Ed Greshko wrote:
> On 22/12/2021 21:26, Neal Becker wrote:
>> sudo ls -lZ /etc/openvpn/client
>> total 4
>> -rw-r--r--. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 3533 Jan 27 2021 nbecker8.conf
>>
>> This looks the same as other objects in /etc/openvpn/, so I'm guessing
>> it's correctly labeled?
>> sudo ls -lZ /etc/openvpn/
>> total 16
>> drwxr-x---. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 26 Dec 15 14:14 client
>> drwxr-x---. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 0 Dec 15 14:14 server
>
> Yes, this actually looks OK.
>
> You can run
>
> restorecon -n -v /etc/openvpn/client/nbecker8.conf
>
> -n don't change any file labels (passive check). To display the files
> whose labels would be changed, add -v.
>
> It will probably tell you that the selinux context won't be changed.
>
> So, the question then becomes why the special module is needed.

It seems that the selinux context is correct now, but the AVC from Neal's earlier message showed the target file context was fusefs_t (lightly re-formatted for clarity):

> time->Tue Dec 21 14:10:56 2021 type=AVC ...
> avc: denied { open } for pid=120287 comm="openvpn"
> path="/etc/openvpn/client/nbecker8.conf" dev="nvme0n1p3" ino=167775
> scontext=system_u:system_r:openvpn_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0

At that time, /etc/openvpn/client/nbecker8.conf had the wrong selinux context (tcontext), which would explain why the openvpn process (scontext) was not allowed to access it.

> That would require a bit more troubleshooting. But, it is
> too late in my day to advise what that would entail. :-(

With luck, that information is accurate and useful in: satiating your boundless curiosity, Ed (letting you get on with your day/night); and making selinux ever-so-slightly less random-feeling and vexing for you, Neal. Slightly is all I can manage, as I would never call myself an expert at it. :)

The sealert tool can be quite helpful. It will parse the AVC messages and provide more context about the issue and offer suggestions on how to resolve them. You can use it as a GUI tool to browse alerts or from the command line with various options. With just a little bash magic¹, you can have it parse the output from your ausearch command:

sealert -a <(sudo ausearch -c 'openvpn')

For file labeling issues, it will generally show you the command(s) needed to fix them.

¹ which I'm sure zsh can do similarly, if not even more easily and/or powerfully

-- 
Todd
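The triage Todd describes (read the AVC record, compare the target file's type with what the path should carry, and decide whether restorecon or a policy change is the right fix) can be scripted. The following is an added example, not code from the thread: it parses constructed AVC records modelled on Neal's denial, and the EXPECTED_TYPES table is an assumption standing in for what `matchpathcon` or `restorecon -n -v` would report on a real host.

```python
import re
from typing import Dict, List

# Constructed sample records. The first reproduces the denial quoted in the thread
# (target mislabeled fusefs_t); the second is an invented denial on a correctly
# labeled file, i.e. a policy gap rather than a labeling problem.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1640092256.101:512): avc:  denied  { open } for  pid=120287 comm="openvpn" path="/etc/openvpn/client/nbecker8.conf" dev="nvme0n1p3" ino=167775 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1640092301.202:513): avc:  denied  { write } for  pid=120287 comm="openvpn" path="/etc/openvpn/client/nbecker8.conf" dev="nvme0n1p3" ino=167775 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
"""

# Assumed expected types by path prefix; on a real host derive these from
# `matchpathcon <path>` or `restorecon -n -v <path>` instead of hard-coding them.
EXPECTED_TYPES = {"/etc/openvpn/": "openvpn_etc_t"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

def parse_avc(line: str) -> Dict[str, str]:
    """Turn one type=AVC record into a dict of its key=value fields plus result/perms."""
    m = _PERMS.search(line)
    if not m:
        return {}
    rec = {"result": m.group(1), "perms": m.group(2)}
    for key, val in _KV.findall(line):
        rec[key] = val.strip('"')
    return rec

def ctx_type(context: str) -> str:
    """user:role:type:level -> type, the component file labeling decides on."""
    return context.split(":")[2]

def triage(audit_text: str) -> List[Dict[str, str]]:
    """Classify each file denial as a label mismatch (restorecon) or a policy gap."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied" or "path" not in rec:
            continue
        path, actual = rec["path"], ctx_type(rec["tcontext"])
        expected = next((t for p, t in EXPECTED_TYPES.items() if path.startswith(p)), None)
        if expected and actual != expected:
            verdict, fix = "label_mismatch", f"restorecon -v {path}"
        elif expected:
            verdict, fix = "policy_gap", f"sealert -a <(sudo ausearch -c '{rec['comm']}')"
        else:
            verdict, fix = "unknown_path", f"matchpathcon {path}"
        out.append({"path": path, "source": ctx_type(rec["scontext"]), "target": actual,
                    "perms": rec["perms"], "verdict": verdict, "fix": fix})
    return out
```

Run `triage(SAMPLE_AUDIT)` to get one entry per denial; the first is reported as a label mismatch with the restorecon command to fix it, the second as a policy gap to hand to sealert.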
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure