So what exactly would be the restorecon command to use here?

On Wed, Dec 22, 2021 at 7:27 AM Neal Becker <ndbeck...@gmail.com> wrote:
>
> sudo ausearch -c 'openvpn'
>
> time->Tue Dec 21 14:10:56 2021
> type=AVC msg=audit(1640113856.260:3683): avc: denied { open } for
> pid=120287 comm="openvpn" path="/etc/openvpn/client/nbecker8.conf"
> dev="nvme0n1p3" ino=167775 scontext=system_u:system_r:openvpn_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
>
> So this tells me the problem was indeed a denial to open that file.
> Although I've administered unix/linux systems since 1980's, selinux is
> a subject I've not had to learn about until now.
>
> On Tue, Dec 21, 2021 at 5:16 PM Jonathan Billings <billi...@negate.org> wrote:
> >
> > On Dec 21, 2021, at 14:03, Kevin Becker <ke...@kevinbecker.org> wrote:
> > >
> > > Probably selinux. I have these notes for configuring a commercial VPN
> > > provider to work.
> > >
> > > sudo ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
> > > sudo semodule -X 300 -i my-openvpn.pp
> >
> > Ack! That’s not good advice. That’s basically saying: “whatever broken
> > settings you have currently, let it be allowed” blindly. Is it set so
> > openvpn can read all files on your file system now? Who knows! Maybe now it’s
> > allowed to sniff your network traffic? You can’t tell! It is the selinux
> > equivalent of just “chmod 777” you see people suggest for file permission
> > problems.
> >
> > The appropriate first step is to use “restorecon” to relabel the files in
> > /etc. Most likely that would have fixed it.
> >
> > The “audit2why” command might have mentioned a selinux Boolean or missing
> > setting.
> >
> > --
> > Jonathan Billings
> > _______________________________________________
> > users mailing list -- users@lists.fedoraproject.org
> > To unsubscribe send an email to users-le...@lists.fedoraproject.org
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> > Do not reply to spam on the list, report it:
> > https://pagure.io/fedora-infrastructure
>
> --
> Those who don't understand recursion are doomed to repeat it

--
Those who don't understand recursion are doomed to repeat it
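
As an added example (not part of any message in this thread), the script below parses the AVC record quoted above and prints a relabel plan: inspect the current label, dry-run restorecon, then relabel. The function names, and scoping the relabel to the denied file's directory rather than all of /etc, are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: triage an SELinux AVC denial before choosing a fix.
# SAMPLE_AVC is the record quoted in the thread, joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1640113856.260:3683): avc: denied { open } for pid=120287 comm="openvpn" path="/etc/openvpn/client/nbecker8.conf" dev="nvme0n1p3" ino=167775 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0'

# avc_field KEY RECORD -> value of KEY=, quotes stripped. Splitting on spaces
# is safe because audit hex-encodes values that contain spaces.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1 | tr -d '"'
}

# avc_perms RECORD -> the permission list inside "{ ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# selinux_type CONTEXT -> type field of user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD -> one line: who was denied what, on which object.
avc_summary() {
    printf '%s denied { %s } on %s %s (labelled %s)\n' \
        "$(selinux_type "$(avc_field scontext "$1")")" "$(avc_perms "$1")" \
        "$(avc_field tclass "$1")" "$(avc_field path "$1")" \
        "$(selinux_type "$(avc_field tcontext "$1")")"
}

# relabel_plan RECORD -> commands to review and run by hand, least invasive
# first. Hex-encoded or unusual paths are refused rather than pasted into
# a command line.
relabel_plan() {
    local path dir
    path=$(avc_field path "$1")
    case "$path" in
        /*) ;;
        *) echo "no plain absolute path= in record" >&2; return 1 ;;
    esac
    case "$path" in
        *[!A-Za-z0-9_./-]*) echo "unexpected characters in path" >&2; return 1 ;;
    esac
    dir=$(dirname "$path")
    printf '%s\n' "ls -Z $path" \
        "sudo restorecon -n -R -v $dir" \
        "sudo restorecon -R -v $dir"
}

avc_summary "$SAMPLE_AVC"
relabel_plan "$SAMPLE_AVC"
```

The `-n` pass only reports what restorecon would change; if it reports nothing, the label already matches policy and `audit2why`, mentioned in the thread, is the next thing to look at.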