Well, as to how the file had the wrong context: after re-installing F35 on the new SSD, I copied the /etc/openvpn directory from my borg backup of the old one. On the old machine I was running with selinux disabled, so maybe it was wrong there also. /etc/openvpn/client/nbecker8.conf is a hand-edited file. When first created with e.g., emacs, is there a mechanism to ensure it got the correct context?

On Thu, Dec 23, 2021 at 2:11 AM Ed Greshko <ed.greshko@xxxxxxxxxxx> wrote:
>
> On 23/12/2021 13:08, Todd Zullinger wrote:
> > Ed Greshko wrote:
> >> On 22/12/2021 21:26, Neal Becker wrote:
> >>> sudo ls -lZ /etc/openvpn/client
> >>> total 4
> >>> -rw-r--r--. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 3533 Jan 27 2021 nbecker8.conf
> >>>
> >>> This looks the same as other objects in /etc/openvpn/, so I'm guessing it's correctly labeled?
> >>> sudo ls -lZ /etc/openvpn/
> >>> total 16
> >>> drwxr-x---. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 26 Dec 15 14:14 client
> >>> drwxr-x---. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 0 Dec 15 14:14 server
> >> Yes, this actually looks OK.
> >>
> >> You can run
> >>
> >> restorecon -n -v /etc/openvpn/client/nbecker8.conf
> >>
> >> -n don't change any file labels (passive check). To display the files whose labels would be changed, add -v.
> >>
> >> It will probably tell you that the selinux context won't be changed.
> >>
> >> So, the question then becomes why the special module is needed.
> > It seems that the selinux context is correct now, but the AVC from Neal's earlier message showed the target file context was fusefs_t (lightly re-formatted for clarity):
> >
> >> time->Tue Dec 21 14:10:56 2021 type=AVC ...
> >> avc: denied { open } for pid=120287 comm="openvpn"
> >> path="/etc/openvpn/client/nbecker8.conf" dev="nvme0n1p3" ino=167775
> >> scontext=system_u:system_r:openvpn_t:s0
> >> tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
> > At that time, /etc/openvpn/client/nbecker8.conf had the wrong selinux context (tcontext), which would explain why the openvpn process (scontext) was not allowed to access it.
> >
> >> That would require a bit more troubleshooting. But, it is too late in my day to advise what that would entail. :-(
> > With luck, that information is accurate and useful in: satiating your boundless curiosity, Ed (letting you get on with your day/night); and making selinux ever-so-slightly less random-feeling and vexing for you, Neal. Slightly is all I can manage, as I would never call myself an expert at it. :)
>
> LOL...
>
> I believe you are quite correct when you note the content of the AVC has the selinux context for the target to be
>
> tcontext=system_u:object_r:fusefs_t:s0
>
> which would be problematic. And, I admit that I really didn't look at the AVC.
>
> But, now I'm even more confused by this thread.
>
> I raised the question about the output of "ls -Z" on the target file in response to the question "would be the restorecon command to use". So, unless someone responded off-list and Neal ran restorecon against the file, how did the context change?
>
> --
> Did 황준호 die?;
> _______________________________________________
> users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Those who don't understand recursion are doomed to repeat it
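Added example, not part of the thread or of any Fedora tooling: a small POSIX shell helper that audits `ls -lZ` output for entries whose SELinux type is not the one expected for /etc/openvpn (openvpn_etc_t). Run over the listing in the thread it would have flagged the fusefs_t label that shows up as tcontext in the AVC denial. The function names (selinux_type, find_mislabeled, count_mislabeled, live_check) are made up here, and the sample listing is constructed; live_check simply wraps the passive `restorecon -n -v` check Ed suggested, for use on a real SELinux host.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread): audit SELinux
# file labels found in `ls -lZ` output.

# Constructed sample `ls -lZ` output, modelled on the listing in the thread.
# "restored.conf" deliberately carries the fusefs_t type seen in the AVC.
SAMPLE_LS_Z='total 12
-rw-r--r--. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 3533 Jan 27 2021 nbecker8.conf
-rw-r--r--. 1 root openvpn system_u:object_r:fusefs_t:s0 1200 Dec 15 14:14 restored.conf
-rw-------. 1 root openvpn unconfined_u:object_r:openvpn_etc_t:s0 512 Dec 15 14:14 other.conf'

# selinux_type LABEL: print the type field of a user:role:type:level label.
# The type is what the AVC check compares; a different SELinux user
# (system_u vs unconfined_u) does not by itself cause the denial.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# find_mislabeled EXPECTED_TYPE: read `ls -lZ` output on stdin and print
# "<name> <actual_type>" for every entry whose type is not EXPECTED_TYPE.
find_mislabeled() {
    expected="$1"
    while read -r mode links owner group label size rest; do
        [ -n "$mode" ] || continue
        case "$mode" in total) continue ;; esac   # skip the "total N" header
        name="${rest##* }"                         # file name is the last word
        actual=$(selinux_type "$label")
        [ "$actual" = "$expected" ] || printf '%s %s\n' "$name" "$actual"
    done
}

# count_mislabeled EXPECTED_TYPE: number of mismatching entries on stdin.
count_mislabeled() {
    find_mislabeled "$1" | wc -l | tr -d ' '
}

# live_check PATH: on a real SELinux system, run the passive check from the
# thread. restorecon -n changes nothing; -v prints files whose label would
# be changed, so no output means the label already matches the policy.
live_check() {
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -n -v "$1"
    else
        echo "restorecon not available on this host" >&2
        return 1
    fi
}

# Demonstration on the constructed sample; prints "restored.conf fusefs_t".
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled openvpn_etc_t
```

On a live Fedora box the same idea is `sudo ls -lZ /etc/openvpn/client | find_mislabeled openvpn_etc_t`, followed by `live_check /etc/openvpn/client/nbecker8.conf` to confirm what the policy would relabel the file to.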