Re: openvpn-client@nbecker8 won't start

On 23/12/2021 13:08, Todd Zullinger wrote: > Ed Greshko wrote: >> On 22/12/2021 21:26, Neal Becker wrote: >>> sudo ls -lZ /etc/openvpn/client >>> total 4 >>> -rw-r--r--. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 3533 Jan >>> 27 2021 nbecker8.conf >>> >>> This looks the same as other objects in /etc/openvpn/, so I'm guessing >>> it's correctly labeled? >>> sudo ls -lZ /etc/openvpn/ >>> total 16 >>> drwxr-x---. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 26 >>> Dec 15 14:14 client >>> drwxr-x---. 1 root openvpn system_u:object_r:openvpn_etc_t:s0 0 >>> Dec 15 14:14 server >> Yes, this actually looks OK. >> >> You can run >> >> restorecon -n -v /etc/openvpn/client/nbecker8.conf >> >> -n don't change any file labels (passive check). To dis‐ >> play the files whose labels would be changed, add -v. >> >> It will probably tell you that the selinux context won't be changed. >> >> So, the question then becomes why the special module is needed. > It seems that the selinux context is correct now, but the > AVC from Neal's earlier message showed the target file > context was fu./sefs_t (lightly re-formatted for clarity): > >> time->Tue Dec 21 14:10:56 2021 type=AVC ... >> avc: denied { open } for pid=120287 comm="openvpn" >> path="/etc/openvpn/client/nbecker8.conf" dev="nvme0n1p3" ino=167775 >> scontext=system_u:system_r:openvpn_t:s0 >> tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0 > At that time, /etc/openvpn/client/nbecker8.conf had the > wrong selinux context (tcontext) which would explain why the > openvpn process (scontext) was not allowed to access it. > >> That would require a bit more troubleshooting. But, it is >> too late in my day to advise what that would entail. :-( > With luck, that infomation is accurate and useful in: > satiating your boundless curiosity, Ed (letting you get on > with your day/night); and making selinux ever-so-slightly > less random-feeling and vexing for you, Neal. Slightly is > all I can manage, as I would never call myself an expert at > it. :) LOL... I believe you are quite correct when you note the content of the AVC has the selinux context for the target to be tcontext=system_u:object_r:fusefs_t:s0 which would be problematic. And, I admit that I really didn't look at the AVC. But, now I'm even more confused by this thread. I raised the question about the output of "ls -Z" on the target file in response to the question "would be the restorecon command to use". So, unless someone responded off-list and Neal ran restorecon against the file how did the context change? -- Did 황준호 die?; _______________________________________________ users mailing list -- users(a)lists.fedoraproject.org To unsubscribe send an email to users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure