Using openvpn requires adding SELinux policy

Hi everyone,

I’ve recently set up both Fedora r35 Silverblue as well as Fedora r36 Workstation on my work laptop (I switched because of reasons not pertaining to this topic), and both times I’ve run into the following:

Our company uses OpenVPN as its VPN infrastructure and gives us the necessary key and cert files, as well as a config file.
When I add a VPN connection in the GNOME interface by selecting “import from file” and then selecting the config, the config can be read, but enabling the connection fails.
Looking at the logs I can find out that the problem is insufficient SELinux permissions to read the rest of the files, and can create a new module that allows NetworkManager to read them. After this, everything works fine.

I have two questions about this:

  • Why is NetworkManager able to read the first file but not the rest?
  • While it is easy to fix this problem if you know where to look, I can see many people getting stuck on this step, especially if they are new to Linux and SELinux. Also it is not a great out-of-the-box experience. Is there a way we could improve this?

Can you post the errors you saw and the steps you took to resolve them?

The error in the interface is a rather nondescript “Could not start the VPN connection” popup (I can’t remember the exact wording and don’t want to trash my setup to reproduce it, sorry ^^’).

When looking at journalctl, this shows up:

May 17 13:59:59 pia audit[74838]: USER_START pid=74838 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
May 17 14:00:02 pia NetworkManager[1292]: <info>  [1652788802.8862] vpn[0x559a8538c870,b1da8b12-2bab-4987-9384-c0108f6a3c3b,"init"]: starting openvpn
May 17 14:00:02 pia NetworkManager[1292]: <info>  [1652788802.8865] audit: op="connection-activate" uuid="b1da8b12-2bab-4987-9384-c0108f6a3c3b" name="init" pid=73986 uid=1000 result="success"
May 17 14:00:02 pia nm-openvpn[74849]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
May 17 14:00:02 pia audit[74849]: AVC avc:  denied  { open } for  pid=74849 comm="openvpn" path="/home/pickl/.local/share/openvpn/ta.key" dev="dm-0" ino=159356 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
May 17 14:00:02 pia nm-openvpn[74849]: Cannot pre-load keyfile (/home/pickl/.local/share/openvpn/ta.key)
May 17 14:00:02 pia nm-openvpn[74849]: Exiting due to fatal error
May 17 14:00:02 pia NetworkManager[1292]: <warn>  [1652788802.9015] vpn[0x559a8538c870,b1da8b12-2bab-4987-9384-c0108f6a3c3b,"init"]: dbus: failure: connect-failed (1)
May 17 14:00:02 pia NetworkManager[1292]: <warn>  [1652788802.9016] vpn[0x559a8538c870,b1da8b12-2bab-4987-9384-c0108f6a3c3b,"init"]: dbus: failure: connect-failed (1)

Fixing this is done by running the audit error through audit2allow, resulting in the following rule:

allow openvpn_t user_home_t:file open;

which can then be added as a module using semodule.

This fixes the problem, but may be too broad a rule. I sadly don’t have the most experience with SELinux.
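To make the audit2allow step above concrete, and to show why the resulting rule is broad, here is an added example (my own code, not part of this thread or of the audit2allow tool) that parses AVC denial records like the one quoted in the journal output, merges them into allow rules, and renders the same kind of type-enforcement module that "ausearch -m avc -c openvpn | audit2allow -M local-openvpn" would produce. The second AVC line is constructed by me, not taken from the thread. The review function flags any rule whose target type is user_home_t, because that type covers every ordinary file under $HOME, so an allow rule against it gives openvpn_t far more than access to the two VPN files; relabelling the files (for example by keeping them under ~/.cert, which the stock Fedora policy labels home_cert_t and lets openvpn_t read) is the narrower option.

```python
import re
from collections import defaultdict

# Constructed sample input: the first line is the AVC record quoted in this thread,
# the second is a made-up follow-up denial for the same key file.
SAMPLE_AVC_LINES = [
    'May 17 14:00:02 pia audit[74849]: AVC avc:  denied  { open } for  pid=74849 comm="openvpn" '
    'path="/home/pickl/.local/share/openvpn/ta.key" dev="dm-0" ino=159356 '
    'scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0',
    'May 17 14:00:03 pia audit[74849]: AVC avc:  denied  { read } for  pid=74849 comm="openvpn" '
    'path="/home/pickl/.local/share/openvpn/ta.key" dev="dm-0" ino=159356 '
    'scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0',
]

# Pulls the permissions, process name, optional path, the *type* field of the
# source and target contexts (third colon-separated component) and the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)"(?:.*?path="(?P<path>[^"]*)")?.*?'
    r'scontext=\S+?:\S+?:(?P<stype>\w+):\S+\s+'
    r'tcontext=\S+?:\S+?:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)

# Target types that denote whole classes of files rather than one kind of secret.
BROAD_TARGET_TYPES = {"user_home_t", "user_home_dir_t"}


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm"),
        "path": m.group("path"),
        "stype": m.group("stype"),
        "ttype": m.group("ttype"),
        "tclass": m.group("tclass"),
    }


def collect_rules(lines):
    """Merge denials into {(source type, target type, class): permissions}."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def render_te(module_name, rules):
    """Render a .te module in the layout audit2allow -M emits."""
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    for cls, perms in sorted(classes.items()):
        out.append(f"\tclass {cls} {{ {' '.join(sorted(perms))} }};")
    out += ["}", ""]
    for (stype, ttype, cls), perms in sorted(rules.items()):
        p = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        out.append(f"allow {stype} {ttype}:{cls} {p};")
    return "\n".join(out) + "\n"


def review_rules(rules):
    """Flag rules whose target type is far wider than the files actually needed."""
    findings = []
    for (stype, ttype, cls), perms in sorted(rules.items()):
        if ttype in BROAD_TARGET_TYPES:
            findings.append(
                f"allow {stype} {ttype}:{cls} {{ {' '.join(sorted(perms))} }} lets {stype} "
                f"touch every {ttype} file, not just the VPN material; "
                f"relabel the files (e.g. keep them in ~/.cert) instead"
            )
    return findings


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AVC_LINES)
    print(render_te("local-openvpn", rules))
    for finding in review_rules(rules):
        print("WARNING:", finding)
```

Running the script on just the first sample line yields exactly the rule quoted above, "allow openvpn_t user_home_t:file open;"; with both lines it merges them into "allow openvpn_t user_home_t:file { open read };". If you do go the module route, the real commands are "audit2allow -M local-openvpn" on the ausearch output followed by "semodule -i local-openvpn.pp", and a quick "semanage fcontext -l | grep cert" shows which home paths already carry the cert label so the module can be avoided.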

Have you tried placing your key and cert files in ~/.cert to circumvent the SELinux issue?

No I haven’t. I can try tomorrow. If that’s the preferred fix I would like to find a way to tell people in the error messages though, because by myself I would never guess to try that. Not really for me (my setup works so far) but for anyone who expects a seamless experience when first setting up their Fedora install :slight_smile: