sudo ausearch -c 'openvpn'

time->Tue Dec 21 14:10:56 2021
type=AVC msg=audit(1640113856.260:3683): avc:  denied  { open } for
pid=120287 comm="openvpn" path="/etc/openvpn/client/nbecker8.conf"
dev="nvme0n1p3" ino=167775 scontext=system_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0

So this tells me the problem was indeed a denial to open that file.
Although I've administered unix/linux systems since the 1980s, selinux is
a subject I've not had to learn about until now.

On Tue, Dec 21, 2021 at 5:16 PM Jonathan Billings <billi...@negate.org> wrote:
>
> On Dec 21, 2021, at 14:03, Kevin Becker <ke...@kevinbecker.org> wrote:
> >
> > Probably selinux.  I have these notes for configuring a commercial VPN 
> > provider to work.
> >
> >       sudo ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
> >       sudo semodule -X 300 -i my-openvpn.pp
>
> Ack!  That’s not good advice. That’s basically saying: “whatever broken 
> settings you have currently, let it be allowed” blindly. Is it set so openvpn 
> can read all files on your file system now?  Who knows!  Maybe now it’s 
> allowed to sniff your network traffic?  You can’t tell!  It is the selinux 
> equivalent of just “chmod 777” you see people suggest for file permission 
> problems.
>
> The appropriate first step is to use “restorecon” to relabel the files in 
> /etc. Most likely that would have fixed it.
>
> The “audit2why” command might have mentioned a selinux Boolean or missing 
> setting.
>
> --
> Jonathan Billings
> _______________________________________________
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure



-- 
Those who don't understand recursion are doomed to repeat it
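
As an added example (not part of either message above and not a Fedora tool), this script reads the AVC record quoted at the top of the thread and prints the type-enforcement rule it corresponds to, so the scope of a generated module can be read before it is installed. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise an AVC denial as the allow rule it corresponds to.

# Record from the message above, rejoined onto one line (the mail wrapped it).
SAMPLE_AVC='type=AVC msg=audit(1640113856.260:3683): avc:  denied  { open } for pid=120287 comm="openvpn" path="/etc/openvpn/client/nbecker8.conf" dev="nvme0n1p3" ino=167775 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> value of KEY=value, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type CONTEXT -> the type (third field of user:role:type:level)
avc_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_rule RECORD -> the type-enforcement rule that would silence this denial
avc_rule() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied  *{ \(.*\) }.*/\1/p')
    [ -n "$perms" ] || return 1        # not an AVC denial
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_review RECORD -> the denied path next to the rule, for comparison
avc_review() {
    rule=$(avc_rule "$1") || { echo "no AVC denial found"; return 1; }
    printf 'denied path : %s\n' "$(avc_field "$1" path)"
    printf 'target type : %s\n' "$(avc_type "$(avc_field "$1" tcontext)")"
    printf 'rule scope  : %s\n' "$rule"
}

avc_review "$SAMPLE_AVC"
```

The rule is keyed on types, not paths, so it would apply to every file labelled fusefs_t, not only nbecker8.conf.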