So what exactly would be the restorecon command to use here?
On Wed, Dec 22, 2021 at 7:27 AM Neal Becker <ndbecker2(a)gmail.com> wrote:
sudo ausearch -c 'openvpn'
time->Tue Dec 21 14:10:56 2021
type=AVC msg=audit(1640113856.260:3683): avc: denied { open } for
pid=120287 comm="openvpn" path="/etc/openvpn/client/nbecker8.conf"
dev="nvme0n1p3" ino=167775 scontext=system_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
So this tells me the problem was indeed a denial to open that file.
Although I've administered unix/linux systems since the 1980s, selinux is
a subject I've not had to learn about until now.
On Tue, Dec 21, 2021 at 5:16 PM Jonathan Billings <billings(a)negate.org> wrote:
>
> On Dec 21, 2021, at 14:03, Kevin Becker <kevin(a)kevinbecker.org> wrote:
> >
> > Probably selinux. I have these notes for configuring a commercial VPN provider to work.
> >
> > sudo ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
> > sudo semodule -X 300 -i my-openvpn.pp
>
> Ack! That’s not good advice. That’s basically saying: “whatever broken settings you have currently, let it be allowed” blindly. Is it set so openvpn can read all files on your file system now? Who knows! Maybe now it’s allowed to sniff your network traffic? You can’t tell! It is the selinux equivalent of just “chmod 777” you see people suggest for file permission problems.
>
> The appropriate first step is to use “restorecon” to relabel the files in /etc. Most likely that would have fixed it.
>
> The “audit2why” command might have mentioned a selinux Boolean or missing setting.
>
> --
> Jonathan Billings
> _______________________________________________
> users mailing list -- users(a)lists.fedoraproject.org
> To unsubscribe send an email to users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Those who don't understand recursion are doomed to repeat it
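An added example (not from anyone in the thread) that turns the quoted AVC record into the narrow fix Jonathan describes: pull the denied path and its current label out of the record and print the restorecon command for that one path, instead of feeding the denial to audit2allow. The sed-based field parser and function names are my own; matchpathcon is only consulted when it is installed.

```shell
#!/bin/sh
# Constructed sample: the AVC record quoted in the thread, joined onto one line.
AVC_SAMPLE='type=AVC msg=audit(1640113856.260:3683): avc: denied { open } for pid=120287 comm="openvpn" path="/etc/openvpn/client/nbecker8.conf" dev="nvme0n1p3" ino=167775 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY: print the value of KEY=... (quoted or bare) from an AVC record.
# The leading whitespace anchor keeps "tcontext" from matching when "scontext" is asked for.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# restorecon_cmd_for RECORD: for a denial on a file, print the relabel command
# for exactly that path. scontext is the confined process (openvpn_t); tcontext
# is the label the file carries now. A label that does not belong under /etc
# is fixed by relabelling, not by writing an allow rule for it.
restorecon_cmd_for() {
  path=$(avc_field "$1" path)
  tclass=$(avc_field "$1" tclass)
  [ "$tclass" = file ] && [ -n "$path" ] || return 1
  printf 'restorecon -v %s\n' "$path"
}

# check_label RECORD: 0 if the file's current label already matches the policy
# default for its path (then relabelling will not help and a boolean or missing
# rule is the real issue), 1 if it differs, 2 if matchpathcon is not available.
check_label() {
  path=$(avc_field "$1" path)
  tctx=$(avc_field "$1" tcontext)
  command -v matchpathcon >/dev/null 2>&1 || return 2
  expected=$(matchpathcon -n "$path")
  [ "$expected" = "$tctx" ]
}

# relabel_plan: read raw AVC records (e.g. from `ausearch -c openvpn --raw`) on
# stdin and print one restorecon command per file denial.
relabel_plan() {
  while IFS= read -r rec; do
    restorecon_cmd_for "$rec" || true
  done
}

printf '%s\n' "$AVC_SAMPLE" | relabel_plan
```

Run the printed command with sudo; `restorecon -Rv /etc/openvpn` relabels the whole directory if more than one file was copied in with a foreign label.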