SELinux not allowing read files on ~/.cert












4















I'm new to Fedora 23 and SELinux. I use an OpenVPN client through NetworkManager. I stored all the files I needed OpenVPN to access (certificate, CA and private key) inside ~/.cert and ran updatecon -R -v ~/.cert. However, I'm still getting AVC errors from SELinux, who won't let OpenVPN access such files. This the relevant portion of the output of grep AVC /var/log/audit/audit.log | less:



type=AVC msg=audit(1457179403.296:364): avc:  denied  { open } for  pid=2608 comm="nm-openvpn-serv" path="/home/ggoncalves/.cert/ggoncalves.key" dev="dm-2" ino=2888752 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.296:365): avc:  denied  { open } for  pid=2608 comm="nm-openvpn-serv" path="/home/ggoncalves/.cert/ggoncalves.key" dev="dm-2" ino=2888752 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.330:366): avc:  denied  { read } for  pid=2611 comm="openvpn" name="lastline-ca.crt" dev="dm-2" ino=2888749 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.332:367): avc:  denied  { read } for  pid=2611 comm="openvpn" name="ggoncalves.crt" dev="dm-2" ino=2888751 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.332:368): avc:  denied  { read } for  pid=2611 comm="openvpn" name="ggoncalves.key" dev="dm-2" ino=2888752 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0


Since I've only been using SELinux for a few days, I have no clue where to start looking for this. Any hints?



Edit: It seems to me that the problem is in the svirt_sandbox_file_t label. I believe those files should be labelled home_cert_t.



Edit 2: In fact, my whole home directory has been labeled svirt_sandbox_file_t for some reason. Is this a feature or a bug of Docker policies?



Update



Alright, this took a while. Let me further describe the issue, in case someone ends up going through the same. Turns out the svirt_sandbox_file_t had been attributed by Docker when I mounted my home directory as a volume with the :Z flag (as described here). Docker then recursively applied that label to my entire home dir, and somehow neither reconfiguring the FS labels nor applying restorecon worked.



To restore my home to the original permissions, I rsync'd it to a temporary folder, deleted everything in it and rsync'd back. Not the brightest idea, but it worked. Hope this helps.






fedora openvpn selinux







share|improve this question

























  • Don't mount your home directory as a Docker volume, only chosen subdirectories of the home directory.

    – Michael Hampton
    Feb 18 at 15:37


















4















I'm new to Fedora 23 and SELinux. I use an OpenVPN client through NetworkManager. I stored all the files I needed OpenVPN to access (certificate, CA and private key) inside ~/.cert and ran updatecon -R -v ~/.cert. However, I'm still getting AVC errors from SELinux, who won't let OpenVPN access such files. This the relevant portion of the output of grep AVC /var/log/audit/audit.log | less:



type=AVC msg=audit(1457179403.296:364): avc:  denied  { open } for  pid=2608 comm="nm-openvpn-serv" path="/home/ggoncalves/.cert/ggoncalves.key" dev="dm-2" ino=2888752 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.296:365): avc:  denied  { open } for  pid=2608 comm="nm-openvpn-serv" path="/home/ggoncalves/.cert/ggoncalves.key" dev="dm-2" ino=2888752 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.330:366): avc:  denied  { read } for  pid=2611 comm="openvpn" name="lastline-ca.crt" dev="dm-2" ino=2888749 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.332:367): avc:  denied  { read } for  pid=2611 comm="openvpn" name="ggoncalves.crt" dev="dm-2" ino=2888751 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.332:368): avc:  denied  { read } for  pid=2611 comm="openvpn" name="ggoncalves.key" dev="dm-2" ino=2888752 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0


Since I've only been using SELinux for a few days, I have no clue where to start looking for this. Any hints?



Edit: It seems to me that the problem is in the svirt_sandbox_file_t label. I believe those files should be labelled home_cert_t.



Edit 2: In fact, my whole home directory has been labeled svirt_sandbox_file_t for some reason. Is this a feature or a bug of Docker policies?



Update



Alright, this took a while. Let me further describe the issue, in case someone ends up going through the same. Turns out the svirt_sandbox_file_t had been attributed by Docker when I mounted my home directory as a volume with the :Z flag (as described here). Docker then recursively applied that label to my entire home dir, and somehow neither reconfiguring the FS labels nor applying restorecon worked.



To restore my home to the original permissions, I rsync'd it to a temporary folder, deleted everything in it and rsync'd back. Not the brightest idea, but it worked. Hope this helps.






fedora openvpn selinux







share|improve this question

























  • Don't mount your home directory as a Docker volume, only chosen subdirectories of the home directory.

