Making SELinux play nice with OpenVPN (in NetworkManager)
Solution 1
To restore the OpenVPN policy module, just run the following command on a terminal as root:
semodule -i /usr/share/selinux/targeted/openvpn.pp.bz2
If for some reason that file is missing (unlikely, but I'm not sure what system-config-selinux does exactly), reinstall the SELinux policy package and try again:
yum reinstall selinux-policy-targeted
Finally, to permit OpenVPN to read files from your home directory, run this command:
setsebool -P openvpn_enable_homedirs 1
You should also be able to set openvpn_enable_homedirs in the list of SELinux booleans in the graphical administration tool.
Solution 2
I just met a similar problem in Fedora 18.
Look here: https://bugzilla.redhat.com/show_bug.cgi?id=555785
Place the certificates in the right place (from Fedora's point of view), ~/.pki, and run
restorecon -R -v ~/.pki
to be sure.
OpenVPN now works.
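Before choosing between the two fixes above, it helps to read the denial itself. The script below is an added example, not code from either answer: it summarises AVC denials for openvpn and maps the target label to the remedies the answers give. The function names, the sample log lines and the assumption that home-directory files carry user_home_t or user_home_dir_t are mine.

```shell
#!/bin/sh
# Added example (not from the original answers): summarise SELinux AVC
# denials logged for the openvpn process and suggest a remedy.

# Constructed sample lines in audit AVC format; pids, inodes and timestamps are made up.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1350000000.101:412): avc:  denied  { read } for  pid=2101 comm="openvpn" name="user.crt" dev="dm-2" ino=393301 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1350000000.102:413): avc:  denied  { open } for  pid=2101 comm="openvpn" name="user.key" dev="dm-2" ino=393302 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1350000000.200:414): avc:  denied  { read } for  pid=3000 comm="httpd" name="index.html" dev="dm-2" ino=400000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Print "<permissions>|<file name>|<target type>" for each openvpn denial on stdin.
openvpn_denials() {
    grep 'avc:  *denied' | grep 'comm="openvpn"' |
    sed -n 's/.*denied  *{ \([^}]*\) }.* name="\([^"]*\)".* tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1|\2|\3/p'
}

# Map a target type to the remedy the answers describe.
# Assumption: home-directory content carries user_home_t / user_home_dir_t.
suggest_fix() {
    case "$1" in
        user_home_t|user_home_dir_t)
            echo "setsebool -P openvpn_enable_homedirs 1, or move the files to ~/.pki and run restorecon -R -v ~/.pki" ;;
        *)
            echo "not a home-directory label; check the file with ls -Z" ;;
    esac
}

# Report each denial on stdin together with the suggested remedy.
report() {
    openvpn_denials | while IFS='|' read -r perms name ttype; do
        echo "$name ($perms on $ttype): $(suggest_fix "$ttype")"
    done
}

# On a real system (as root): ausearch -m avc -c openvpn | report
sample_log | report
```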
marsad
Updated on September 18, 2022
Comments
-
marsad almost 2 years
I have been trying to use OpenVPN to connect to my work network. Using it via the command line works fine:
openvpn user.conf
I haven't bothered to set it up with DNS properly though, and it looks to be a bit of a pain. I'd much rather use it through the network manager like my other VPNs. The problem is this: I store my user.crt, along with ca.crt and user.key, in ~/.openvpn/ (which seems like a reasonable place to keep such things). When I try to connect via NetworkManager, it just tells me that the connection has failed. Inspection of /var/logs/messages reveals the reason: SELinux is enforcing some policy somewhere that stops openvpn from reading my certificates. I tried following all the instructions given by the SELinux troubleshooter, but to no avail. I then, foolishly indeed, deleted the openvpn policy from my SELinux config (using the SELinux Management GUI, available from the Fedora repos). All sorts of hell broke loose (it wouldn't even let it bind a named port anymore).
The problem was pretty urgent, so I've ended up just disabling SELinux for the session (everything works fine with that out of the way). But I'll have to turn it back on again at some point, so my question is this:
How can I first restore my original policy file for openvpn in SELinux, and then second grant openvpn access to certificates in my home directory?
I have also tried the SE Policy Generator tool, but to no apparent avail (it gets stuck on the dialogue where I give the policy a name).
-
marsad over 12 years
Restoring previous policies works perfectly... setsebool ..., however, I tried already. Will post updates tomorrow.
-
Patches over 12 years
@jelford: If the boolean isn't working then there is a problem with Fedora's SELinux policy. I suggest that you file a bug against selinux-policy-targeted.