This is actually a "multi-part" question.....

I'm on F16 using KDE. As a regular user I'm attempting to create an openVPN configuration which uses X.509 certs. I wanted to place the certs in $HOME/.openVPN but ran into a problem. The logs showed the following error:

Jan 15 10:31:51 f16-1 nm-openvpn[2611]: Cannot load certificate file /home/egreshko/.openVPN/CERT: error:0200100D:system library:fopen:Permission denied: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib

After a bunch of head scratching and diagnosing I guessed that it must have been due to an selinux setting and confirmed this by switching to "permissive" mode. There were no log entries for the selinux denial.

I saw in the archives the pointer to http://danwalsh.livejournal.com/11673.html but running the suggested "semodule -DB" didn't result in what I expected. I didn't get any "usable" error message but these appeared instead.

Jan 15 10:36:05 f16-1 sedispatch: AVC Message for setroubleshoot, dropping message.

So, I have (I think) 2 questions.....

1. What would need to be done to have meaningful selinux messages written to the logs so they can be troubleshot?

2. What change could be made to allow the certs to be in $HOME/.openVPN?

Another comment would also be.... Why is the default situation that no log entries or alerts are created? Doesn't that obscure the fact that a selinux issue is preventing something and making it harder to diagnose?

Thanks,
Ed
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux