|
|
| [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] |
Hi there,I wanted to ask what the proper location is to store client OpenVPN certificates, if any exists.
With SELinux enforcing the targeted policy, the following occurs on attempting to connect to a VPN:
type=AVC msg=audit(1324632910.570:383): avc: denied { read } for pid=4098 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file type=SYSCALL msg=audit(1324632910.570:383): arch=c000003e syscall=2 success=no exit=-13 a0=7fff58e16ec9 a1=0 a2=1b6 a3=238 items=0 ppid=4095 pid=4098 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
When I setenforce 0, the following happens:type=MAC_STATUS msg=audit(1324633028.994:384): enforcing=0 old_enforcing=1 auid=1000 ses=2 type=SYSCALL msg=audit(1324633028.994:384): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffda4ea5f0 a2=1 a3=0 items=0 ppid=4032 pid=4145 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1324633034.039:385): avc: denied { read } for pid=4149 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file type=AVC msg=audit(1324633034.039:385): avc: denied { open } for pid=4149 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file type=SYSCALL msg=audit(1324633034.039:385): arch=c000003e syscall=2 success=yes exit=5 a0=7fff96303ec9 a1=0 a2=1b6 a3=238 items=0 ppid=4146 pid=4149 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
For the vanmeeuwen.crt client certificate, there's also a vanmeeuwen.key and a ca.crt, BTW, but the latter two never trigger an audit trail (though have the same selinux context).
I have stored the certificates in a directory tree in ~/.openvpn, with one directory per VPN connection, BTW, for which I recognize there is no separate custom context definition in /etc/selinux/targeted/contexts/files/.
Kind regards, Jeroen van Meeuwen -- Senior Engineer, Kolab Systems AG e: vanmeeuwen at kolabsys.com t: +44 144 340 9500 m: +44 74 2516 3817 w: http://www.kolabsys.com pgp: 9342 BF08 -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
[Fedora Users] [Fedora Legacy] [Fedora Desktop] [Big List of Linux Books] [Yosemite Photos] [Yosemite News] [Yosemite Campsites] [KDE Users] [Gnome Users]
