Fedora 8: NetworkManager, OpenVPN and SELinux

Christoph Höger choeger at cs.tu-berlin.de
Thu Apr 10 08:56:16 UTC 2008

On Sunday, 06.04.2008, 20:11 -0300, Pedro Lamarão wrote:
> Hello all.
> I'm experimenting with a VPN connection set up through the 
> NetworkManager panel applet.
> I have all certificate and key files stored in my home directory.
> Trying to start this VPN connection triggers an AVC DENIED.
> host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc: 
> denied  { read } for  pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2 
> ino=2408465 scontext=system_u:system_r:openvpn_t:s0 
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> host=localhost.localdomain type=SYSCALL msg=audit(1207523029.36:66): 
> arch=40000003 syscall=5 success=no exit=-13 a0=bfa7ef0b a1=8000 a2=1b6 
> a3=8d23660 items=0 ppid=6396 pid=6400 auid=500 uid=0 gid=0 euid=0 suid=0 
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn" 
> exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
> It seems to me that this denial makes complete sense, since OpenVPN 
> should not be reading users' files.
> On the other hand, this NetworkManager configuration functionality 
> should allow users to use their own files -- that is, it seems users are 
> not required to be root and place files in /etc/openvpn.
> Also, most users won't be knowledgeable enough to know how to change 
> file label -- and this would be error prone, if there was ever a full 
> relabel in the filesystem.
> I'll be using all files in /etc/openvpn while this is not sorted out to 
> exercise NetworkManager.
> --
>   P.
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


There is a special SELinux Boolean for that: openvpn_enable_homedirs.
You can set this via setsebool or use the SELinux Manager.
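As an added example (not part of either message in this thread), the POSIX shell script below pulls the fields that matter out of an AVC record shaped like the one quoted above (permission, comm, file name, source and target types) and, for the openvpn_t reading user_home_t case, names the Boolean that resolves it. The sample record is constructed from the quoted denial; the script assumes only sed and cut, and prints the setsebool command rather than running it unless invoked with --apply.

```shell
#!/bin/sh
# Added example, not from the original thread. Parses an SELinux AVC record
# and maps the openvpn_t -> user_home_t denial to openvpn_enable_homedirs.

# Constructed sample, modelled on the AVC record quoted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1207523029.36:66): avc: denied  { read } for  pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2 ino=2408465 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of KEY=value (quotes stripped).
# A leading space is added so a key at the start of the record also matches.
avc_field() {
    printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm RECORD: print the permission(s) inside "{ ... }", e.g. "read".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: third field of user:role:type:level, e.g. openvpn_t.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_suggest RECORD: name the Boolean covering this source/target pair,
# or "no-known-boolean" for pairs this script does not handle.
avc_suggest() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    case "$src:$tgt" in
        openvpn_t:user_home_t) echo openvpn_enable_homedirs ;;
        *) echo no-known-boolean ;;
    esac
}

# apply_fix BOOLEAN: show the current value and enable it persistently.
# Only called with --apply, since it needs root and a live SELinux policy.
apply_fix() {
    getsebool "$1"
    setsebool -P "$1" on
}

main() {
    bool=$(avc_suggest "$SAMPLE_AVC")
    echo "comm=$(avc_field "$SAMPLE_AVC" comm) perm=$(avc_perm "$SAMPLE_AVC") file=$(avc_field "$SAMPLE_AVC" name)"
    echo "source type=$(ctx_type "$(avc_field "$SAMPLE_AVC" scontext)") target type=$(ctx_type "$(avc_field "$SAMPLE_AVC" tcontext)")"
    echo "suggested boolean: $bool"
    if [ "$bool" != no-known-boolean ]; then
        if [ "${1:-}" = --apply ]; then
            apply_fix "$bool"
        else
            echo "to fix persistently, run as root: setsebool -P $bool on"
        fi
    fi
}

main "$@"
```

Run it without arguments to see what the denial says and which Boolean applies; `--apply` runs `setsebool -P` and so needs root on an SELinux host. Keeping the user's certificate and key in the home directory and flipping the Boolean is narrower than moving the files to /etc/openvpn, because the policy still confines openvpn_t to the home-directory types rather than granting it arbitrary access.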
