I’m somewhat convinced that this is a bug, but since the bugzilla says that it’s not intended for support, I figured I’d ask here first:
I’m trying to set up an OpenVPN connection to my employer-provided server using NetworkManager. With setenforce 0 everything works, but with setenforce 1 it fails with the error “SELinux is preventing openvpn from search access on the directory /.” (full report below).
I found several similar bug reports about people storing their certs in specific directories, but none about openvpn not being able to access / (i.e., the filesystem root, which is also hard to google). My certificate is stored in ~/.cert and I think the SELinux context is also applied correctly, i.e., directory and cert are tagged as home_cert_t:
$ ls -Z -d ~/.cert && ls -Z -d ~/.cert/*
unconfined_u:object_r:home_cert_t:s0 /home/lschmelzeisen/.cert
unconfined_u:object_r:home_cert_t:s0 /home/lschmelzeisen/.cert/zdi-ca.crt
Anything else I could have screwed up myself in this regard? Could this be related to running ZFS on root?
Full report:
SELinux is preventing openvpn from search access on the directory /.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that openvpn should be allowed search access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
# semodule -X 300 -i my-openvpn.pp
Additional Information:
Source Context system_u:system_r:openvpn_t:s0
Target Context system_u:object_r:container_file_t:s0:c620,c1021
Target Objects / [ dir ]
Source openvpn
Source Path openvpn
Port <Unknown>
Host razorback
Source RPM Packages
Target RPM Packages filesystem-3.14-3.fc33.x86_64
SELinux Policy RPM selinux-policy-targeted-3.14.6-34.fc33.noarch
Local Policy RPM selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name razorback
Platform Linux razorback 5.10.10-200.fc33.x86_64 #1 SMP Sun Jan 24 19:58:54 UTC 2021 x86_64 x86_64
Alert Count 1
First Seen 2021-01-28 18:05:07 CET
Last Seen 2021-01-28 18:05:07 CET
Local ID 17ac0584-1f97-4b1c-b8c0-775eb790c21a
Raw Audit Messages
type=AVC msg=audit(1611853507.65:1633): avc: denied { search } for pid=67363 comm="openvpn" name="/" dev="zfs" ino=34 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:container_file_t:s0:c620,c1021 tclass=dir permissive=0
Hash: openvpn,openvpn_t,container_file_t,dir,search
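The raw AVC record at the end of the report is the part worth reading before running the suggested ausearch | audit2allow pipeline: the denied object is the root directory, and its type is container_file_t with MCS categories, not the root_t the targeted policy assigns to /. A local module generated from that record would grant openvpn_t search on every container_file_t directory rather than fixing the label. The Python script below is an added example, not code from the original post or from Fedora's tooling. It parses the quoted AVC line, renders the rule audit2allow would emit from it, and compares the target's type with a reference label. EXPECTED_TYPE is a constructed stand-in for what matchpathcon -n would report on the affected host; the lookup by the AVC name field is only meaningful for "/" because that field carries a basename, not a full path.

```python
"""Triage an SELinux AVC denial before generating an allow rule.

Added example (not part of the original post). The reference label table
stands in for `matchpathcon -n <path>`; on Fedora's targeted policy the
root directory is labeled root_t.
"""
import re

# The raw AVC record quoted in the sealert report above, embedded verbatim
# so the script runs offline.
AVC_LINE = (
    'type=AVC msg=audit(1611853507.65:1633): avc: denied { search } for '
    'pid=67363 comm="openvpn" name="/" dev="zfs" ino=34 '
    'scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:object_r:container_file_t:s0:c620,c1021 '
    'tclass=dir permissive=0'
)

# Constructed stand-in for `matchpathcon -n PATH` output. Only "/" is safe to
# look up by the AVC `name` field, since that field is a basename.
EXPECTED_TYPE = {"/": "root_t"}

_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """'user:role:type:level' -> (type, [MCS categories]).

    The level is 's0' for a plain object and 's0:c620,c1021' for one carrying
    categories, as a container runtime assigns to volume content.
    """
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed security context: {ctx}")
    level = parts[3]
    cats = level.split(":", 1)[1].split(",") if ":" in level else []
    return parts[2], cats


def parse_avc(line):
    """Parse one `type=AVC` audit record into a dict of the fields used here."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    verdict, perms, rest = m.groups()
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(rest)}
    source_type, _ = split_context(kv["scontext"])
    target_type, target_cats = split_context(kv["tcontext"])
    return {
        "verdict": verdict,
        "perms": perms.split(),
        "comm": kv.get("comm"),
        "name": kv.get("name"),
        "dev": kv.get("dev"),
        "source_type": source_type,
        "target_type": target_type,
        "target_categories": target_cats,
        "tclass": kv["tclass"],
        "enforcing": kv.get("permissive") == "0",
    }


def audit2allow_rule(avc):
    """Render the TE rule audit2allow would generate for this denial.

    This is what `ausearch -c openvpn --raw | audit2allow -M my-openvpn` would
    put in the module: a grant keyed on the *type*, so it applies to every
    object of that type, not just the one that was denied.
    """
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f'allow {avc["source_type"]} {avc["target_type"]}:{avc["tclass"]} {perm_str};'


def triage(avc, expected=EXPECTED_TYPE):
    """Decide whether the denial points at a mislabeled object or a policy gap."""
    want = expected.get(avc["name"])
    if want is None:
        return {"action": "unknown",
                "reason": "no reference label for this object; run "
                          "matchpathcon on the full path first"}
    if avc["target_type"] != want:
        reason = (f'{avc["name"]} is labeled {avc["target_type"]} but the policy '
                  f'expects {want}; {audit2allow_rule(avc)} would paper over a '
                  f'mislabeled object')
        if avc["target_categories"]:
            reason += (f' (MCS categories {",".join(avc["target_categories"])} are '
                       f'the kind a container runtime assigns, which supports '
                       f'relabeling over a policy change)')
        return {"action": "relabel", "reason": reason}
    return {"action": "local-module",
            "reason": "label matches the policy's expectation; the denial is a "
                      "genuine policy gap, so a local module or bug report fits"}


if __name__ == "__main__":
    record = parse_avc(AVC_LINE)
    print(audit2allow_rule(record))
    print(triage(record))
```

On the host itself, the equivalent manual check is `ls -dZ /` against `matchpathcon /`; if the two disagree, the fix is a relabel (and, on a ZFS root, confirming that the dataset is mounted in a way that stores SELinux labels at all), not a module that allows openvpn_t into container_file_t.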