Old 12-25-2011, 10:59 AM
"Jeroen van Meeuwen (Kolab Systems)"
 
NetworkManager / OpenVPN Certificates

Hi there,

I wanted to ask what the proper location is to store client OpenVPN
certificates, if any exists.


With SELinux enforcing the targeted policy, the following occurs on
attempting to connect to a VPN:


type=AVC msg=audit(1324632910.570:383): avc: denied { read } for
pid=4098 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169
scontext=system_u:system_r:openvpn_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1324632910.570:383): arch=c000003e syscall=2
success=no exit=-13 a0=7fff58e16ec9 a1=0 a2=1b6 a3=238 items=0 ppid=4095
pid=4098 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn"
subj=system_u:system_r:openvpn_t:s0 key=(null)


When I setenforce 0, the following happens:

type=MAC_STATUS msg=audit(1324633028.994:384): enforcing=0
old_enforcing=1 auid=1000 ses=2
type=SYSCALL msg=audit(1324633028.994:384): arch=c000003e syscall=1
success=yes exit=1 a0=3 a1=7fffda4ea5f0 a2=1 a3=0 items=0 ppid=4032
pid=4145 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=2 comm="setenforce" exe="/usr/sbin/setenforce"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1324633034.039:385): avc: denied { read } for
pid=4149 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169
scontext=system_u:system_r:openvpn_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1324633034.039:385): avc: denied { open } for
pid=4149 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169
scontext=system_u:system_r:openvpn_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1324633034.039:385): arch=c000003e syscall=2
success=yes exit=5 a0=7fff96303ec9 a1=0 a2=1b6 a3=238 items=0 ppid=4146
pid=4149 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn"
subj=system_u:system_r:openvpn_t:s0 key=(null)


For the vanmeeuwen.crt client certificate, there's also a
vanmeeuwen.key and a ca.crt, BTW, but the latter two never trigger an
audit trail (though have the same selinux context).


I have stored the certificates in a directory tree in ~/.openvpn, with
one directory per VPN connection, BTW, for which I recognize there is no
separate custom context definition in
/etc/selinux/targeted/contexts/files/.


Kind regards,

Jeroen van Meeuwen

--
Senior Engineer, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
t: +44 144 340 9500
m: +44 74 2516 3817
w: http://www.kolabsys.com

pgp: 9342 BF08
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 12-25-2011, 11:51 AM
Dominic Hopf
 
NetworkManager / OpenVPN Certificates

Hi Jeroen,

I'm not quite sure if I'm doing it right, but I have stored my OpenVPN
client certificate in ~/.pki; it seems that is the only place
besides /etc/pki/ where it can have the proper SELinux context
(home_cert_t in this case), and it looks like a sane location to store a
certificate too.

Merry Christmas,
Dominic

--
Dominic Hopf
http://dominichopf.de/

Key Fingerprint: A7DF C4FC 07AE 4DDC 5CA0 BD93 AAB0 6019 CA7D 868D
 
Old 12-25-2011, 01:06 PM
"Jeroen van Meeuwen (Kolab Systems)"
 
NetworkManager / OpenVPN Certificates

On 2011-12-25 13:51, Dominic Hopf wrote:
> Hi Jeroen,
>
> I'm not quite sure if I'm doing it right, but I have stored my OpenVPN
> Client certificate in ~/.pki, it seems there is the only place
> besides /etc/pki/ where it can have the proper SELinux context
> (home_cert_t in this case) and looks like a sane location to store a
> certificate also.
>
That could do the trick, and is not insensible indeed! Thanks for the
pointer.


Merry Christmas,

Kind regards,

Jeroen van Meeuwen

 
Old 12-28-2011, 12:59 PM
Daniel J Walsh
 
NetworkManager / OpenVPN Certificates


On 12/25/2011 09:06 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
> On 2011-12-25 13:51, Dominic Hopf wrote:
>> Hi Jeroen,
>>
>> I'm not quite sure if I'm doing it right, but I have stored my
>> OpenVPN Client certificate in ~/.pki, it seems there is the only
>> place besides /etc/pki/ where it can have the proper SELinux
>> context (home_cert_t in this case) and looks like a sane location
>> to store a certificate also.
>>
>
> That could do the trick, and is not insensible indeed! Thanks for
> the pointer.
>
> Merry Christmas,
>
> Kind regards,
>
> Jeroen van Meeuwen
>

Proper labeling for certs in the homedir is setup for ~/.pki or ~/.cert

grep home_cert_t /etc/selinux/targeted/modules/active/homedir_template
HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)? system_u:object_r:home_cert_t:s0
HOME_DIR/.pki(/.*)? system_u:object_r:home_cert_t:s0
HOME_DIR/.cert(/.*)? system_u:object_r:home_cert_t:s0

You might need to run restorecon on the directories after you create them.
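An added example (not code from the thread or from the Fedora policy) that ties Jeroen's denial to Daniel's answer: it summarises AVC records of the kind posted above, and it maps a path under the home directory to the label the targeted policy's homedir_template gives it, using the three home_cert_t lines Daniel quoted. The audit records are constructed from the thread's denial with the contexts written out in full, the pattern list is simplified (everything not matching those three entries is treated as user_home_t, which the real template does not guarantee), and the relabel_fix function assumes Jeroen's ~/.openvpn/<connection>/ layout and is only defined, not run, since it needs an SELinux host.

```shell
#!/bin/sh
# Added example (not from the thread): triage an OpenVPN AVC denial and work
# out what label the targeted policy's homedir_template would give the file.

# Constructed sample records, based on the denial posted in the thread with
# the contexts written out in full ("system_r:openvpn_t", "unconfined_u:object_r").
SAMPLE_AUDIT='type=AVC msg=audit(1324632910.570:383): avc:  denied  { read } for  pid=4098 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1324632910.570:383): arch=c000003e syscall=2 success=no exit=-13 comm="openvpn" exe="/usr/sbin/openvpn"'

# Third colon-separated field of an SELinux context is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull one key=value field out of an audit record, quotes stripped.
# $1 = record, $2 = key. Audit fields contain no glob characters.
avc_field() {
    for w in $1; do
        case $w in
            "$2"=*) v=${w#*=}; v=${v#\"}; printf '%s\n' "${v%\"}"; return 0 ;;
        esac
    done
    return 1
}

# The permission set inside "{ ... }", e.g. "read" or "read open".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# One line per AVC record on stdin: source type -> target type class { perms } name.
avc_summary() {
    while IFS= read -r rec; do
        case $rec in
            type=AVC*) ;;
            *) continue ;;
        esac
        printf '%s -> %s %s { %s } %s\n' \
            "$(ctx_type "$(avc_field "$rec" scontext)")" \
            "$(ctx_type "$(avc_field "$rec" tcontext)")" \
            "$(avc_field "$rec" tclass)" \
            "$(avc_perms "$rec")" \
            "$(avc_field "$rec" name)"
    done
}

# Label homedir_template gives a path under the home directory.
# The three home_cert_t entries are the ones quoted in the thread; anything
# else is simplified to user_home_t here (the real template has more entries).
# $1 = absolute path, $2 = home directory.
expected_home_type() {
    rel=${1#"$2"/}
    case $rel in
        .kde/share/apps/networkmanagement/certificates|.kde/share/apps/networkmanagement/certificates/*) echo home_cert_t ;;
        .pki|.pki/*)   echo home_cert_t ;;
        .cert|.cert/*) echo home_cert_t ;;
        *)             echo user_home_t ;;
    esac
}

# Move one connection's certs from ~/.openvpn/<conn>/ (the layout in the
# question) into ~/.cert/<conn>/ and relabel. Defined only; needs an SELinux
# host. restorecon is the step mentioned in the answer; ls -Z shows the result.
relabel_fix() {
    conn=$1
    mkdir -p "$HOME/.cert/$conn"
    mv "$HOME/.openvpn/$conn"/*.crt "$HOME/.openvpn/$conn"/*.key "$HOME/.cert/$conn"/
    chmod 600 "$HOME/.cert/$conn"/*.key
    restorecon -Rv "$HOME/.cert"
    ls -Z "$HOME/.cert/$conn"
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
expected_home_type /home/vanmeeuwen/.openvpn/kolab/vanmeeuwen.crt /home/vanmeeuwen
expected_home_type /home/vanmeeuwen/.cert/kolab/vanmeeuwen.crt /home/vanmeeuwen
```

Run as is, the summary line shows openvpn_t reading a user_home_t file, and the two expected_home_type calls show why moving the tree from ~/.openvpn to ~/.cert changes the outcome: the path itself decides the label, which is also why the ca.crt and .key files next to the cert carry the same context. After relabel_fix on a real system, ls -Z should report home_cert_t on the moved files.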
 
