So what exactly would be the restorecon command to use here?

On Wed, Dec 22, 2021 at 7:27 AM Neal Becker <ndbecker2@xxxxxxxxx> wrote:
>
> sudo ausearch -c 'openvpn'
>
> time->Tue Dec 21 14:10:56 2021
> type=AVC msg=audit(1640113856.260:3683): avc: denied { open } for
> pid=120287 comm="openvpn" path="/etc/openvpn/client/nbecker8.conf"
> dev="nvme0n1p3" ino=167775 scontext=system_u:system_r:openvpn_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
>
> So this tells me the problem was indeed a denial to open that file.
> Although I've administered unix/linux systems since the 1980s, selinux is
> a subject I've not had to learn about until now.
>
> On Tue, Dec 21, 2021 at 5:16 PM Jonathan Billings <billings@xxxxxxxxxx> wrote:
> >
> > On Dec 21, 2021, at 14:03, Kevin Becker <kevin@xxxxxxxxxxxxxxx> wrote:
> > >
> > > Probably selinux. I have these notes for configuring a commercial VPN provider to work.
> > >
> > > sudo ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
> > > sudo semodule -X 300 -i my-openvpn.pp
> >
> > Ack! That’s not good advice. That’s basically saying: “whatever broken settings you have currently, let it be allowed” blindly. Is it set so openvpn can read all files on your file system now? Who knows! Maybe now it’s allowed to sniff your network traffic? You can’t tell! It is the selinux equivalent of just “chmod 777” you see people suggest for file permission problems.
> >
> > The appropriate first step is to use “restorecon” to relabel the files in /etc. Most likely that would have fixed it.
> >
> > The “audit2why” command might have mentioned a selinux Boolean or missing setting.
> >
> > --
> > Jonathan Billings
> > _______________________________________________
> > users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
> > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
> --
> Those who don't understand recursion are doomed to repeat it

--
Those who don't understand recursion are doomed to repeat it
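
An added example, not part of any message in this thread: shell functions that pull the denied path and the two SELinux types out of the AVC record quoted above, plus a read-only label check to run before deciding between a relabel and a policy module. The function names are this example's own, and `check_label` assumes a host with the SELinux userland tools installed.

```shell
#!/bin/sh
# AVC record quoted in the thread, joined onto one line.
SAMPLE='type=AVC msg=audit(1640113856.260:3683): avc: denied { open } for pid=120287 comm="openvpn" path="/etc/openvpn/client/nbecker8.conf" dev="nvme0n1p3" ino=167775 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0'

# avc_field KEY RECORD: print the value of KEY=..., surrounding quotes removed.
# Splitting on spaces is safe: audit hex-encodes paths that contain spaces.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1 | tr -d '"'
}

# ctx_type CONTEXT: print the type, the third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: one line naming the denied domain, the path and its label.
avc_summary() {
    path=$(avc_field path "$1")
    [ -n "$path" ] || { echo "no path= field in record" >&2; return 1; }
    src=$(ctx_type "$(avc_field scontext "$1")")
    tgt=$(ctx_type "$(avc_field tcontext "$1")")
    echo "$src denied on $path labelled $tgt"
}

# check_label PATH: compare the current label with the policy default without
# changing anything; -n makes restorecon only report what it would relabel.
check_label() {
    command -v restorecon >/dev/null 2>&1 || { echo "restorecon not found" >&2; return 2; }
    ls -Zd -- "$1"
    restorecon -n -v -- "$1"
}

avc_summary "$SAMPLE"
# On the affected host: check_label "$(avc_field path "$SAMPLE")"
```

If `check_label` reports that it would relabel the file, the current label differs from the policy default for that path; if it reports nothing, the label already matches and the denial has another cause.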