Can’t launch OpenVPN on Fedora 32 due to SeLinux preventing access to key

Written by James McDonald

July 10, 2020

Network manager allows you to add certs to an OpenVPN connection but the connection fails with SeLinux enabled

You know it’s seLinux because when you disable seLinux it works

# disable seLinux NM openvpn works
setenforce 0

# enable seLinux NM openvpn fails
setenforce 1

Find the error using ausearch

ausearch -c openvpn
time->Fri Jul 10 11:44:19 2020
type=AVC msg=audit(1594345459.224:436): avc:  denied  { open } for  pid=28723 comm="openvpn" path="/home/user/GDrive/Toggen/OpenVPN/tgn-ln01-key.key" dev="nvme0n1p4" ino=4266932 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

Using audit2allow fails because of the error in the following bug report

https://bugzilla.redhat.com/show_bug.cgi?id=1731135#c1

To allow Network Manager OpenVPN connections to work

Copy the cert into $HOME/.cert/nm-openvpn folder and then point network manager at it

Or relabel the cert as per the redhat bugzilla report

semanage fcontext -a -t home_cert_t /home/user/GDrive/Toggen/OpenVPN/tgn-ln01-key.key
restorecon -v /home/user/GDrive/Toggen/OpenVPN/tgn-ln01-key.key

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

You May Also Like…

How to Research a CPU Upgrade

How to Research a CPU Upgrade

Upgrade Time! Doing a lot of VMWare Workstation virtualization to create labs for self-study and training. Finding...