SELinux is preventing openvpn from search access on the directory /

lschmelzeisen · January 28, 2021, 5:24pm

I’m somewhat convinced that this is a bug, but since the bugzilla says that it’s not intended for support, I figured I’d ask here first:

I’m trying to set up a OpenVPN connection to my employer provided server using NetworkManager. With setenforce 0 everything works, but with setenforce 1 it fails with error “SELinux is preventing openvpn from search access on the directory /.” (full report below).

I found several similar bug reports about people storing their certs in specific directories, but none about openvpn not being able to access / (i.e., the filesystem root, which is also hard to google). My certificate is stored in ~/.cert and I think the selinux context is also applied correctly, i.e., directory and cert are tagged as home_cert_t:

$ ls -Z -d ~/.cert && ls -Z -d ~/.cert/*
unconfined_u:object_r:home_cert_t:s0 /home/lschmelzeisen/.cert
unconfined_u:object_r:home_cert_t:s0 /home/lschmelzeisen/.cert/zdi-ca.crt

Anything else I could have screwed up myself in this regard? Could this be related to running ZFS on root?

Full report:

SELinux is preventing openvpn from search access on the directory /.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that openvpn should be allowed search access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
# semodule -X 300 -i my-openvpn.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:container_file_t:s0:c620,c1021
Target Objects                / [ dir ]
Source                        openvpn
Source Path                   openvpn
Port                          <Unknown>
Host                          razorback
Source RPM Packages           
Target RPM Packages           filesystem-3.14-3.fc33.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.6-34.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     razorback
Platform                      Linux razorback 5.10.10-200.fc33.x86_64 #1 SMP Sun
                              Jan 24 19:58:54 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-01-28 18:05:07 CET
Last Seen                     2021-01-28 18:05:07 CET
Local ID                      17ac0584-1f97-4b1c-b8c0-775eb790c21a

Raw Audit Messages
type=AVC msg=audit(1611853507.65:1633): avc:  denied  { search } for  pid=67363 comm="openvpn" name="/" dev="zfs" ino=34 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:container_file_t:s0:c620,c1021 tclass=dir permissive=0


Hash: openvpn,openvpn_t,container_file_t,dir,search

vgaetera · January 28, 2021, 7:50pm

Try to fix all SELinux labels, this may take some time:

sudo fixfiles -F onboot
sudo systemctl reboot

If the issue persists, post your connection config:

PAGER= nmcli connection show id VPN_CON

youtubezombie · January 28, 2021, 9:37pm

https://fedoramagazine.org/troubleshooting-selinux/

lschmelzeisen · January 29, 2021, 10:35am

This did indeed fix it. Thanks to both of you! Next time, I will now how to troubleshoot SELinux a bit better.

system · February 26, 2021, 10:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.