On Dec 21, 2021, at 5:13 PM, Jonathan Billings
<billings(a)negate.org> wrote:
On Dec 21, 2021, at 14:03, Kevin Becker <kevin(a)kevinbecker.org> wrote:
>
> Probably selinux. I have these notes for configuring a commercial VPN provider to
work.
>
> sudo ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
> sudo semodule -X 300 -i my-openvpn.pp
Ack! That’s not good advice. That’s basically saying: “whatever broken settings you have
currently, let it be allowed” blindly. Is it set so open on can read all files on your
file system now? Who knows! Maybe now it’s allowed to sniff your network traffic? You
can’t tell! It is the selinux equivalent of just “chmod 777” you see people suggest for
file permission problems.
The appropriate first step is to use “restorecon” to relabel the files in /etc. Most
likely that would have fixed it.
The “audit2why” command might have mentioned a selinux Boolean or missing setting.
I’m no selinux expert, as I mentioned the instructions came from a commercial VPN vendor
for installing their configuration files. From my limited understanding though, it seems
that it is just allowing the actions that openvpn specifically tried to perform and
failed. Is the risk there that openvpn may be compromised? For the most part, I guess I’m
trusting that if openvpn tried to access something, it likely needed to access it?