There is a conflict between SELinux and openVPN connection!

asked 2013-09-09 14:49:43 -0600

nonrea
138 ●4 ●8 ●13

updated 2014-09-28 08:53:18 -0600

mether
7061 ●43 ●67 ●111 https://fedoraproject....

openVPN does not work when selinux is enable; Gnome responds: Activation of network connection failed!? When I click to connect via openVPN, Instantly, Gnome shows above error at the bottom of the desktop.

If I run setenforce 0 as root, then I can connect via openVPN. How should I solve this conflict between openVPN and SELinux permanently?

EDIT: https://ask.fedoraproject.org/upfiles/13787874288142176.png (open this image in your browser)

There is five buttons: Troubleshoot, NotifyAdmin, Details, Ignore, Delete. Here is its details:

SELinux is preventing /usr/sbin/openvpn from open access on the file ~/openvpn_folder/client.crt.
*****  Plugin openvpn (47.5 confidence) suggests  ****************************
If you want to mv client.crt to standard location so that openvpn can have open access. Then you must move the cert file to the ~/.cert directory
Do
# mv ~/openvpn_folder/client.crt ~/.cert
# restorecon -R -v ~/.cert
*****  Plugin openvpn (47.5 confidence) suggests  ****************************
If you want to modify the label on client.crt so that openvpn can have open access on it. Then you must fix it.
Do
# semanage fcontext -a -t home_cert_t ~/openvpn_folder/client.crt
# restorecon -R -v ~/openvpn_folder/client.crt
*****  Plugin catchall (6.38 confidence) suggests  ***************************
If you believe that openvpn should be allowed open access on the client.crt file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                ~/openvpn_folder/client.crt [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           openvpn-2.3.2-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.1.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.9.8-300.fc19.x86_64
                              #1 SMP Thu Jun 27 19:24:23 UTC 2013 x86_64 x86_64
Alert Count                   29
First Seen                    2013-09-09 11:50:50 IRDT
Last Seen                     2013-09-10 08:59:38 IRDT

edit retag flag offensive close merge delete

Comments

Just tried this on Fedora 25, worked perfect. Thank you.

jawse ( 2017-06-21 14:20:49 -0600 )edit

add a comment

4

answered 2013-09-10 00:02:34 -0600

nonrea
138 ●4 ●8 ●13

updated 2013-09-10 00:02:54 -0600

More info added; Now. It's working. I run this command: mkdir ~/.cert ; mv ~/*.crt ~/.cert ; restorecon -R -v ~/.cert , But I'd like to know what did restorecon do?!

edit flag offensive delete link

Comments

1

This works because by default, files created in ~/.cert are labeled as home_cert_t . Because the files were created elsewhere, they inherited a different context. After they are moved to ~/.cert/, restorecon simply applies the default label for that path.

randomuser ( 2014-06-03 00:13:43 -0600 )edit

I ran the commands to move the certificate and it still doesnt work.. .times out...

I have created a VM with the latest Mint, imported my VPN config and it worked first time!

Im going nuts with this... can someone shed some light here? Are there any logs I can check to see hwere its failing?

layertwo ( 2016-03-11 02:21:44 -0600 )edit

I'm using Fedora 23 and the above worked for me with a change. The nice thing is you don't have to disable SELINUX. To reiterate the steps:

Create the hidden directory .cert in your home directory. This directory has a special context within SELINUX: mkdir ~/.cert
Use copy (cp) not move for your VPN, .crt and .key files to preserve ownership: cp *.crt ~/.cert and
cp *.key ~/.cert
Make sure files have necessary read permission for root: cd ~/.cert and chmod o+r *
Restore the SELINUX context: cd and
restorecon -R -v ~/.cert

deaddrift ( 2016-03-17 10:51:48 -0600 )edit

thanks for this. Still doesnt work... just sits there trying to connect until it timesout. The same happens for L2TP. Its weird.

On my destination gateway, I can see that it tries to establish a sessiopn (actually a lot of them) the username shows as UNDEF Then it timesout.

I am adamant my gateway and config file are fine as they work first time on other operating system...

Many thanks

layertwo ( 2016-03-18 01:28:15 -0600 )edit

Have you looked at your System Log for messages. That's how I figured out my problem. I'm on a KDE desktop and have a KsystemLog gui tool. I'd expect there is a similar tool on gnome.

Filter the records for the word: openvpn, select all, copy to text editor to view. Then filter for: networkmanager (one word) and do the same. You can read the records better in the editor. Look for errors or clues where things are not working.

What does:ls -Zal show for your ~/.cert directory?

deaddrift ( 2016-03-20 14:52:40 -0600 )edit

add a comment

4

answered 2013-09-09 16:30:43 -0600

sideburns
7723 ●18 ●101 ●146

Make sure that the SELinux troubleshooter, sealert, is installed and is included in your startup programs. Then, when something like this happens, you'll see the icon for it in your Notifications area. Click on it and you'll get the details, including both an option to report this as a bug and instructions on how to tell SELinux to allow this in the future. (If needed, of course, you can always do both.) If you're not sure what to do, edit your question here to show the SELinux denial message and we'll tell you what we'd do if it were our machine.

edit flag offensive delete link

add a comment

3

answered 2014-06-02 16:54:25 -0600

rmariuzzo
71 ●1 ●3 ●9

To fix this run the following commands as root (replace <your-username> with you real username):

semanage fcontext -a -t home_cert_t /home/<your-username>/openvpn_folder/client.crt

After that try again. It is possible you will see similar problem regarding other files such as *.key and/or *.crt. _You should run the same command for any of those file._

Happy VPNing!