Old 01-15-2012, 02:13 AM
Ed Greshko
 
selinux and openVPN and no log entries

This is actually a "multi-part" question..... I'm on F16 using KDE.

As a regular user I'm attempting to create an openVPN configuration
which uses X.509 certs. I wanted to place the certs in $HOME/.openVPN
but ran into a problem. The logs showed the following error:

Jan 15 10:31:51 f16-1 nm-openvpn[2611]: Cannot load certificate file
/home/egreshko/.openVPN/CERT: error:0200100D:system
library:fopen:Permission denied: error:20074002:BIO
routines:FILE_CTRL:system lib: error:140AD002:SSL
routines:SSL_CTX_use_certificate_file:system lib

After a bunch of head scratching and diagnosing I guessed that it must
have been due to an selinux setting and confirmed this by switching to
"permissive" mode.

There were no log entries for the selinux denial. I saw in the archives
the pointer to http://danwalsh.livejournal.com/11673.html but running
the suggested "semodule -DB" didn't result in what I expected. I didn't
get any "usable" error message but these appeared instead.

Jan 15 10:36:05 f16-1 sedispatch: AVC Message for setroubleshoot,
dropping message.

So, I have (I think) 2 questions.....

1. What would need to be done to have meaningful selinux messages
written to the logs so they can be troubleshot?

2. What change could be made to allow the certs to be in $HOME/.openVPN?

Another comment would also be.... Why is the default situation that no
log entries or alerts are created? Doesn't that obscure the fact that a
selinux issue is preventing something and making it harder to diagnose?

Thanks,
Ed


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 01-16-2012, 03:55 AM
Ed Greshko
 
selinux and openVPN and no log entries

On 01/15/2012 11:13 AM, Ed Greshko wrote:
> 2. What change could be made to allow the certs to be in $HOME/.openVPN?

OK..... After *properly* forming the google search I've done the
following....

semanage fcontext -a -t home_cert_t "/home/user/.openVPN(/.*)?"
restorecon -R -v /home/user/.openVPN

So, that is all fixed up....



--
A common mistake that people make when trying to design something
completely foolproof was to underestimate the ingenuity of complete
fools. -- Douglas Adams in "Mostly Harmless"

 
Old 01-16-2012, 06:45 AM
Ed Greshko
 
selinux and openVPN and no log entries

On 01/16/2012 04:46 PM, Miroslav Grepl wrote:
> On 01/16/2012 04:55 AM, Ed Greshko wrote:
>> On 01/15/2012 11:13 AM, Ed Greshko wrote:
>>> 2. What change could be made to allow the certs to be in $HOME/.openVPN?
>> OK..... After *properly* forming the google search I've done the
>> following....
>>
>> semanage fcontext -a -t home_cert_t "/home/user/.openVPN(/.*)?"
>> restorecon -R -v /home/user/.openVPN
>>
>> So, that is all fixed up....
>>
> Yes, this is also a solution. Or you can move your certs to
>
> /home/user/.cert
>
> which is the default location for these certs. I will write a new
> openvpn_selinux man page which will mention it.

OK, good to know.

This was the first time I've ever needed to set up an openvpn client.
So, I used the NetworkManager import function. Since that doesn't
support (or seems not to support) the extraction of certs from a
supplied config file, I manually extracted the certs and put them where I
thought would be a logical place for me to remember.

I think I have to find out what component does the "import" and request
that the import function do the extraction and check that the
chosen destination has the appropriate selinux contexts.

I think that will be the NetworkManager-openvpn package....

>
>
> Also could you look for setroubleshootd_t messages in your
> /var/log/audit/audit.log?
>
>

I've found the attached set of messages. They are from a few days ago
during testing, so I can't recall what the system conditions were at the
time. But I hope they are useful to find out why I can't see the alerts.



type=AVC msg=audit(1326594697.107:98): avc: denied { rlimitinh } for pid=2600 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594697.107:98): avc: denied { siginh } for pid=2600 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594697.107:98): avc: denied { noatsecure } for pid=2600 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1326594697.107:98): arch=40000003 syscall=11 success=yes exit=0 a0=8d10fb8 a1=8d10658 a2=8d10008 a3=8d10ca8 items=0 ppid=2599 pid=2600 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1326594697.705:99): avc: denied { write } for pid=2600 comm="setroubleshootd" name="__db.001" dev=dm-1 ino=783812 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326594697.705:99): arch=40000003 syscall=5 success=no exit=-13 a0=8ac7888 a1=8002 a2=0 a3=8ac7bb8 items=0 ppid=2599 pid=2600 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1326594807.107:103): avc: denied { rlimitinh } for pid=2627 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594807.107:103): avc: denied { siginh } for pid=2627 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594807.107:103): avc: denied { noatsecure } for pid=2627 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1326594807.107:103): arch=40000003 syscall=11 success=yes exit=0 a0=8340fb8 a1=8340658 a2=8340008 a3=8340ca8 items=0 ppid=2626 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1326594807.283:104): avc: denied { write } for pid=2627 comm="setroubleshootd" name="__db.001" dev=dm-1 ino=783812 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326594807.283:104): arch=40000003 syscall=5 success=no exit=-13 a0=8a03888 a1=8002 a2=0 a3=8a03bb8 items=0 ppid=2626 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1326594961.829:106): avc: denied { rlimitinh } for pid=2664 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594961.829:106): avc: denied { siginh } for pid=2664 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594961.829:106): avc: denied { noatsecure } for pid=2664 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1326594961.829:106): arch=40000003 syscall=11 success=yes exit=0 a0=86d0fb8 a1=86d0658 a2=86d0008 a3=86d0ca8 items=0 ppid=2663 pid=2664 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1326594963.021:107): avc: denied { write } for pid=2664 comm="setroubleshootd" name="__db.001" dev=dm-1 ino=783812 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326594963.021:107): arch=40000003 syscall=5 success=no exit=-13 a0=8ce5888 a1=8002 a2=0 a3=8ce5bb8 items=0 ppid=2663 pid=2664 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
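An added example, not code from the thread or from setroubleshoot: a small Python parser for the AVC records Ed attached above, grouping them by source type, target type and object class (the same reduction audit2allow performs) so that the one denial where setroubleshootd itself is the subject stands apart from the process-inheritance checks on the dbus-to-setroubleshootd transition. The sample lines are constructed from the ones posted, with the SYSCALL records abridged.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the records from the thread (SYSCALL lines abridged).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1326594697.107:98): avc: denied { rlimitinh } for pid=2600 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594697.107:98): avc: denied { siginh } for pid=2600 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1326594697.107:98): avc: denied { noatsecure } for pid=2600 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1326594697.107:98): arch=40000003 syscall=11 success=yes exit=0 comm="setroubleshootd" exe="/usr/bin/python"
type=AVC msg=audit(1326594697.705:99): avc: denied { write } for pid=2600 comm="setroubleshootd" name="__db.001" dev=dm-1 ino=783812 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326594697.705:99): arch=40000003 syscall=5 success=no exit=-13 comm="setroubleshootd" exe="/usr/bin/python"
"""

AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
                    r"avc: +denied +\{ (?P<perms>[^}]+)\} for +(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def type_of(ctx):
    """user:role:type[:mls] -> type, the part that policy rules are written against."""
    return ctx.split(":")[2]

def summarise(log_text):
    """Group denials by (source type, target type, class) -> sorted permission names."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

def denials_by_domain(summary, domain):
    """Denials where `domain` is the subject. With 'setroubleshootd_t' this isolates
    the record where the alerting daemon itself was refused a write to an
    rpm_var_lib_t file, the one to examine first when that daemon raises no alerts."""
    return {k: v for k, v in summary.items() if k[0] == domain}
```

Pointed at a real /var/log/audit/audit.log the same functions work unchanged, since they only depend on the AVC record format.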
 
Old 01-16-2012, 07:46 AM
Miroslav Grepl
 
selinux and openVPN and no log entries

On 01/16/2012 04:55 AM, Ed Greshko wrote:
> On 01/15/2012 11:13 AM, Ed Greshko wrote:
>> 2. What change could be made to allow the certs to be in $HOME/.openVPN?
> OK..... After *properly* forming the google search I've done the
> following....
>
> semanage fcontext -a -t home_cert_t "/home/user/.openVPN(/.*)?"
> restorecon -R -v /home/user/.openVPN
>
> So, that is all fixed up....

Yes, this is also a solution. Or you can move your certs to

/home/user/.cert

which is the default location for these certs. I will write a new
openvpn_selinux man page which will mention it.

Also could you look for setroubleshootd_t messages in your
/var/log/audit/audit.log?

Regards,

Miroslav
 
Old 01-17-2012, 01:16 PM
Ed Greshko
 
selinux and openVPN and no log entries

On 01/16/2012 03:45 PM, Ed Greshko wrote:
> I've found the attached set of messages. They are a few days ago
> during testing so I can't recall what the system conditions were at the
> time. But, I hope they are useful to find out why I can't see the alerts.

So, does anyone have any comments on the log entries?

I think there must be a bugzilla waiting to be written....but it would
be nice to know what package it should be written against.

 