
There is a conflict between SELinux and openVPN connection!

asked 2013-09-09 14:49:43 -0600

nonrea

updated 2014-09-28 08:53:18 -0600

mether

openVPN does not work when SELinux is enabled; Gnome responds: Activation of network connection failed! When I click to connect via openVPN, Gnome instantly shows the above error at the bottom of the desktop.

If I run setenforce 0 as root, then I can connect via openVPN. How should I solve this conflict between openVPN and SELinux permanently?


EDIT: https://ask.fedoraproject.org/upfiles/13787874288142176.png (open this image in your browser)

There are five buttons: Troubleshoot, NotifyAdmin, Details, Ignore, Delete. Here are its details:

SELinux is preventing /usr/sbin/openvpn from open access on the file ~/openvpn_folder/client.crt.
*****  Plugin openvpn (47.5 confidence) suggests  ****************************
If you want to mv client.crt to standard location so that openvpn can have open access. Then you must move the cert file to the ~/.cert directory
Do
# mv ~/openvpn_folder/client.crt ~/.cert
# restorecon -R -v ~/.cert
*****  Plugin openvpn (47.5 confidence) suggests  ****************************
If you want to modify the label on client.crt so that openvpn can have open access on it. Then you must fix it.
Do
# semanage fcontext -a -t home_cert_t ~/openvpn_folder/client.crt
# restorecon -R -v ~/openvpn_folder/client.crt
*****  Plugin catchall (6.38 confidence) suggests  ***************************
If you believe that openvpn should be allowed open access on the client.crt file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                ~/openvpn_folder/client.crt [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           openvpn-2.3.2-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.1.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.9.8-300.fc19.x86_64
                              #1 SMP Thu Jun 27 19:24:23 UTC 2013 x86_64 x86_64
Alert Count                   29
First Seen                    2013-09-09 11:50:50 IRDT
Last Seen                     2013-09-10 08:59:38 IRDT

Comments

Just tried this on Fedora 25, worked perfect. Thank you.

jawse ( 2017-06-21 14:20:49 -0600 )

4 Answers

4

answered 2013-09-10 00:02:34 -0600

nonrea

updated 2013-09-10 00:02:54 -0600

More info added; now it's working. I ran this command: mkdir ~/.cert ; mv ~/*.crt ~/.cert ; restorecon -R -v ~/.cert, but I'd like to know what restorecon did.


Comments

1

This works because by default, files created in ~/.cert are labeled as home_cert_t . Because the files were created elsewhere, they inherited a different context. After they are moved to ~/.cert/, restorecon simply applies the default label for that path.

randomuser ( 2014-06-03 00:13:43 -0600 )

I ran the commands to move the certificate and it still doesn't work... times out...

I have created a VM with the latest Mint, imported my VPN config and it worked first time!

I'm going nuts with this... can someone shed some light here? Are there any logs I can check to see where it's failing?

layertwo ( 2016-03-11 02:21:44 -0600 )

I'm using Fedora 23 and the above worked for me with a change. The nice thing is you don't have to disable SELinux. To reiterate the steps:

  • Create the hidden directory .cert in your home directory. This directory has a special context within SELinux: mkdir ~/.cert
  • Use copy (cp), not move, for your VPN .crt and .key files to preserve ownership: cp *.crt ~/.cert and
    cp *.key ~/.cert
  • Make sure the files have the necessary read permission for root: cd ~/.cert and chmod o+r *
  • Restore the SELinux context: cd and
    restorecon -R -v ~/.cert
deaddrift ( 2016-03-17 10:51:48 -0600 )

Thanks for this. Still doesn't work... just sits there trying to connect until it times out. The same happens for L2TP. It's weird.

On my destination gateway, I can see that it tries to establish a session (actually a lot of them); the username shows as UNDEF, then it times out.

I am adamant my gateway and config file are fine as they work first time on other operating system...

Many thanks

layertwo ( 2016-03-18 01:28:15 -0600 )

Have you looked at your System Log for messages? That's how I figured out my problem. I'm on a KDE desktop and have the KSystemLog GUI tool. I'd expect there is a similar tool on Gnome.

Filter the records for the word: openvpn, select all, copy to text editor to view. Then filter for: networkmanager (one word) and do the same. You can read the records better in the editor. Look for errors or clues where things are not working.

What does ls -Zal show for your ~/.cert directory?

deaddrift ( 2016-03-20 14:52:40 -0600 )
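The denial sealert summarised in the question (openvpn_t trying to open a user_home_t file) is what the last few comments are asking how to find in the logs. As an added example, not code from any post on this page, here is a small POSIX shell script that pulls openvpn AVC denials out of audit.log-style lines and reports whether the target label is the home_cert_t that files under ~/.cert are supposed to carry; the sample audit lines, the /home/user paths and the function names are constructed.

```shell
#!/bin/sh
# Constructed sample audit.log lines (not taken from the original post):
# two AVC denials for openvpn plus an unrelated SYSCALL record.
SAMPLE_AUDIT='type=AVC msg=audit(1378731050.123:456): avc:  denied  { open } for  pid=1234 comm="openvpn" path="/home/user/openvpn_folder/client.crt" dev="dm-1" ino=9876 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1378731050.123:456): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1378731060.456:457): avc:  denied  { read } for  pid=1234 comm="openvpn" path="/home/user/openvpn_folder/client.key" dev="dm-1" ino=9877 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Read audit lines on stdin and print one "perm path source_type target_type"
# line per AVC denial for the given command (default: openvpn).
avc_denials() {
    comm="${1:-openvpn}"
    grep 'type=AVC' | grep "comm=\"$comm\"" | awk '{
        perm=""; path=""; s=""; t="";
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i+1);                       # permission inside { }
            if ($i ~ /^path=/)     { path = $i; sub(/^path="/, "", path); sub(/"$/, "", path) }
            if ($i ~ /^scontext=/) { s = $i; sub(/^scontext=/, "", s); split(s, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { t = $i; sub(/^tcontext=/, "", t); split(t, a, ":"); t = a[3] }
        }
        print perm, path, s, t
    }'
}

# For each denial, say what the label tells you. A user_home_t target means the
# file either lives outside ~/.cert or has not been relabelled yet; home_cert_t
# means labelling is already right and DAC permissions are the next suspect.
suggest_fix() {
    while read -r perm path stype ttype; do
        case "$ttype" in
            user_home_t) echo "$path: $stype denied $perm on $ttype; move it into ~/.cert and run restorecon -R -v ~/.cert, or: semanage fcontext -a -t home_cert_t '$path' && restorecon -v '$path'" ;;
            home_cert_t) echo "$path: already home_cert_t; check ownership and mode with ls -Zal instead of the label" ;;
            *)           echo "$path: $stype denied $perm on $ttype; no labelling rule known here" ;;
        esac
    done
}

# Number of openvpn denials in the constructed sample (used as a check).
count_denials() { printf '%s\n' "$SAMPLE_AUDIT" | avc_denials openvpn | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_AUDIT" | avc_denials openvpn | suggest_fix
```

On a real system the input would be `grep openvpn /var/log/audit/audit.log` (or `ausearch -c openvpn`) instead of the constructed sample.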
4

answered 2013-09-09 16:30:43 -0600

sideburns

Make sure that the SELinux troubleshooter, sealert, is installed and is included in your startup programs. Then, when something like this happens, you'll see the icon for it in your Notifications area. Click on it and you'll get the details, including both an option to report this as a bug and instructions on how to tell SELinux to allow this in the future. (If needed, of course, you can always do both.) If you're not sure what to do, edit your question here to show the SELinux denial message and we'll tell you what we'd do if it were our machine.

3

answered 2014-06-02 16:54:25 -0600

rmariuzzo

To fix this, run the following command as root (replace <your-username> with your real username):

semanage fcontext -a -t home_cert_t /home/<your-username>/openvpn_folder/client.crt

After that, try again. It is possible you will see a similar problem regarding other files such as *.key and/or *.crt. _You should run the same command for each of those files._

Happy VPNing!

2

answered 2013-09-09 15:30:50 -0600

Jann5s

There are some bug reports regarding this topic at bugzilla.redhat.com; maybe there is a solution there.

