I’ve recently setup both Fedora r35 Silverblue as well as Fedora r36 Workstation on my work laptop (I switched because of reasons not pertaining to this topic), and both times I’ve run into the following:
Our company uses OpenVPN as its VPN infrastructure and gives us the necessary key and cert files, as well as a config file.
When I add a VPN connection in the Gnome interface by selecting “import form file” and then selecting the config, the config can be read, but enabling the connection fails.
Looking at the logs I can find out that the problem is insufficient selinux permissions to read the rest of the files, and can create a new module that allows networkmanager to read them. After this, everything works fine.
I have two questions about this:
Why is networkmanager able to read the first file but not the rest?
While it is easy to fix this problem if you know where to look, I can see many people getting stuck on this step, especially if they are new to linux and selinux. Also it is not a great out of the box experience. Is there a way we could improve this?
The error in the interface is a rather nondescript “Could not start the VPN connection” popup (i can’t remember the exact wording and don’t want to trash my setup to reproduce it, sorry ^^').
When looking at journalctl, this shows up:
May 17 13:59:59 pia audit[74838]: USER_START pid=74838 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
May 17 14:00:02 pia NetworkManager[1292]: <info> [1652788802.8862] vpn[0x559a8538c870,b1da8b12-2bab-4987-9384-c0108f6a3c3b,"init"]: starting openvpn
May 17 14:00:02 pia NetworkManager[1292]: <info> [1652788802.8865] audit: op="connection-activate" uuid="b1da8b12-2bab-4987-9384-c0108f6a3c3b" name="init" pid=73986 uid=1000 result="success"
May 17 14:00:02 pia nm-openvpn[74849]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
May 17 14:00:02 pia audit[74849]: AVC avc: denied { open } for pid=74849 comm="openvpn" path="/home/pickl/.local/share/openvpn/ta.key" dev="dm-0" ino=159356 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
May 17 14:00:02 pia nm-openvpn[74849]: Cannot pre-load keyfile (/home/pickl/.local/share/openvpn/ta.key)
May 17 14:00:02 pia nm-openvpn[74849]: Exiting due to fatal error
May 17 14:00:02 pia NetworkManager[1292]: <warn> [1652788802.9015] vpn[0x559a8538c870,b1da8b12-2bab-4987-9384-c0108f6a3c3b,"init"]: dbus: failure: connect-failed (1)
May 17 14:00:02 pia NetworkManager[1292]: <warn> [1652788802.9016] vpn[0x559a8538c870,b1da8b12-2bab-4987-9384-c0108f6a3c3b,"init"]: dbus: failure: connect-failed (1)
Fixing this is done by running the audit error through audit2allow, resulting in the following rule:
allow openvpn_t user_home_t:file open;
which can then be added as a module using semodule.
This fixes the problem, but may be too broad a rule. I sadly don’t have the most experience with selinux.
No I haven’t. I can try tomorrow. If that’s the preferred fix I would like to find a way to tell people in the error messages though, because by myself I would never guess to try that. Not really for me (my setup works so far) but for anyone who expects a seamless experience when first setting up their Fedora install
I know this topic is a bit old, but I had a similar issue, and I wanted to share what worked for me in case it helps someone else.
After running:
sudo ausearch -m avc -c openvpn
I discovered that the issue was related to my home directory. The problem was that I keep my home directory on a separate drive, and I sometimes experiment with different distros. When I switched back to Fedora, I realized that SELinux was having trouble with the existing contexts.
The solution was to relabel my entire home directory because it came from a non-SELinux distro:
sudo restorecon -v ~/.cert/nm-openvpn
This fixed the issue without needing any further actions. So, if you’re switching between distros and encounter similar problems with Fedora or any other SELinux-enabled distro, try relabeling your home directory after switching back, and then resort to more specific solutions if that doesn’t help.
I use Fedora since 1 1/2 year now. I never had this problem. Then, I had to reinstall it on my laptop this week, and suddenly this problem came up. Your steps allowed to fix it. Thank You !!!
Did you check the rules you added to the Selinux policy for security implications?
Post logs here. It might just be a labeling issue. If this is the case, using the right file labels will be the safer option, without adding arbitrary allow rules to a policy.
I see !! Ok, I deleted the previous rule added, the connection show again the message and wont connect. Which log do you want ? The details in the SETroubleshoot ?
I have this in the details (brut audit)
type=AVC msg=audit(1761322939.76:540): avc: denied { open } for pid=11054 comm=“openvpn” path=“/home/dominic/.local/share/networkmanagement/certificates/nm-openvpn/devinci-UDP4-1195-config-ca.pem” dev=“nvme0n1p3” ino=174753 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EDIT : Dawn ! I fixed the issue following the comment of @vgaetera !
Deleted my OpenVPN Connection, then, did these commands :
But I dont know if is only the first command that fixed it, because after reimporting my OpenVPN connection from file, the certificates are still in the .local folder and not in .cert folder !
Also, the .cert folder did’nt exist, I created it.
Edit 2 : Also, before to do these two commands, I used the one given by @stiky : sudo restorecon -v ~/.local/share/networkmanagement/certificates/nm-openvpn
Maybe I had just to delete and import again my OpenVPN connection after this command ??
Note : when I reinstalled Fedora, I used SaveDesktop app to get back my old desktop (that was also on Fedora 42).
It only shows file context rules for the home_cert_t label. You should really check what the commands do before copy-pasting them. So it was one of the other commands that fixed it.
What did it output?
Since you only used restorecon, this solution is much better than adding arbitrary rules with audit2allow.
