selinux and openVPN and no log entries

This is actually a "multi-part" question.....  I'm on F16 using KDE.

As a regular user I'm attempting to create an openVPN configuration
which uses X.509 certs.  I wanted to place the certs in $HOME/.openVPN
but ran into a problem.  The logs showed the following error:

Jan 15 10:31:51 f16-1 nm-openvpn[2611]: Cannot load certificate file
/home/egreshko/.openVPN/CERT: error:0200100D:system
library:fopen:Permission denied: error:20074002:BIO
routines:FILE_CTRL:system lib: error:140AD002:SSL
routines:SSL_CTX_use_certificate_file:system lib

After a bunch of head scratching and diagnosing I guessed that it must
have been due to an selinux setting and confirmed this by switching to
"permissive" mode.

There were no log entries for the selinux denial.  I saw in the archives
the pointer to http://danwalsh.livejournal.com/11673.html but running
the suggested "semodule -DB" didn't result in what I expected.  I didn't
get any "usable" error message but these appeared instead.

Jan 15 10:36:05 f16-1 sedispatch: AVC Message for setroubleshoot,
dropping message.

So, I have (I think) 2 questions.....

1.  What would need to be done to have meaningful selinux messages
written to the logs so they can be troubleshot? 

2.  What change could be made to allow the certs to be in $HOME/.openVPN?

Another comment would also be....  Why is the default situation that no
log entries or alerts are created?  Doesn't that obscure the fact that a
selinux issue is preventing something and making it harder to diagnose?

Thanks,
Ed
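
Added example (not part of the original post): a small decoder for the OpenSSL error queue in the nm-openvpn log line above, showing that the first entry is errno 13 (EACCES) from fopen. The kernel returns that same errno for a file-mode denial and for an SELinux denial, so the log line alone cannot tell them apart. The code assumes the pre-3.0 OpenSSL error-code packing (library in bits 24-31, function in bits 12-23, reason in bits 0-11); the function names are hypothetical.

```python
import errno
import re

# Constructed sample: the log line from the post, re-joined onto one line.
LOG_LINE = (
    "Jan 15 10:31:51 f16-1 nm-openvpn[2611]: Cannot load certificate file "
    "/home/egreshko/.openVPN/CERT: error:0200100D:system library:fopen:"
    "Permission denied: error:20074002:BIO routines:FILE_CTRL:system lib: "
    "error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib"
)

ERR_LIB_SYS = 2  # OpenSSL library number for operating-system errors

# error:<8 hex digits>:<library>:<function>:<reason>
ENTRY_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:]+)")


def decode_error_queue(line):
    """Return one dict per OpenSSL error entry found in a log line.

    Assumption: pre-3.0 packing of the 32-bit error code.
    """
    entries = []
    for code_hex, lib_name, func_name, reason_text in ENTRY_RE.findall(line):
        code = int(code_hex, 16)
        lib = (code >> 24) & 0xFF
        reason = code & 0xFFF
        entries.append({
            "code": code_hex.upper(),
            "lib": lib,
            "func": (code >> 12) & 0xFFF,
            "reason": reason,
            "lib_name": lib_name.strip(),
            "func_name": func_name.strip(),
            "reason_text": reason_text.strip(),
            # For system-library entries the reason field is the errno value.
            "errno_name": errno.errorcode.get(reason) if lib == ERR_LIB_SYS else None,
        })
    return entries


def access_denied_by_os(line):
    """True when the first (oldest) queue entry is an OS-level EACCES."""
    entries = decode_error_queue(line)
    return bool(entries) and entries[0]["errno_name"] == "EACCES"


if __name__ == "__main__":
    for e in decode_error_queue(LOG_LINE):
        print(e["code"], e["lib_name"], e["func_name"], e["reason_text"], e["errno_name"])
    print("OS denied access:", access_denied_by_os(LOG_LINE))
```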



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
