Re: openvpn-client@nbecker8 won't start

On 23/12/2021 13:08, Todd Zullinger wrote:
Ed Greshko wrote:
On 22/12/2021 21:26, Neal Becker wrote:
sudo ls -lZ /etc/openvpn/client
total 4
-rw-r--r--. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 3533 Jan 27  2021 nbecker8.conf

This looks the same as other objects in /etc/openvpn/, so I'm guessing
it's correctly labeled?
sudo ls -lZ /etc/openvpn/
total 16
drwxr-x---. 1 root openvpn system_u:object_r:openvpn_etc_t:s0       26 Dec 15 14:14 client
drwxr-x---. 1 root openvpn system_u:object_r:openvpn_etc_t:s0        0 Dec 15 14:14 server

Yes, this actually looks OK.

You can run

restorecon -n -v /etc/openvpn/client/nbecker8.conf

        -n     don't change any file labels (passive check).  To dis‐
               play the files whose labels would be changed, add -v.

It will probably tell you that the selinux context won't be changed.

So, the question then becomes why the special module is needed.
It seems that the selinux context is correct now, but the
AVC from Neal's earlier message showed the target file
context was fusefs_t (lightly re-formatted for clarity):

time->Tue Dec 21 14:10:56 2021 type=AVC ...
avc:  denied  { open } for pid=120287 comm="openvpn"
path="/etc/openvpn/client/nbecker8.conf" dev="nvme0n1p3" ino=167775
scontext=system_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
At that time, /etc/openvpn/client/nbecker8.conf had the
wrong selinux context (tcontext) which would explain why the
openvpn process (scontext) was not allowed to access it.

That would require a bit more troubleshooting.  But, it is
too late in my day to advise what that would entail.  :-(
With luck, that information is accurate and useful in:
satiating your boundless curiosity, Ed (letting you get on
with your day/night); and making selinux ever-so-slightly
less random-feeling and vexing for you, Neal.  Slightly is
all I can manage, as I would never call myself an expert at
it. :)

LOL...

I believe you are quite correct when you note the content of the AVC has the
selinux context for the target to be

tcontext=system_u:object_r:fusefs_t:s0

which would be problematic.  And, I admit that I really didn't look at the
AVC.

But, now I'm even more confused by this thread.

I raised the question about the output of "ls -Z" on the target file in response
to the question "would be the restorecon command to use".  So, unless someone responded
off-list and Neal ran restorecon against the file how did the context change?

--
Did 황준호 die?;
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
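
Added example, not part of the original messages: a Python sketch that parses the AVC record quoted in the thread and compares its tcontext type with the label shown by the later `ls -lZ` output, making the fusefs_t versus openvpn_etc_t difference explicit. The function names are hypothetical; the sample strings are copied from the thread with the mail line wrapping rejoined.

```python
import re
import shlex

# AVC record from the thread (the elided "..." after type=AVC is left out).
AVC = ('avc:  denied  { open } for pid=120287 comm="openvpn" '
       'path="/etc/openvpn/client/nbecker8.conf" dev="nvme0n1p3" ino=167775 '
       'scontext=system_u:system_r:openvpn_t:s0 '
       'tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0')

# `ls -lZ` line from the thread, with the mail-wrapped date rejoined.
LS_Z = ('-rw-r--r--. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 '
        '3533 Jan 27  2021 nbecker8.conf')

def split_context(ctx):
    """Split user:role:type:level; the level may itself contain colons (s0:c1,c2)."""
    user, role, setype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype, "level": level}

def parse_avc(line):
    """Return the result, permission list and key=value fields of one AVC message."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC message")
    # shlex handles the quoted values (comm="...", path="...").
    fields = dict(t.split("=", 1) for t in shlex.split(m.group(3)) if "=" in t)
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields

def context_from_ls_z(line):
    """Pick the SELinux context column out of an `ls -lZ` line."""
    for tok in line.split():
        if tok.count(":") >= 3:
            return tok
    raise ValueError("no SELinux context found")

def compare(avc_line, ls_line):
    """Compare the label recorded in the denial with the label on disk now."""
    avc = parse_avc(avc_line)
    then = split_context(avc["tcontext"])["type"]
    now = split_context(context_from_ls_z(ls_line))["type"]
    return {"path": avc["path"], "domain": split_context(avc["scontext"])["type"],
            "perms": avc["perms"], "type_at_denial": then, "type_now": now,
            "relabeled_since": then != now}

if __name__ == "__main__":
    for key, value in compare(AVC, LS_Z).items():
        print(f"{key}: {value}")
```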