Hi there,
I wanted to ask what the proper location is to store client OpenVPN certificates, if any exists.
With SELinux enforcing the targeted policy, the following occurs on attempting to connect to a VPN:
type=AVC msg=audit(1324632910.570:383): avc: denied { read } for pid=4098 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1324632910.570:383): arch=c000003e syscall=2 success=no exit=-13 a0=7fff58e16ec9 a1=0 a2=1b6 a3=238 items=0 ppid=4095 pid=4098 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
When I setenforce 0, the following happens:
type=MAC_STATUS msg=audit(1324633028.994:384): enforcing=0 old_enforcing=1 auid=1000 ses=2
type=SYSCALL msg=audit(1324633028.994:384): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffda4ea5f0 a2=1 a3=0 items=0 ppid=4032 pid=4145 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1324633034.039:385): avc: denied { read } for pid=4149 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1324633034.039:385): avc: denied { open } for pid=4149 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1324633034.039:385): arch=c000003e syscall=2 success=yes exit=5 a0=7fff96303ec9 a1=0 a2=1b6 a3=238 items=0 ppid=4146 pid=4149 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
For the vanmeeuwen.crt client certificate, there are also a vanmeeuwen.key and a ca.crt, BTW, but the latter two never trigger an audit trail (though they have the same SELinux context).
I have stored the certificates in a directory tree in ~/.openvpn, with one directory per VPN connection, BTW, for which I recognize there is no separate custom context definition in /etc/selinux/targeted/contexts/files/.
Kind regards,
Jeroen van Meeuwen
Hi Jeroen,
I'm not quite sure if I'm doing it right, but I have stored my OpenVPN client certificate in ~/.pki; it seems that is the only place besides /etc/pki/ where it can have the proper SELinux context (home_cert_t in this case), and it looks like a sane location to store a certificate as well. :)
Merry Christmas, Dominic
On 2011-12-25 13:51, Dominic Hopf wrote:
> Hi Jeroen,
> I'm not quite sure if I'm doing it right, but I have stored my OpenVPN client certificate in ~/.pki; it seems that is the only place besides /etc/pki/ where it can have the proper SELinux context (home_cert_t in this case), and it looks like a sane location to store a certificate as well. :)
That could do the trick, and is not insensible indeed! Thanks for the pointer.
Merry Christmas,
Kind regards,
Jeroen van Meeuwen
On 12/25/2011 09:06 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
> On 2011-12-25 13:51, Dominic Hopf wrote:
> > Hi Jeroen,
> > I'm not quite sure if I'm doing it right, but I have stored my OpenVPN client certificate in ~/.pki; it seems that is the only place besides /etc/pki/ where it can have the proper SELinux context (home_cert_t in this case), and it looks like a sane location to store a certificate as well. :)
> That could do the trick, and is not insensible indeed! Thanks for the pointer.
> Merry Christmas,
> Kind regards,
> Jeroen van Meeuwen
Proper labeling for certs in the homedir is set up for ~/.pki or ~/.cert:
grep home_cert_t /etc/selinux/targeted/modules/active/homedir_template
HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)? system_u:object_r:home_cert_t:s0
HOME_DIR/.pki(/.*)? system_u:object_r:home_cert_t:s0
HOME_DIR/.cert(/.*)? system_u:object_r:home_cert_t:s0
You might need to run restorecon on the directories after you create them.
selinux@lists.fedoraproject.org
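As an added example (not code from the thread or from the Fedora SELinux policy), the script below does offline what the thread does by hand: it pulls the source type, target type and file name out of an AVC record like the one Jeroen posted, and checks whether a candidate path falls under one of the three homedir_template patterns Dan quoted, so you can see before moving anything whether a location will get home_cert_t or stay user_home_t. The sample record and the paths are constructed from the messages above; the pattern list in home_cert_label is a hand-copied approximation of the homedir_template output and is not read from the live policy, and the tools it prefers when present (matchpathcon, restorecon) are only probed with command -v so the script also runs on a host without SELinux.

```shell
#!/bin/sh
# Added example, not part of the thread: diagnose an OpenVPN client-cert AVC
# denial and predict the home-directory label a path would receive.

# Constructed sample: the first AVC record from the thread, condensed to one line.
SAMPLE_AVC='type=AVC msg=audit(1324632910.570:383): avc: denied { read } for pid=4098 comm="openvpn" name="vanmeeuwen.crt" dev=dm-3 ino=3933169 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field RECORD KEY -> value of KEY in an audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type_of CONTEXT -> the type component (user:role:TYPE:level).
avc_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# home_cert_label PATH -> "home_cert_t" if PATH matches one of the homedir_template
# patterns quoted in the thread (with HOME_DIR expanded to $HOME), else "user_home_t".
# This is a hand-copied approximation of the policy, not a query of it.
home_cert_label() {
    case "$1" in
        "$HOME"/.pki|"$HOME"/.pki/*) echo home_cert_t ;;
        "$HOME"/.cert|"$HOME"/.cert/*) echo home_cert_t ;;
        "$HOME"/.kde/share/apps/networkmanagement/certificates|"$HOME"/.kde/share/apps/networkmanagement/certificates/*) echo home_cert_t ;;
        *) echo user_home_t ;;
    esac
}

# diagnose RECORD -> one line naming the confined process, the type it runs as,
# the file it was denied, and the label that file carried.
diagnose() {
    src=$(avc_type_of "$(avc_field "$1" scontext)")
    tgt=$(avc_type_of "$(avc_field "$1" tcontext)")
    printf '%s (%s) denied access to %s labelled %s\n' \
        "$(avc_field "$1" comm)" "$src" "$(avc_field "$1" name)" "$tgt"
}

# expected_label PATH -> the policy's answer when matchpathcon is installed,
# otherwise the offline approximation above.
expected_label() {
    if command -v matchpathcon >/dev/null 2>&1; then
        avc_type_of "$(matchpathcon -n "$1")"
    else
        home_cert_label "$1"
    fi
}

# Stand-alone run: explain the sample denial and compare the two candidate
# locations from the thread (~/.openvpn per-connection tree vs. ~/.pki).
diagnose "$SAMPLE_AVC"
for candidate in "$HOME/.openvpn/work/vanmeeuwen.crt" "$HOME/.pki/openvpn/vanmeeuwen.crt"; do
    printf '%-45s -> %s\n' "$candidate" "$(expected_label "$candidate")"
done
if command -v restorecon >/dev/null 2>&1; then
    echo 'After moving the files, relabel with: restorecon -Rv ~/.pki'
fi
```

Run it as `sh check_cert_label.sh`; on a Fedora host the second column comes from matchpathcon, so a mismatch between it and the `ls -Z` output for an existing file is exactly the case Dan's restorecon advice covers.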