I’ve been using openconnect on F38 for quite a while now. Only recently I started to get a SELinux alert when connecting to a VPN. It does work nonetheless. Is anyone experiencing the same?
Edit: There is an open issue: 2221507 – SELinux is preventing openconnect from read, write access on the chr_file vhost-net.
SELinux is preventing openconnect from 'read, write' accesses on the chr_file vhost-net.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that openconnect should be allowed read write access on the vhost-net chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'openconnect' --raw | audit2allow -M my-openconnect
# semodule -X 300 -i my-openconnect.pp
Additional Information:
Source Context system_u:system_r:vpnc_t:s0
Target Context system_u:object_r:vhost_device_t:s0
Target Objects vhost-net [ chr_file ]
Source openconnect
Source Path openconnect
Port <Unknown>
Host *snip*
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.21-1.fc38.noarch
Local Policy RPM selinux-policy-targeted-38.21-1.fc38.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name *snip*
Platform Linux *snip* 6.3.12-200.fc38.x86_64 #1 SMP
PREEMPT_DYNAMIC Thu Jul 6 04:05:18 UTC 2023
x86_64
Alert Count 2
First Seen 2023-07-24 09:20:33 CEST
Last Seen 2023-07-24 13:05:16 CEST
Local ID 00b8ec58-080b-405f-9969-e9144e541f00
Raw Audit Messages
type=AVC msg=audit(1690196716.978:315): avc: denied { read write } for pid=20248 comm="openconnect" name="vhost-net" dev="devtmpfs" ino=649 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=0
Hash: openconnect,vpnc_t,vhost_device_t,chr_file,read,write