
OpenVPN AVC denied on user certificate

asked 2015-12-11 06:08:03 -0500 by shimon001

updated 2015-12-17 18:24:29 -0500 by mether

Hi all, I have created my OpenVPN configuration following my .ovpn file (from my previous OS). However, I am unable to connect through my VPN.

I have checked the audit.log (/var/log/audit/audit.log) and found following message:

type=AVC msg=audit(1449834746.381:764): avc:  denied  { open } for  pid=15599 comm="openvpn" path="/home/USERNAME/Documents/USER_CERTIFICATE.crt" dev="dm-5" ino=10226747 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

The path to the certificate is correct. Permissions to this file are set to:

-rwx------.

What is the right way to use user certificate file so that SELinux doesn't deny access to it?

Thanks, shimon


3 Answers

1

answered 2015-12-11 11:25:22 -0500 by florian

updated 2015-12-18 21:38:00 -0500

Hi,

You will have to change the location of your certificates. SELinux requires them to be placed in /home/USERNAME/.cert or ~/.cert. .cert is a hidden folder in your home directory. Just place all your certificates there and adjust the .ovpn file.


Comments

1

Note that you should copy the files there, not move them - or use restorecon. mv carries the existing labels, cp inherits the target labels. @Florian - a quick test on my system shows a new test file in a new ~/.certs to be labeled user_home_t - any references for your answer?

randomuser ( 2015-12-12 09:29:46 -0500 )

Hi @Florian, thanks for your reply. I have tried this step as well but with no success. I tried to turn off SELinux and voila - OpenVPN works just fine. I know that it's for sure not the recommended approach. But I spent a lot of time trying to debug this problem with no success.

shimon001 ( 2015-12-15 03:03:33 -0500 )

@shimon001 : Sorry, I messed up the name of the directory (already corrected in my answer): it is .cert, and not .certs.

florian ( 2015-12-18 21:41:54 -0500 )

@randomuser: Sorry, I may not understand your comment correctly: Content of my ~/.cert looks like this: hu-ca.crt, hu-ta.key

florian ( 2015-12-19 10:54:53 -0500 )
1

answered 2015-12-15 08:28:54 -0500

[pete@randomuser.org@ruminant ~]$ apropos openvpn
openvpn (8)          - secure IP tunnel daemon.
openvpn_selinux (8)  - Security Enhanced Linux Policy for the openvpn processes
openvpn_unconfined_script_selinux (8) - Security Enhanced Linux Policy for the openvpn_unconfined_script processes
[pete@randomuser.org@ruminant ~]$ man openvpn_selinux
[pete@randomuser.org@ruminant ~]$ sudo semanage fcontext -l|grep vpn
[sudo] password for pete@randomuser.org: 
/etc/openvpn(/.*)?                                 all files          system_u:object_r:openvpn_etc_t:s0 
/etc/openvpn/ipp\.txt                              regular file       system_u:object_r:openvpn_etc_rw_t:s0 
/etc/openvpn/scripts(/.*)?                         all files          system_u:object_r:openvpn_unconfined_script_exec_t:s0 
/etc/rc\.d/init\.d/openvpn                         regular file       system_u:object_r:openvpn_initrc_exec_t:s0 
/opt/cisco-vpnclient/lib/libvpnapi\.so             regular file       system_u:object_r:textrel_shlib_t:s0 
/sbin/vpnc                                         regular file       system_u:object_r:vpnc_exec_t:s0 
/usr/bin/openconnect                               regular file       system_u:object_r:vpnc_exec_t:s0 
/usr/sbin/openvpn                                  regular file       system_u:object_r:openvpn_exec_t:s0 
/usr/sbin/vpnc                                     regular file       system_u:object_r:vpnc_exec_t:s0 
/usr/share/munin/plugins/openvpn                   regular file       system_u:object_r:services_munin_plugin_exec_t:s0 
/var/lib/openvpn(/.*)?                             all files          system_u:object_r:openvpn_var_lib_t:s0 
/var/log/openvpn-status\.log.*                     regular file       system_u:object_r:openvpn_status_t:s0 
/var/log/openvpn.*                                 all files          system_u:object_r:openvpn_var_log_t:s0 
/var/run/openvpn(/.*)?                             all files          system_u:object_r:openvpn_var_run_t:s0 
/var/run/openvpn\.client.*                         regular file       system_u:object_r:openvpn_var_run_t:s0 
/var/run/vpnc(/.*)?                                all files          system_u:object_r:vpnc_var_run_t:s0

Try copying the cert into /etc/openvpn/.
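An added example, not code from this thread: it triages the AVC record quoted in the question, confirming that openvpn_t was denied on a user_home_t file, and prints the copy-and-restorecon moves the answers and comments describe. openvpn_etc_t for /etc/openvpn is taken from the semanage listing above; the home_cert_t label for ~/.cert comes from the openvpn SELinux policy rather than from this page.

```python
"""Triage an SELinux AVC denial for an OpenVPN certificate file."""
import re

# AVC records are space-separated key=value pairs; values may be double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")

# Default labels OpenVPN may read: openvpn_etc_t is from the semanage listing
# above; home_cert_t for ~/.cert comes from the openvpn policy (not this page).
CERT_LOCATIONS = {"/etc/openvpn": "openvpn_etc_t", "~/.cert": "home_cert_t"}

# The denial quoted in the question.
SAMPLE = ('type=AVC msg=audit(1449834746.381:764): avc:  denied  { open } for  '
          'pid=15599 comm="openvpn" path="/home/USERNAME/Documents/USER_CERTIFICATE.crt" '
          'dev="dm-5" ino=10226747 scontext=system_u:system_r:openvpn_t:s0 '
          'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0')

def parse_avc(line):
    """Return the record's fields as a dict, or None if it is not an AVC line."""
    if "type=AVC" not in line or "avc:" not in line:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    fields["perms"] = m.group(1).split() if m else []
    fields["denied"] = " denied " in line
    return fields

def context_type(ctx):
    """Third field of a user:role:type:level context, e.g. 'user_home_t'."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""

def diagnose(line):
    """Describe an openvpn-on-home-file denial and list fixes; None otherwise."""
    avc = parse_avc(line)
    if not avc or not avc["denied"] or avc.get("comm") != "openvpn":
        return None
    if avc.get("tclass") != "file" or context_type(avc.get("tcontext", "")) != "user_home_t":
        return None
    path = avc["path"]
    # Copy (not mv, which keeps the old label) and relabel, as the comments note.
    fixes = [f"mkdir -p {loc} && cp {path} {loc}/ && restorecon -Rv {loc}  # -> {label}"
             for loc, label in CERT_LOCATIONS.items()]
    return {"path": path, "perms": avc["perms"],
            "source": context_type(avc["scontext"]), "fixes": fixes}

if __name__ == "__main__":
    result = diagnose(SAMPLE)
    print(f"{result['source']} denied {result['perms']} on {result['path']}")
    print("\n".join(result["fixes"]))
```

After copying, `ls -Z` on the new file should show openvpn_etc_t or home_cert_t rather than user_home_t; a file that still shows user_home_t was moved rather than copied and needs restorecon.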

0

answered 2015-12-18 04:00:24 -0500 by PastorDi

I also have an .ovpn file. I took the data for the certificate, key, etc., cut them out in Kwrite and created 3 files with the .ca, .key, .cert extensions. Then I copied them to the folder /etc/openvpn/ and that's it. Then just set up a connection. After that, step by step in pictures: http://savepic.net/7478927.htm http://savepic.net/7476879.htm http://savepic.net/7531150.htm http://savepic.net/7527054.htm http://savepic.net/7514766.htm
