Re: selinux and openVPN and no log entries

On 01/16/2012 04:46 PM, Miroslav Grepl wrote:
> On 01/16/2012 04:55 AM, Ed Greshko wrote:
>> On 01/15/2012 11:13 AM, Ed Greshko wrote:
>>> 2.  What change could be made to allow the certs to be in $HOME/.openVPN?
>> OK.....  After *properly* forming the google search I've done the
>> following....
>>
>> semanage fcontext -a -t home_cert_t "/home/user/.openVPN(/.*)?"
>> restorecon -R -v /home/user/.openVPN
>>
>> So, that is all fixed up....
>>
> Yes, this is also a solution. Or you can move your certs to
>
> /home/user/.cert
>
> which is default location for these certs. I will write a new
> openvpn_selinux man page which will mention it.

OK, good to know. 

This was the first time I've ever needed to set up an openvpn client.
So, I used the NetworkManager import function.  Since that doesn't
support (or seems not to support) the extraction of certs from a
supplied config file, I manually extracted the certs and put them where I
thought would be a logical place for me to remember.

I think I have to find out what component does the "import" and request
that the import function do the extraction and check that the
chosen destination has the appropriate selinux contexts.

I think that will be the NetworkManager-openvpn package....

>
>
> Also could you look for setroubleshootd_t messages in your 
> /var/log/audit/audit.log?
>
>

I've found the attached set of messages.  They are from a few days ago
during testing, so I can't recall what the system conditions were at the
time.  But I hope they are useful to find out why I can't see the alerts.



-- 
A common mistake that people make when trying to design something
completely foolproof was to underestimate the ingenuity of complete
fools. -- Douglas Adams in "Mostly Harmless"
type=AVC msg=audit(1326594697.107:98): avc:  denied  { rlimitinh } for  pid=2600 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594697.107:98): avc:  denied  { siginh } for  pid=2600 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594697.107:98): avc:  denied  { noatsecure } for  pid=2600 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1326594697.107:98): arch=40000003 syscall=11 success=yes exit=0 a0=8d10fb8 a1=8d10658 a2=8d10008 a3=8d10ca8 items=0 ppid=2599 pid=2600 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1326594697.705:99): avc:  denied  { write } for  pid=2600 comm="setroubleshootd" name="__db.001" dev=dm-1 ino=783812 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326594697.705:99): arch=40000003 syscall=5 success=no exit=-13 a0=8ac7888 a1=8002 a2=0 a3=8ac7bb8 items=0 ppid=2599 pid=2600 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1326594807.107:103): avc:  denied  { rlimitinh } for  pid=2627 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594807.107:103): avc:  denied  { siginh } for  pid=2627 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594807.107:103): avc:  denied  { noatsecure } for  pid=2627 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1326594807.107:103): arch=40000003 syscall=11 success=yes exit=0 a0=8340fb8 a1=8340658 a2=8340008 a3=8340ca8 items=0 ppid=2626 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1326594807.283:104): avc:  denied  { write } for  pid=2627 comm="setroubleshootd" name="__db.001" dev=dm-1 ino=783812 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326594807.283:104): arch=40000003 syscall=5 success=no exit=-13 a0=8a03888 a1=8002 a2=0 a3=8a03bb8 items=0 ppid=2626 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1326594961.829:106): avc:  denied  { rlimitinh } for  pid=2664 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594961.829:106): avc:  denied  { siginh } for  pid=2664 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594961.829:106): avc:  denied  { noatsecure } for  pid=2664 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1326594961.829:106): arch=40000003 syscall=11 success=yes exit=0 a0=86d0fb8 a1=86d0658 a2=86d0008 a3=86d0ca8 items=0 ppid=2663 pid=2664 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1326594963.021:107): avc:  denied  { write } for  pid=2664 comm="setroubleshootd" name="__db.001" dev=dm-1 ino=783812 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326594963.021:107): arch=40000003 syscall=5 success=no exit=-13 a0=8ce5888 a1=8002 a2=0 a3=8ce5bb8 items=0 ppid=2663 pid=2664 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
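The request above to look for setroubleshootd_t records in audit.log, and the attached AVC lines, are the kind of thing a small triage script can summarise; what follows is added example code, not from anyone in the thread, and it assumes only the audit.log record format shown in the attachment (the sample lines are copied or abbreviated from it, with the SYSCALL records trimmed).

```python
import re
from collections import Counter

# Constructed sample in the shape of the attached audit.log records
# (AVC lines verbatim, SYSCALL lines trimmed to a few fields).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1326594697.107:98): avc:  denied  { rlimitinh } for  pid=2600 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1326594697.107:98): arch=40000003 syscall=11 success=yes exit=0 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
type=AVC msg=audit(1326594697.705:99): avc:  denied  { write } for  pid=2600 comm="setroubleshootd" name="__db.001" dev=dm-1 ino=783812 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326594697.705:99): arch=40000003 syscall=5 success=no exit=-13 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
type=AVC msg=audit(1326594807.283:104): avc:  denied  { write } for  pid=2627 comm="setroubleshootd" name="__db.001" dev=dm-1 ino=783812 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
"""

# One AVC record: timestamp:serial, verdict, the { perms } set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)'
    r'\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """Return the type (third field) of an SELinux context string."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        **fields,
    }

def denials_for_domain(log_text, domain):
    """Count denials with `domain` as source or target type, keyed by (src, tgt, class, perm)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["verdict"] != "denied":
            continue
        s, t = type_of(rec["scontext"]), type_of(rec["tcontext"])
        if domain not in (s, t):
            continue
        for perm in rec["perms"]:
            counts[(s, t, rec["tclass"], perm)] += 1
    return counts
```

Running `denials_for_domain(open("/var/log/audit/audit.log").read(), "setroubleshootd_t")` as root gives the same per-permission tally over the real log; the repeated write denial on the rpm_var_lib_t file is the one to look at first, since it recurs on every setroubleshootd start in the attachment.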

