Ask Your Question

OpenVPN AVC denied on user certificate

asked 2015-12-11 06:08:03 -0500

shimon001 gravatar image

updated 2015-12-17 18:24:29 -0500

mether gravatar image

Hi all, I have created my OpenVPN configuration following my .ovpn file (from my previous OS). However, I am unable to connect through my VPN.

I have checked the audit.log (/var/log/audit/audit.log) and found following message:

type=AVC msg=audit(1449834746.381:764): avc:  denied  { open } for  pid=15599 comm="openvpn" path="/home/USERNAME/Documents/USER_CERTIFICATE.crt" dev="dm-5" ino=10226747 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

The path to the certificate is correct. Permissions to this file are set to:


What is the right way to use user certificate file so that SELinux doesn't deny access to it?

Thanks, shimon

edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted

answered 2015-12-11 11:25:22 -0500

florian gravatar image

updated 2015-12-18 21:38:00 -0500


You will have to change the location of your certificates. SELinux requires them to be placed in /home/USERNAME/.cert or ~/.cert. .cert is a hidden folder in your home directory. Just place all you certificates there and adjust the .opvn file.

edit flag offensive delete link more



Note that you should copy the files there, not move them - or use restorecon. mv carries the existing labels, cp inherits the target labels. @Florian - a quick test on my system shows a new test file in a new ~/.certs to be labeled user_home_t - any references for your answer?

randomuser gravatar imagerandomuser ( 2015-12-12 09:29:46 -0500 )edit

Hi @Florian, thanks for your reply. I have tried this step as well but with no success. I tried to turn off the SELinux and voila - OpenVPN works just fine. I know that it's for sure not the recommended approach. But I spent a lot of time trying to debug this problem with no success.

shimon001 gravatar imageshimon001 ( 2015-12-15 03:03:33 -0500 )edit

@shimon001 : Sorry, I messed up the name of the directory (already corrected in my answer): it is .cert, and not .certs.

florian gravatar imageflorian ( 2015-12-18 21:41:54 -0500 )edit

@randomuser: Sorry, I may not understand your comment correctly: Content of my ~/.cert looks like this: hu-ca.crt, hu-ta.key

florian gravatar imageflorian ( 2015-12-19 10:54:53 -0500 )edit

answered 2015-12-15 08:28:54 -0500

[ ~]$ apropos openvpn
openvpn (8)          - secure IP tunnel daemon.
openvpn_selinux (8)  - Security Enhanced Linux Policy for the openvpn processes
openvpn_unconfined_script_selinux (8) - Security Enhanced Linux Policy for the openvpn_unconfined_script processes
[ ~]$ man openvpn_selinux
[ ~]$ sudo semanage fcontext -l|grep vpn
[sudo] password for 
/etc/openvpn(/.*)?                                 all files          system_u:object_r:openvpn_etc_t:s0 
/etc/openvpn/ipp\.txt                              regular file       system_u:object_r:openvpn_etc_rw_t:s0 
/etc/openvpn/scripts(/.*)?                         all files          system_u:object_r:openvpn_unconfined_script_exec_t:s0 
/etc/rc\.d/init\.d/openvpn                         regular file       system_u:object_r:openvpn_initrc_exec_t:s0 
/opt/cisco-vpnclient/lib/libvpnapi\.so             regular file       system_u:object_r:textrel_shlib_t:s0 
/sbin/vpnc                                         regular file       system_u:object_r:vpnc_exec_t:s0 
/usr/bin/openconnect                               regular file       system_u:object_r:vpnc_exec_t:s0 
/usr/sbin/openvpn                                  regular file       system_u:object_r:openvpn_exec_t:s0 
/usr/sbin/vpnc                                     regular file       system_u:object_r:vpnc_exec_t:s0 
/usr/share/munin/plugins/openvpn                   regular file       system_u:object_r:services_munin_plugin_exec_t:s0 
/var/lib/openvpn(/.*)?                             all files          system_u:object_r:openvpn_var_lib_t:s0 
/var/log/openvpn-status\.log.*                     regular file       system_u:object_r:openvpn_status_t:s0 
/var/log/openvpn.*                                 all files          system_u:object_r:openvpn_var_log_t:s0 
/var/run/openvpn(/.*)?                             all files          system_u:object_r:openvpn_var_run_t:s0 
/var/run/openvpn\.client.*                         regular file       system_u:object_r:openvpn_var_run_t:s0 
/var/run/vpnc(/.*)?                                all files          system_u:object_r:vpnc_var_run_t:s0

Try copying the cert into /etc/openvpn/.

edit flag offensive delete link more

answered 2015-12-18 04:00:24 -0500

PastorDi gravatar image

I also have .ovpn file. I took the data for the certificate, key, and etc. and cut in Kwrite and created 3 file with the .ca, .key, .cert Then copied to the folder /etc/openvpn/ and that's it. Then just set up a connection. After, step by step in pictures:

edit flag offensive delete link more

Question Tools

1 follower


Asked: 2015-12-11 06:08:03 -0500

Seen: 1,863 times

Last updated: Dec 18 '15