Well, as to how the file had the wrong context: after re-installing F35
on the new SSD, I copied the /etc/openvpn directory from my borg
backup of the old one. On the old machine I was running with selinux
disabled, so maybe it was wrong there also.
/etc/openvpn/client/nbecker8.conf is a hand-edited file. When it is first
created with, e.g., emacs, is there a mechanism to ensure it gets the
correct context?
On Thu, Dec 23, 2021 at 2:11 AM Ed Greshko <ed.greshko(a)greshko.com> wrote:
On 23/12/2021 13:08, Todd Zullinger wrote:
> Ed Greshko wrote:
>> On 22/12/2021 21:26, Neal Becker wrote:
>>> sudo ls -lZ /etc/openvpn/client
>>> total 4
>>> -rw-r--r--. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 3533 Jan
>>> 27 2021 nbecker8.conf
>>>
>>> This looks the same as other objects in /etc/openvpn/, so I'm guessing
>>> it's correctly labeled?
>>> sudo ls -lZ /etc/openvpn/
>>> total 16
>>> drwxr-x---. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 26
>>> Dec 15 14:14 client
>>> drwxr-x---. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 0
>>> Dec 15 14:14 server
>> Yes, this actually looks OK.
>>
>> You can run
>>
>> restorecon -n -v /etc/openvpn/client/nbecker8.conf
>>
>> -n don't change any file labels (passive check). To dis‐
>> play the files whose labels would be changed, add -v.
>>
>> It will probably tell you that the selinux context won't be changed.
>>
>> So, the question then becomes why the special module is needed.
> It seems that the selinux context is correct now, but the
> AVC from Neal's earlier message showed the target file
> context was fusefs_t (lightly re-formatted for clarity):
>
>> time->Tue Dec 21 14:10:56 2021 type=AVC ...
>> avc: denied { open } for pid=120287 comm="openvpn"
>> path="/etc/openvpn/client/nbecker8.conf" dev="nvme0n1p3" ino=167775
>> scontext=system_u:system_r:openvpn_t:s0
>> tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
> At that time, /etc/openvpn/client/nbecker8.conf had the
> wrong selinux context (tcontext) which would explain why the
> openvpn process (scontext) was not allowed to access it.
>
>> That would require a bit more troubleshooting. But, it is
>> too late in my day to advise what that would entail. :-(
> With luck, that information is accurate and useful in:
> satiating your boundless curiosity, Ed (letting you get on
> with your day/night); and making selinux ever-so-slightly
> less random-feeling and vexing for you, Neal. Slightly is
> all I can manage, as I would never call myself an expert at
> it. :)
LOL...
I believe you are quite correct when you note the content of the AVC has the
selinux context for the target to be
tcontext=system_u:object_r:fusefs_t:s0
which would be problematic. And, I admit that I really didn't look at the
AVC.
But, now I'm even more confused by this thread.
I raised the question about the output of "ls -Z" on the target file in
response to the question "would be the restorecon command to use". So,
unless someone responded off-list and Neal ran restorecon against the
file, how did the context change?
--
Did 황준호 die?;
_______________________________________________
users mailing list -- users(a)lists.fedoraproject.org
To unsubscribe send an email to users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
Those who don't understand recursion are doomed to repeat it