Can’t launch OpenVPN on Fedora 32 due to SELinux preventing access to key

Written by James McDonald

July 10, 2020

NetworkManager lets you add certs to an OpenVPN connection, but the connection fails when SELinux is enforcing.

You know it’s SELinux because the connection works when you switch SELinux to permissive mode.

# SELinux permissive: the NetworkManager OpenVPN connection works
setenforce 0

# SELinux enforcing: the NetworkManager OpenVPN connection fails
setenforce 1

Find the denial using ausearch:

ausearch -c openvpn
time->Fri Jul 10 11:44:19 2020
type=AVC msg=audit(1594345459.224:436): avc:  denied  { open } for  pid=28723 comm="openvpn" path="/home/user/GDrive/Toggen/OpenVPN/tgn-ln01-key.key" dev="nvme0n1p4" ino=4266932 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

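The record shows the openvpn process (domain openvpn_t) being denied open on the key file, which carries the user_home_t label.

Using audit2allow fails because of the error in the following bug report: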

https://bugzilla.redhat.com/show_bug.cgi?id=1731135#c1

To allow NetworkManager OpenVPN connections to work:

Copy the cert into the $HOME/.cert/nm-openvpn folder and then point NetworkManager at it.

Or relabel the cert as per the Red Hat Bugzilla report:

semanage fcontext -a -t home_cert_t /home/user/GDrive/Toggen/OpenVPN/tgn-ln01-key.key
restorecon -v /home/user/GDrive/Toggen/OpenVPN/tgn-ln01-key.key
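
The following added example, which is not part of the original post, parses the denial record shown above and prints the relabel commands only when the record matches this case (openvpn_t denied on a file labelled user_home_t). The function names are made up for the illustration, and the sample input is the record quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): read an AVC denial and, when it
# matches the case described above, print the relabel commands for review.

# Constructed sample input: the denial record quoted in the post.
SAMPLE_AVC='type=AVC msg=audit(1594345459.224:436): avc:  denied  { open } for  pid=28723 comm="openvpn" path="/home/user/GDrive/Toggen/OpenVPN/tgn-ln01-key.key" dev="nvme0n1p4" ino=4266932 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=value or KEY="value".
avc_field() {
    _v=$(printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p")
    [ -n "$_v" ] || _v=$(printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\([^[:space:]\"]*\).*/\1/p")
    printf '%s\n' "$_v"
}

# avc_perms LINE: print the denied permission(s) between the braces.
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'; }

# ctx_type CONTEXT: print the type, the third field of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_summary LINE: one line saying which domain was denied what on which type.
avc_summary() {
    printf '%s denied {%s} on %s:%s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" "$(avc_perms "$1")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" path)"
}

# suggest_relabel LINE: print (never run) the fix from the post, only when the
# denial is openvpn_t reading a file still labelled user_home_t.
suggest_relabel() {
    [ "$(ctx_type "$(avc_field "$1" scontext)")" = openvpn_t ] || return 1
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" = user_home_t ] || return 1
    [ "$(avc_field "$1" tclass)" = file ] || return 1
    _p=$(avc_field "$1" path)
    # Hex-encoded or quote-bearing paths are left for manual handling.
    case $_p in /*) ;; *) return 1 ;; esac
    case $_p in *\'*) return 1 ;; esac
    printf "semanage fcontext -a -t home_cert_t '%s'\n" "$_p"
    printf "restorecon -v '%s'\n" "$_p"
}

avc_summary "$SAMPLE_AVC"
suggest_relabel "$SAMPLE_AVC"
```

Because the commands are only printed, you can check the path and target label before running them as root.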
