Re: openvpn-client@nbecker8 won't start

Ed Greshko wrote:
> On 22/12/2021 21:26, Neal Becker wrote:
>> sudo ls -lZ /etc/openvpn/client
>> total 4
>> -rw-r--r--. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 3533 Jan
>> 27  2021 nbecker8.conf
>> 
>> This looks the same as other objects in /etc/openvpn/, so I'm guessing
>> it's correctly labeled?
>>   sudo ls -lZ /etc/openvpn/
>> total 16
>> drwxr-x---. 1 root openvpn system_u:object_r:openvpn_etc_t:s0       26
>> Dec 15 14:14 client
>> drwxr-x---. 1 root openvpn system_u:object_r:openvpn_etc_t:s0        0
>> Dec 15 14:14 server
> 
> Yes, this actually looks OK.
> 
> You can run
> 
> restorecon -n -v /etc/openvpn/client/nbecker8.conf
> 
>        -n     don't change any file labels (passive check).  To dis‐
>               play the files whose labels would be changed, add -v.
> 
> It will probably tell you that the selinux context won't be changed.
> 
> So, the question then becomes why the special module is needed.

It seems that the selinux context is correct now, but the
AVC from Neal's earlier message showed the target file
context was fusefs_t (lightly re-formatted for clarity):

> time->Tue Dec 21 14:10:56 2021 type=AVC ...
> avc:  denied  { open } for pid=120287 comm="openvpn"
> path="/etc/openvpn/client/nbecker8.conf" dev="nvme0n1p3" ino=167775
> scontext=system_u:system_r:openvpn_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0

At that time, /etc/openvpn/client/nbecker8.conf had the
wrong selinux context (tcontext) which would explain why the
openvpn process (scontext) was not allowed to access it.

> That would require a bit more troubleshooting.  But, it is
> too late in my day to advise what that would entail.  :-(

With luck, that information is accurate and useful in:
satiating your boundless curiosity, Ed (letting you get on
with your day/night); and making selinux ever-so-slightly
less random-feeling and vexing for you, Neal.  Slightly is
all I can manage, as I would never call myself an expert at
it. :)

The sealert tool can be quite helpful.  It will parse the
AVC messages and provide more context about the issues and
offer suggestions on how to resolve them.  You can use it as
a GUI tool to browse alerts or from the command line with
various options.

With just a little bash magic¹, you can have it parse the
output from your ausearch command:

    sealert -a <(sudo ausearch -c 'openvpn')

For file labeling issues, it will generally show you the
command(s) needed to fix them.

¹ which I'm sure zsh can do similarly, if not even more
easily and/or powerfully

-- 
Todd
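As an added illustration (not part of Todd's message or of sealert itself), the following Python script does, in miniature, what the thread describes sealert doing: it parses an AVC denial line of the kind quoted above, pulls out the source and target contexts, and, when the target file's type does not match what its directory should carry, prints the passive `restorecon -n -v` check and the `restorecon -v` fix. The sample AVC line is constructed from the one quoted in the thread; the expectation table mapping `/etc/openvpn/` to `openvpn_etc_t` is an assumption taken from the `ls -lZ` output in the thread, not read from the installed policy (a real tool such as sealert or `matchpathcon` consults the policy's file contexts instead).

```python
import re
from typing import Optional

# Constructed sample: the AVC denial quoted in the thread, written as a
# single audit record line (the audit(...) prefix is made up).
SAMPLE_AVC = (
    'type=AVC msg=audit(1640095856.123:4567): avc:  denied  { open } for '
    'pid=120287 comm="openvpn" path="/etc/openvpn/client/nbecker8.conf" '
    'dev="nvme0n1p3" ino=167775 scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0'
)

# Assumed expectation table (constructed for this example): directory
# prefix -> file type the policy labels it with. The only entry comes from
# the `ls -lZ /etc/openvpn` output in the thread; it is not loaded from the
# SELinux policy's file_contexts.
EXPECTED_TYPES = {
    "/etc/openvpn/": "openvpn_etc_t",
}

# "avc:  denied  { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line: str) -> Optional[dict]:
    """Return the denied permissions and key=value fields of one AVC line,
    or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {"perms": m.group("perms").split()}
    for key, _, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if quoted else bare
    return fields


def context_type(ctx: str) -> str:
    """Extract the type field from a user:role:type:level context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def expected_type(path: str) -> Optional[str]:
    """Look up the type the path should carry, per the constructed table."""
    for prefix, typ in EXPECTED_TYPES.items():
        if path.startswith(prefix):
            return typ
    return None


def diagnose(line: str) -> dict:
    """Classify one audit line: not an AVC, an AVC with a correctly labeled
    target, or an AVC whose target file is mislabeled (with the restorecon
    commands to check and fix it)."""
    fields = parse_avc(line)
    if fields is None:
        return {"kind": "not_avc"}
    path = fields.get("path")
    actual = context_type(fields.get("tcontext", ""))
    result = {
        "kind": "avc",
        "source_type": context_type(fields.get("scontext", "")),
        "target_type": actual,
        "path": path,
        "perms": fields["perms"],
        "enforced": fields.get("permissive") == "0",
    }
    expected = expected_type(path) if path else None
    if expected and expected != actual:
        result["kind"] = "mislabeled"
        result["expected_type"] = expected
        result["check"] = f"restorecon -n -v {path}"   # passive check
        result["fix"] = f"restorecon -v {path}"        # relabel
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_AVC).items():
        print(f"{key}: {value}")
```

Feeding it the thread's denial reports the target as `fusefs_t` where `openvpn_etc_t` was expected and prints the same `restorecon` commands Ed suggested; a denial whose target already carries the expected type comes back as a plain `avc` result, which is the case where a labeling fix would not help and a policy question remains, exactly the "why is the special module needed" question raised above.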

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure