> On Dec 21, 2021, at 5:13 PM, Jonathan Billings <billi...@negate.org> wrote: > > On Dec 21, 2021, at 14:03, Kevin Becker <ke...@kevinbecker.org> wrote: >> >> Probably selinux. I have these notes for configuring a commercial VPN >> provider to work. >> >> sudo ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn >> sudo semodule -X 300 -i my-openvpn.pp > > Ack! That’s not good advice. That’s basically saying: “whatever broken > settings you have currently, let it be allowed” blindly. Is it set so open on > can read all files on your file system now? Who knows! Maybe now it’s > allowed to sniff your network traffic? You can’t tell! It is the selinux > equivalent of just “chmod 777” you see people suggest for file permission > problems. > > The appropriate first step is to use “restorecon” to relabel the files in > /etc. Most likely that would have fixed it. > > The “audit2why” command might have mentioned a selinux Boolean or missing > setting.
I’m no selinux expert, as I mentioned the instructions came from a commercial VPN vendor for installing their configuration files. From my limited understanding though, it seems that it is just allowing the actions that openvpn specifically tried to perform and failed. Is the risk there that openvpn may be compromised? For the most part, I guess I’m trusting that if openvpn tried to access something, it likely needed to access it? _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
