So I was trying to connect to the protonvpn service but couldn't for some reason. Neither through the GUI, the CLI, nor by importing the .ovpn configuration file into Network Manager directly. Soon I discovered an error that looked like this:
A quick search led me to believe that it might have something to do with SELinux. The fact that the protonvpn clients connected to Proton servers if I set setenforce permissive confirmed my suspicions. This led me into an SELinux rabbit hole, and I wonder if anyone here could help me understand what's going on.
Later I learned about SELinux labels (or whatever) and that openvpn can read certificates only from specific folders (e.g. .cert) in the home folder that have specific SELinux labels (home_cert_t). I noticed that ~/.cert gets created like this
If I make a module from that entry with audit2allow and install it with semodule -i, then the protonvpn clients start working. Another thing I noticed is that I need both the module and the sudo restorecon -R ~/.cert command for the protonvpn clients to work.
Maybe someone here has an idea of what could be wrong. Why doesn't protonvpn/openvpn work out of the box without all this tinkering? Is there a better way to make it work?
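As an added example (not code from this thread or from any of its posters), here is a small triage script for the kind of audit.log denials described above. It parses AVC records, pulls out the source and target SELinux types, and separates a target that merely carries the wrong label (restorecon territory) from one that is already home_cert_t but still denied (where only a policy change, such as an audit2allow module, would help). The audit lines are constructed samples, not the ones from the original post.

```python
import re

# Constructed sample audit.log lines (not from the thread). The first is a search
# denial on a ~/.cert directory that still carries user_home_t; the second is a read
# denial on a key file that already carries the expected home_cert_t label.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { search } for  pid=1234 comm="openvpn" name=".cert" dev="dm-0" ino=1111 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { read } for  pid=1234 comm="openvpn" name="client.key" dev="dm-0" ino=2222 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:home_cert_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.124:457): arch=c000003e syscall=257 success=no exit=-13
"""

# Label the thread says openvpn expects on certificate material under ~/.cert.
EXPECTED_CERT_TYPE = "home_cert_t"

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    # A context is user:role:type:level; policy rules are written against the type.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d

def triage(line):
    """Heuristic: a denied target whose type is not home_cert_t most likely just
    needs relabelling (restorecon -R ~/.cert); a target that already has the right
    label and is still denied needs a policy change instead."""
    d = parse_avc(line)
    if d is None:
        return None
    advice = "relabel" if d["ttype"] != EXPECTED_CERT_TYPE else "policy"
    return d, advice

def triage_log(text):
    """Triage every AVC record in a chunk of audit.log text."""
    return [r for r in (triage(l) for l in text.splitlines()) if r is not None]

if __name__ == "__main__":
    for denial, advice in triage_log(SAMPLE_AUDIT_LOG):
        print(f'{denial["comm"]} {denial["stype"]} -> {denial["ttype"]} '
              f'({denial["tclass"]} {denial["perms"]}): {advice}')
```

Run it against `sudo ausearch -m avc -c openvpn` output to see which denials a relabel would clear before reaching for audit2allow.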
Not sure, but in my opinion it may be because it's related to external services that connect deeply to the system networking.
If I think about a VPN that connects directly to the system network instead of a specific app like a browser, it means all our traffic, including every command in the terminal like dnf install, will go through that connection. And it's bad for security if all of that is allowed by default.
Maybe the maintainer leaves this to the user to add the trust manually.
Well, the command sudo restorecon -R ~/.cert re-added home_cert_t to ~/.cert recursively, and new files under it had it too thereafter, but I still got the cannot pre-load keyfile error and the denied search entry in audit.log. Does the chcon command do something different/extra?
I stumbled upon this during my troubleshooting, and after generating a module file with audit2allow and installing it with semodule -i, it started working. It's just that I was wondering how good or bad this solution is, because I don't know SELinux. And maybe there's a simpler way to make it work.
Had a similar issue. Thank you for pointing me to SELinux; I wouldn't have solved it by myself without this thread.
One way to make the permissive policy stay is to change SELINUX=enforcing in /etc/sysconfig/selinux to permissive, as instructed in the file. I was able to log into the VPN after I did that.
Having tried out the Cinnamon spin, which has the SELinux Alert Browser installed by default, I set the config back to enforcing and followed the instructions when the Alert Browser notified me of the "problem".