Linux – SELinux and OpenVPN

openvpnselinux

Having Fedora 20 64-bit installed, I have this old problem of conflicting OpenVPN and SELinux. Obviously SELinux prevents openvpn from launching.

The OpenVPN has been set through Network Connection and I have three files:

user certificate as: cer.pem
CA certificate as: ca.pem
Private key as: key.pem

Some solutions say that I should move certificate files in to ~/.cert and then run:

$ sudo restorecon -R -v ~/.cert

And then SELinux will allow the access to the certificates.

BUT, before I launch openvpn, I had saved these certificates in Documents/certificates folder. Of course when I execute:

$ mv ~/Documents/certificates/cer.pem ~/.cert

The file will be moved to ~/.cert and in Network Connections there would be no certificates.

I've tried to use cp instead of mv but that did not help and still I have this old problem of conflict.

Best Answer

SELinux is disallowing the openvpn executable from accessing files on the filesystem in a specific location. Your best friend for dealing with these is to use the SELinux troubleshooter GUI.

$ sealert -b

ss#1

You'll then want to follow the advice to add the necessary contexts to your filesystem to appease SELinux.

ss #2

NOTE: In the above example I've selected the 2nd option and will run the commands semanage and restorecon as described to fix my issue here. You'll need to do the same for your openvpn issue. It should be identical to what I'm showing in the screenshots.

To fix the issue I ran these commands:

$ sudo semanage fcontext -a -t home_cert_t /home/slm/somedom.com.ca.crt
$ sudo restorecon -R -v /home/slm/somedom.com.ca.crt

References

Related Solutions

selinux – SELinux Re-labeling Problem When Running OpenVPN

I don't have a Fedora system right now to check with, but now that I'm reading this some time later "openvpn" as a name seems kind of generic. To the point where it's possible that the OpenVPN package itself might have a module named that for the type information that it adds when it gets installed. Does this still happen if you give the module a different name? Like openvpn-tun or something?

I'm not 100% sure on the nitty-gritty details (this is basically just a wild guess) but it seems like it would create a conflict if the two modules had the same name. Especially if one module depended on information that was in the other.

EDIT:

Finally got home. Looks like there is a native SELinux module with that name:

[root@localhost test]# cat /etc/fedora-release 
Fedora release 18 (Spherical Cow)
[root@localhost test]# semodule -l | grep openvpn
openvpn 1.11.0

But it looks like I was wrong about how SELinux on Fedora works. It looks like it all comes in under a single policy package for the entire distribution:

[root@localhost modules]# pwd
/etc/selinux/targeted/modules/active/modules
[root@localhost modules]# ls -lh openvpn.pp
-rw-r--r--. 1 root root 12K Jun 27 08:59 openvpn.pp
[root@localhost modules]# rpm -qf $PWD/openvpn.pp
selinux-policy-targeted-3.11.1-98.fc18.noarch

Linux – SELinux not allowing read files on ~/.cert

Target context type of the files is still wrong:

svirt_sandbox_file_t

The files in ~/.cert should be labeled as home_cert_t. Give it a try once more with

restorecon -Rf ~/.cert

or try to force the type:

chcon -t home_cert_t ~/.cert/*

It might be possible that there is some bug in selinux-policy or docker selinux policy that causes wrong default labeling.

Best Answer

References

Related Solutions

selinux – SELinux Re-labeling Problem When Running OpenVPN

Linux – SELinux not allowing read files on ~/.cert

Related Question