Fedora 8: NetworkManager, OpenVPN and SELinux
Christoph Höger
choeger at cs.tu-berlin.de
Thu Apr 10 08:56:16 UTC 2008
On Sunday, 06.04.2008, 20:11 -0300, Pedro Lamarão wrote:
> Hello all.
>
> I'm experimenting with a VPN connection set up through the
> NetworkManager panel applet.
>
> I have all certificate and key files stored in my home directory.
>
> Trying to start this VPN connection triggers an AVC DENIED.
>
> host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc:
> denied { read } for pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2
> ino=2408465 scontext=system_u:system_r:openvpn_t:s0
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>
> host=localhost.localdomain type=SYSCALL msg=audit(1207523029.36:66):
> arch=40000003 syscall=5 success=no exit=-13 a0=bfa7ef0b a1=8000 a2=1b6
> a3=8d23660 items=0 ppid=6396 pid=6400 auid=500 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn"
> exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
>
> It seems to me that this denial makes complete sense, since OpenVPN
> should not be reading users' files.
>
> On the other hand, this NetworkManager configuration functionality
> should allow users to use their own files -- that is, it seems users are
> not required to be root and place files in /etc/openvpn.
>
> Also, most users won't be knowledgeable enough to know how to change
> file labels -- and this would be error prone, if there was ever a full
> relabel in the filesystem.
>
> I'll be using all files in /etc/openvpn while this is not sorted out to
> exercise NetworkManager.
>
> --
> P.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Hi,
there is a special SELinux Boolean for that: openvpn_enable_homedirs
You can set this via setsebool or use the SELinux Manager.
Regards,
Christoph
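As an added example (not part of either message above), the script below reads an AVC denial like the one Pedro posted, checks whether it is the openvpn_t-reading-user_home_t case, and prints the setsebool command for the openvpn_enable_homedirs Boolean that Christoph names, so the fix survives a full relabel instead of depending on per-file labels. The audit line is constructed from the one quoted in the thread; the helper names are my own.

```shell
#!/bin/sh
# Added example: map an AVC denial to the SELinux Boolean that addresses it.
# Constructed from the denial quoted in the thread (not a live audit log).
SAMPLE_AVC='host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc: denied { read } for pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2 ino=2408465 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Print the value of "key=value" from an audit line ($1 = line, $2 = key).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print the SELinux type (third colon-separated field) of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "openvpn_enable_homedirs" when the denial is openvpn_t reading a
# file labelled user_home_t (the case in the thread), otherwise "unknown".
avc_suggest_boolean() {
    line=$1
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    if [ "$src" = openvpn_t ] && [ "$tgt" = user_home_t ] && [ "$cls" = file ]; then
        echo openvpn_enable_homedirs
    else
        echo unknown
    fi
}

# Print the command an administrator runs (as root) to enable a Boolean
# persistently; -P writes it to the policy store so it survives reboots.
# Nothing is executed here.
setsebool_cmd() {
    echo "setsebool -P $1 on"
}

bool=$(avc_suggest_boolean "$SAMPLE_AVC")
echo "denied: $(avc_field "$SAMPLE_AVC" comm) reading $(avc_field "$SAMPLE_AVC" name)"
echo "suggested Boolean: $bool"
[ "$bool" != unknown ] && setsebool_cmd "$bool"
```

Before changing anything, `getsebool openvpn_enable_homedirs` shows the current value; the audit line's tcontext tells you the Boolean applies only to files under the home-directory types, not to arbitrary labels.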