Can’t launch OpenVPN on Fedora 32 due to SELinux preventing access to key

Written by James McDonald

July 10, 2020

NetworkManager lets you add certs to an OpenVPN connection, but the connection fails when SELinux is enforcing.

You know it’s SELinux because the connection works when you switch SELinux to permissive mode:

# SELinux permissive: NM OpenVPN connection works
setenforce 0

# SELinux enforcing: NM OpenVPN connection fails
setenforce 1

Find the denial using ausearch:

ausearch -c openvpn
time->Fri Jul 10 11:44:19 2020
type=AVC msg=audit(1594345459.224:436): avc:  denied  { open } for  pid=28723 comm="openvpn" path="/home/user/GDrive/Toggen/OpenVPN/tgn-ln01-key.key" dev="nvme0n1p4" ino=4266932 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

Using audit2allow fails because of the error in the following bug report

To allow NetworkManager OpenVPN connections to work:

Copy the cert into the $HOME/.cert/nm-openvpn folder and then point NetworkManager at it.

Or relabel the cert as home_cert_t, as per the Red Hat Bugzilla report:

semanage fcontext -a -t home_cert_t /home/user/GDrive/Toggen/OpenVPN/tgn-ln01-key.key
restorecon -v /home/user/GDrive/Toggen/OpenVPN/tgn-ln01-key.key
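
The relabel step above, generalized as an added example (not part of the original post): a script that reads AVC records and prints the same semanage/restorecon pair for every file that openvpn_t was denied because it carries the user_home_t label. The function names are hypothetical, and it assumes the one-record-per-line format shown in the ausearch output above.

```sh
#!/bin/sh
# Added example: turn openvpn AVC denials into relabel commands.
# It only prints the commands; review them and run them as root yourself.

# AVC record copied from the ausearch output in the post, so this runs offline.
SAMPLE_AVC='type=AVC msg=audit(1594345459.224:436): avc:  denied  { open } for  pid=28723 comm="openvpn" path="/home/user/GDrive/Toggen/OpenVPN/tgn-ln01-key.key" dev="nvme0n1p4" ino=4266932 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=... with quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# Read audit records on stdin; print each file path that openvpn_t was denied
# because it is labelled user_home_t (once per path).
denied_key_paths() {
    while IFS= read -r line; do
        case $line in *type=AVC*denied*) ;; *) continue ;; esac
        [ "$(avc_field "$line" tclass)" = file ] || continue
        [ "$(avc_field "$line" scontext | cut -d: -f3)" = openvpn_t ] || continue
        [ "$(avc_field "$line" tcontext | cut -d: -f3)" = user_home_t ] || continue
        path=$(avc_field "$line" path)
        # Skip missing, hex-encoded or shell-unsafe paths instead of guessing.
        case $path in
            /*[!A-Za-z0-9/._-]*|[!/]*|'')
                echo "skipped unusable path: $path" >&2; continue ;;
        esac
        printf '%s\n' "$path"
    done | sort -u
}

# Emit the semanage/restorecon pair from the post for every denied path.
relabel_cmds() {
    denied_key_paths | while IFS= read -r p; do
        printf 'semanage fcontext -a -t home_cert_t %s\n' "$p"
        printf 'restorecon -v %s\n' "$p"
    done
}

printf '%s\n' "$SAMPLE_AVC" | relabel_cmds
```

On a real system, pipe the output of `ausearch -c openvpn` into `relabel_cmds` in place of the sample record.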

