fedora-selinux January 2012 archive

selinux and openVPN and no log entries

From: Ed Greshko <Ed.Greshko_at_nospam>
Date: Sun Jan 15 2012 - 03:13:01 GMT
To: selinux@lists.fedoraproject.org

This is actually a "multi-part" question..... I'm on F16 using KDE.

As a regular user I'm attempting to create an openVPN configuration
which uses X.509 certs. I wanted to place the certs in $HOME/.openVPN
but ran into a problem. The logs showed the following error:

Jan 15 10:31:51 f16-1 nm-openvpn[2611]: Cannot load certificate file
/home/egreshko/.openVPN/CERT: error:0200100D:system
library:fopen:Permission denied: error:20074002:BIO
routines:FILE_CTRL:system lib: error:140AD002:SSL
routines:SSL_CTX_use_certificate_file:system lib

After a bunch of head scratching and diagnosing I guessed that it must
have been due to an selinux setting and confirmed this by switching to
"permissive" mode.

There were no log entries for the selinux denial. I saw in the archives
the pointer to http://danwalsh.livejournal.com/11673.html but running
the suggested "semodule -DB" didn't result in what I expected. I didn't
get any "usable" error message but these appeared instead.

Jan 15 10:36:05 f16-1 sedispatch: AVC Message for setroubleshoot,
dropping message.

So, I have (I think) 2 questions.....

1. What would need to be done to have meaningful selinux messages
written to the logs so they can be troubleshot?

2. What change could be made to allow the certs to be in $HOME/.openVPN?

Another comment would also be.... Why is the default situation that no
log entries or alerts are created? Doesn't that obscure the fact that a
selinux issue is preventing something and making it harder to diagnose?

Thanks,
Ed

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
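For question 1, the denials are typically hidden by dontaudit rules, so nothing is written for setroubleshoot to pick up. As an added example (not from Ed's post or from the Fedora project), this shell helper uses the real `semodule -DB` / `semodule -B` and `ausearch` commands to temporarily surface such denials and reads the audit log directly rather than waiting for an alert, then condenses the raw AVC records into one line per distinct denial. The sample AVC lines are constructed for illustration; the policy changes require root on an SELinux system.

```shell
#!/bin/sh
# Added example, not from the original thread. Surfaces SELinux denials that
# dontaudit rules keep out of the logs and condenses the raw AVC records.
# Assumes Fedora with policycoreutils and audit installed; root is needed
# for capture_hidden_avcs, while summarize_avcs is pure text processing.

# Temporarily disable dontaudit rules, run the failing command (e.g. the VPN
# start), print AVCs from the last 10 minutes, then restore dontaudit rules.
capture_hidden_avcs() {
    semodule -DB || return 1             # -D: drop dontaudit rules, -B: rebuild
    "$@"                                 # reproduce the failure
    ausearch -m AVC,USER_AVC -ts recent  # read audit.log directly
    semodule -B                          # put the dontaudit rules back
}

# Reduce raw AVC lines on stdin to
# "<count> <comm> <tclass> { perms } <scontext> -> <tcontext>", most frequent first.
summarize_avcs() {
    awk '
      /avc:  denied/ {
        perms = ""; comm = ""; sc = ""; tc = ""; cls = ""
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
          if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
          if ($i ~ /^scontext=/)   sc  = substr($i, 10)
          if ($i ~ /^tcontext=/)   tc  = substr($i, 10)
          if ($i ~ /^tclass=/)     cls = substr($i, 8)
        }
        print comm, cls, perms, sc, "->", tc
      }' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample records in ausearch raw format (not taken from the thread):
# the kind of denial that becomes visible once dontaudit rules are disabled.
SAMPLE_AVCS='type=AVC msg=audit(1326595911.101:201): avc:  denied  { read } for  pid=2611 comm="openvpn" name="CERT" dev=dm-1 ino=131 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1326595911.102:202): avc:  denied  { search } for  pid=2611 comm="openvpn" name=".openVPN" dev=dm-1 ino=130 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1326595912.500:203): avc:  denied  { read } for  pid=2611 comm="openvpn" name="CERT" dev=dm-1 ino=131 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Stand-alone run: summarize the constructed sample. On a real system use
# e.g.  capture_hidden_avcs systemctl restart NetworkManager | summarize_avcs
printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs
```

The summary shows which domain is denied and which type the files carry (here the constructed `user_home_t`), which is exactly the information question 2's labelling change needs.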