003 syscall=5 success=no exit=-13 a0=bfa7ef0b a1=8000 a2=1b6 
a3=8d23660 items=0 ppid=6396 pid=6400 auid=500 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn" 
exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)

It seems to me that this denial makes complete sense, since OpenVPN 
should not be reading users' files.

On the other hand, this NetworkManager configuration functionality 
should allow users to use their own files -- that is, it seems users are 
not required to be root and place files in /etc/openvpn.

Also, most users won't be knowledgeable enough to know how to change the 
file label -- and this would be error prone, if there was ever a full 
relabel of the filesystem.

I'll be using all files in /etc/openvpn, while this is not sorted out, to 
exercise NetworkManager.
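The two audit records quoted in the message above can be triaged mechanically. The script below is an added example and is not part of the original post or of any Fedora tooling; it re-joins the wrapped AVC and SYSCALL lines into the one-line form auditd writes, parses the key=value fields, correlates the two records by their audit serial (the `:66` in `msg=audit(1207523029.36:66)`), prints the equivalent allow rule in the form audit2allow would suggest, and flags the case the message is really about: a confined system domain (`openvpn_t`) being denied access to a home-directory type (`user_home_t`), where simply adding the allow rule would let the daemon read every user's files and where moving the certificates to the daemon's own configuration directory is the safer fix. The sample input is constructed from the message's own lines; the `touches_home` heuristic (any target type starting with `user_home`) is an assumption of this example, not policy.

```python
import re

# Constructed sample: the AVC and SYSCALL records from the message, each
# re-joined onto a single line as the audit daemon actually writes them.
SAMPLE_AUDIT = """\
host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc: denied  { read } for  pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2 ino=2408465 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1207523029.36:66): arch=40000003 syscall=5 success=no exit=-13 a0=bfa7ef0b a1=8000 a2=1b6 a3=8d23660 items=0 ppid=6396 pid=6400 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="openvpn") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def kv(text):
    """Turn 'a=1 b="x y"' into {'a': '1', 'b': 'x y'}."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_avc(line):
    """Parse one AVC record; return None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = kv(m.group('rest'))
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': f.get('comm'),
        'name': f.get('name'),
        'tclass': f.get('tclass'),
        # A context is user:role:type:level; the type is what policy rules use.
        'source_type': f['scontext'].split(':')[2],
        'target_type': f['tcontext'].split(':')[2],
    }


def parse_syscall(line):
    """Parse one SYSCALL record; keeps the fields useful for triage."""
    m = SYSCALL_RE.search(line)
    if not m:
        return None
    f = kv(m.group('rest'))
    return {
        'serial': int(m.group('serial')),
        'exe': f.get('exe'),
        'exit': int(f['exit']),   # -13 is -EACCES
        'auid': int(f['auid']),   # login uid: who really drove this
        'uid': int(f['uid']),     # effective uid of the denied process
    }


def allow_rule(avc):
    """Render the rule audit2allow would propose for this denial."""
    perms = avc['perms']
    perm_txt = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (
        avc['source_type'], avc['target_type'], avc['tclass'], perm_txt)


def triage(audit_text):
    """Correlate AVC and SYSCALL records by serial and summarise each denial."""
    avcs, syscalls = [], {}
    for line in audit_text.splitlines():
        a = parse_avc(line)
        if a:
            avcs.append(a)
            continue
        s = parse_syscall(line)
        if s:
            syscalls[s['serial']] = s
    findings = []
    for a in avcs:
        s = syscalls.get(a['serial'], {})
        findings.append({
            'serial': a['serial'],
            'rule': allow_rule(a),
            'exe': s.get('exe'),
            'auid': s.get('auid'),
            'file': a['name'],
            # Assumption of this example: a system domain reaching into
            # user_home_* types is worth a human look before any allow is added.
            'touches_home': a['target_type'].startswith('user_home'),
        })
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_AUDIT):
        print('serial %d: %s (exe=%s auid=%s file=%s)' % (
            f['serial'], f['rule'], f['exe'], f['auid'], f['file']))
        if f['touches_home']:
            print('  note: confined daemon denied on home-directory content; '
                  'prefer relocating the file over a blanket allow rule')
```

Running the script over the constructed sample prints the single rule `allow openvpn_t user_home_t:file read;` together with the home-directory note; on a real `/var/log/audit/audit.log` the serial correlation is what lets you attach the `auid` (500 here, the logged-in user) and `exe` to an AVC that on its own only names `comm="openvpn"`.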


More information about the fedora-selinux-list mailing list