Old 04-06-2008, 11:11 PM
Pedro Lamarão
 
Default Fedora 8: NetworkManager, OpenVPN and SELinux

Hello all.

I'm experimenting with a VPN connection set up through the
NetworkManager panel applet.


I have all certificate and key files stored in my home directory.

Trying to start this VPN connection triggers an AVC DENIED.

host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc:
denied { read } for pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2
ino=2408465 scontext=system_u:system_r:openvpn_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


host=localhost.localdomain type=SYSCALL msg=audit(1207523029.36:66):
arch=40000003 syscall=5 success=no exit=-13 a0=bfa7ef0b a1=8000 a2=1b6
a3=8d23660 items=0 ppid=6396 pid=6400 auid=500 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn"
exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)


It seems to me that this denial makes complete sense, since OpenVPN
should not be reading users' files.


On the other hand, this NetworkManager configuration functionality
should allow users to use their own files -- that is, it seems users are
not required to be root and place files in /etc/openvpn.


Also, most users won't be knowledgeable enough to know how to change
file label -- and this would be error prone, if there was ever a full
relabel in the filesystem.


I'll be using all files in /etc/openvpn while this is not sorted out to
exercise NetworkManager.


--
P.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-07-2008, 09:12 AM
Paul Howarth
 
Default Fedora 8: NetworkManager, OpenVPN and SELinux

Pedro Lamarão wrote:

> Hello all.
>
> I'm experimenting with a VPN connection set up through the
> NetworkManager panel applet.
>
> I have all certificate and key files stored in my home directory.
>
> Trying to start this VPN connection triggers an AVC DENIED.
>
> host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc:
> denied { read } for pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2
> ino=2408465 scontext=system_u:system_r:openvpn_t:s0
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>
> host=localhost.localdomain type=SYSCALL msg=audit(1207523029.36:66):
> arch=40000003 syscall=5 success=no exit=-13 a0=bfa7ef0b a1=8000 a2=1b6
> a3=8d23660 items=0 ppid=6396 pid=6400 auid=500 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn"
> exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
>
> It seems to me that this denial makes complete sense, since OpenVPN
> should not be reading users' files.
>
> On the other hand, this NetworkManager configuration functionality
> should allow users to use their own files -- that is, it seems users are
> not required to be root and place files in /etc/openvpn.
>
> Also, most users won't be knowledgeable enough to know how to change
> file label -- and this would be error prone, if there was ever a full
> relabel in the filesystem.
>
> I'll be using all files in /etc/openvpn while this is not sorted out to
> exercise NetworkManager.


What's the state of the openvpn_enable_homedirs boolean on your system?

# getsebool openvpn_enable_homedirs

Paul.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 04-10-2008, 08:56 AM
Christoph Höger
 
Default Fedora 8: NetworkManager, OpenVPN and SELinux

On Sunday, 06.04.2008, 20:11 -0300, Pedro Lamarão wrote:
> Hello all.
>
> I'm experimenting with a VPN connection set up through the
> NetworkManager panel applet.
>
> I have all certificate and key files stored in my home directory.
>
> Trying to start this VPN connection triggers an AVC DENIED.
>
> host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc:
> denied { read } for pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2
> ino=2408465 scontext=system_u:system_r:openvpn_t:s0
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>
> host=localhost.localdomain type=SYSCALL msg=audit(1207523029.36:66):
> arch=40000003 syscall=5 success=no exit=-13 a0=bfa7ef0b a1=8000 a2=1b6
> a3=8d23660 items=0 ppid=6396 pid=6400 auid=500 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn"
> exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
>
> It seems to me that this denial makes complete sense, since OpenVPN
> should not be reading users' files.
>
> On the other hand, this NetworkManager configuration functionality
> should allow users to use their own files -- that is, it seems users are
> not required to be root and place files in /etc/openvpn.
>
> Also, most users won't be knowledgeable enough to know how to change
> file label -- and this would be error prone, if there was ever a full
> relabel in the filesystem.
>
> I'll be using all files in /etc/openvpn while this is not sorted out to
> exercise NetworkManager.
>
> --
> P.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Hi,

there is a special SELinux Boolean for that: openvpn_enable_homedirs.
You can set this via setsebool or use the SELinux Manager.

regards

Christoph

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
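Added example (not from any of the posters, and not part of the Fedora or OpenVPN code): a small POSIX shell script that pulls the source type, target type, object class and denied permission out of an AVC record like the one Pedro posted and maps that combination to the boolean Paul and Christoph point at. The AVC line is a constructed copy embedded inline so the script runs offline without auditd or SELinux tooling; the `avc_*` function names and the verdict strings are my own.

```sh
#!/bin/sh
# Classify an SELinux AVC denial and suggest which boolean to check.
# Constructed sample, copied from the record in this thread (not read
# from a live audit log), so the script runs without auditd present.
AVC_SAMPLE='type=AVC msg=audit(1207523029.36:66): avc: denied { read } for pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2 ino=2408465 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field RECORD KEY -> value of "KEY=value" in RECORD, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_type CONTEXT -> the type component of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm RECORD -> the permission named inside "denied { perm }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([a-z_]*\) }.*/\1/p'
}

# avc_suggest RECORD -> one-line verdict for this denial
avc_suggest() {
    rec=$1
    src=$(avc_type "$(avc_field "$rec" scontext)")
    tgt=$(avc_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    perm=$(avc_perm "$rec")
    case "$src:$tgt:$cls" in
        openvpn_t:user_home_t:file)
            # This is exactly the case in the thread: confined openvpn_t
            # touching a file still carrying the user_home_t label.
            echo "openvpn_t $perm on user_home_t file: check boolean openvpn_enable_homedirs"
            ;;
        *)
            echo "$src $perm on $tgt $cls: no boolean known here, run audit2why on the record"
            ;;
    esac
}

# remediation_cmd -> the persistent form of the fix (-P survives reboot);
# only echoed, never executed, so the script stays read-only
remediation_cmd() {
    echo "setsebool -P openvpn_enable_homedirs on"
}

avc_suggest "$AVC_SAMPLE"
remediation_cmd
```

Two things worth knowing before flipping the boolean: `setsebool` without `-P` only changes the running policy and is lost at reboot, and enabling `openvpn_enable_homedirs` widens openvpn_t's access to every user's home-directory content, not just the one user's key files. The narrower alternative Pedro mentions, relabelling just the key directory, survives a full relabel only if the rule is recorded with `semanage fcontext -a` before `restorecon` is run, which is why the boolean is the more forgiving choice for the NetworkManager use case.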