Re: Fedora 8: NetworkManager, OpenVPN and SELinux

Pedro Lamarão wrote:
> Hello all.
>
> I'm experimenting with a VPN connection set up through the NetworkManager panel applet.
>
> I have all certificate and key files stored in my home directory.
>
> Trying to start this VPN connection triggers an AVC DENIED.
>
> host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc: denied { read } for pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2 ino=2408465 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>
> host=localhost.localdomain type=SYSCALL msg=audit(1207523029.36:66): arch=40000003 syscall=5 success=no exit=-13 a0=bfa7ef0b a1=8000 a2=1b6 a3=8d23660 items=0 ppid=6396 pid=6400 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
>
> It seems to me that this denial makes complete sense, since OpenVPN should not be reading users' files.
>
> On the other hand, this NetworkManager configuration functionality should allow users to use their own files -- that is, it seems users are not required to be root and place files in /etc/openvpn.
>
> Also, most users won't be knowledgeable enough to know how to change a file label -- and this would be error prone, if there was ever a full relabel of the filesystem.
>
> I'll be using all files in /etc/openvpn while this is not sorted out, to exercise NetworkManager.

What's the state of the openvpn_enable_homedirs boolean on your system?

# getsebool openvpn_enable_homedirs

Paul.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
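Added example, not part of the thread: a POSIX shell script that parses an AVC denial line of the form Pedro posted, reduces it to source domain / permission / target type / object class, and for the openvpn_t-reads-user_home_t case names the boolean Paul asks about. The AVC line is the one from the post above (constructed here as a string constant); the helper names (avc_field, avc_summary, homedir_hint, check_boolean) are my own. getsebool and setsebool only do anything on a live SELinux host.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial and map the openvpn_t ->
# user_home_t case to the openvpn_enable_homedirs boolean.

# Constructed sample: the AVC record from the thread, without the host= prefix.
AVC_LINE='type=AVC msg=audit(1207523029.36:66): avc: denied { read } for pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2 ino=2408465 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=value (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/[[:space:]]*$//'
}

# avc_type CONTEXT -> the type component of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "<source domain> <permission> <target type> <class>"
avc_summary() {
    line=$1
    printf '%s %s %s %s\n' \
        "$(avc_type "$(avc_field "$line" scontext)")" \
        "$(avc_perm "$line")" \
        "$(avc_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)"
}

# homedir_hint SUMMARY -> remediation for the denial in the thread: openvpn_t
# reading user_home_t content is gated by openvpn_enable_homedirs. Anything
# else gets the generic pointer to audit2allow -w, which explains a denial.
homedir_hint() {
    case "$1" in
        "openvpn_t read user_home_t file"*)
            echo "setsebool -P openvpn_enable_homedirs on" ;;
        *)
            echo "no matching boolean; run: audit2allow -w < /var/log/audit/audit.log" ;;
    esac
}

# check_boolean -> Paul's question, on a live SELinux host only.
check_boolean() {
    command -v getsebool >/dev/null 2>&1 || { echo "getsebool not available"; return 1; }
    getsebool openvpn_enable_homedirs
}

# Stand-alone run: summarise the sample and print the suggested fix.
summary=$(avc_summary "$AVC_LINE")
echo "$summary"
homedir_hint "$summary"
```

The -P on setsebool writes the change into the policy store so it survives a reboot. The trade-off Pedro raises still stands: the boolean lets the openvpn_t domain read home-directory content in general, not just the two certificate files, so it widens what a compromised OpenVPN process can read. The alternative of relabelling the files only survives a full relabel if the new context is also recorded as a file-context rule (semanage fcontext) rather than set with chcon alone.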