    – Michael Hampton
    Feb 18 at 15:37
















4












4








4








I'm new to Fedora 23 and SELinux. I use an OpenVPN client through NetworkManager. I stored all the files I needed OpenVPN to access (certificate, CA and private key) inside ~/.cert and ran updatecon -R -v ~/.cert. However, I'm still getting AVC errors from SELinux, who won't let OpenVPN access such files. This the relevant portion of the output of grep AVC /var/log/audit/audit.log | less:



type=AVC msg=audit(1457179403.296:364): avc:  denied  { open } for  pid=2608 comm="nm-openvpn-serv" path="/home/ggoncalves/.cert/ggoncalves.key" dev="dm-2" ino=2888752 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.296:365): avc:  denied  { open } for  pid=2608 comm="nm-openvpn-serv" path="/home/ggoncalves/.cert/ggoncalves.key" dev="dm-2" ino=2888752 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.330:366): avc:  denied  { read } for  pid=2611 comm="openvpn" name="lastline-ca.crt" dev="dm-2" ino=2888749 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.332:367): avc:  denied  { read } for  pid=2611 comm="openvpn" name="ggoncalves.crt" dev="dm-2" ino=2888751 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.332:368): avc:  denied  { read } for  pid=2611 comm="openvpn" name="ggoncalves.key" dev="dm-2" ino=2888752 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0


Since I've only been using SELinux for a few days, I have no clue where to start looking for this. Any hints?



Edit: It seems to me that the problem is in the svirt_sandbox_file_t label. I believe those files should be labelled home_cert_t.



Edit 2: In fact, my whole home directory has been labeled svirt_sandbox_file_t for some reason. Is this a feature or a bug of Docker policies?



Update



Alright, this took a while. Let me further describe the issue, in case someone ends up going through the same. Turns out the svirt_sandbox_file_t had been attributed by Docker when I mounted my home directory as a volume with the :Z flag (as described here). Docker then recursively applied that label to my entire home dir, and somehow neither reconfiguring the FS labels nor applying restorecon worked.



To restore my home to the original permissions, I rsync'd it to a temporary folder, deleted everything in it and rsync'd back. Not the brightest idea, but it worked. Hope this helps.






fedora openvpn selinux







share|improve this question
















I'm new to Fedora 23 and SELinux. I use an OpenVPN client through NetworkManager. I stored all the files I needed OpenVPN to access (certificate, CA and private key) inside ~/.cert and ran updatecon -R -v ~/.cert. However, I'm still getting AVC errors from SELinux, who won't let OpenVPN access such files. This the relevant portion of the output of grep AVC /var/log/audit/audit.log | less:



type=AVC msg=audit(1457179403.296:364): avc:  denied  { open } for  pid=2608 comm="nm-openvpn-serv" path="/home/ggoncalves/.cert/ggoncalves.key" dev="dm-2" ino=2888752 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.296:365): avc:  denied  { open } for  pid=2608 comm="nm-openvpn-serv" path="/home/ggoncalves/.cert/ggoncalves.key" dev="dm-2" ino=2888752 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.330:366): avc:  denied  { read } for  pid=2611 comm="openvpn" name="lastline-ca.crt" dev="dm-2" ino=2888749 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.332:367): avc:  denied  { read } for  pid=2611 comm="openvpn" name="ggoncalves.crt" dev="dm-2" ino=2888751 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0

type=AVC msg=audit(1457179403.332:368): avc:  denied  { read } for  pid=2611 comm="openvpn" name="ggoncalves.key" dev="dm-2" ino=2888752 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c50,c545 tclass=file permissive=0


Since I've only been using SELinux for a few days, I have no clue where to start looking for this. Any hints?



Edit: It seems to me that the problem is in the svirt_sandbox_file_t label. I believe those files should be labelled home_cert_t.



Edit 2: In fact, my whole home directory has been labeled svirt_sandbox_file_t for some reason. Is this a feature or a bug of Docker policies?



Update



Alright, this took a while. Let me further describe the issue, in case someone ends up going through the same. Turns out the svirt_sandbox_file_t had been attributed by Docker when I mounted my home directory as a volume with the :Z flag (as described here). Docker then recursively applied that label to my entire home dir, and somehow neither reconfiguring the FS labels nor applying restorecon worked.



To restore my home to the original permissions, I rsync'd it to a temporary folder, deleted everything in it and rsync'd back. Not the brightest idea, but it worked. Hope this helps.






fedora openvpn selinux




fedora openvpn selinux






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 6 '16 at 0:57







Guilherme

















asked Mar 5 '16 at 12:18









GuilhermeGuilherme

15517




15517













  • Don't mount your home directory as a Docker volume, only chosen subdirectories of the home directory.

    – Michael Hampton
    Feb 18 at 15:37





















  • Don't mount your home directory as a Docker volume, only chosen subdirectories of the home directory.

    – Michael Hampton
    Feb 18 at 15:37



















Don't mount your home directory as a Docker volume, only chosen subdirectories of the home directory.

– Michael Hampton
Feb 18 at 15:37







Don't mount your home directory as a Docker volume, only chosen subdirectories of the home directory.

– Michael Hampton
Feb 18 at 15:37












1 Answer
1






active

oldest

votes


















3














Target context type of the files is still wrong:



svirt_sandbox_file_t


The files in ~/.cert should be labeled as home_cert_t. Give it a try once more with



restorecon -Rf ~/.cert


or try to force the type:



chcon -t home_cert_t ~/.cert/*


It might be possible that there is some bug in selinux-policy or docker selinux policy that causes wrong default labeling.






share|improve this answer


























  • Nope, still restoring to svirt_sandbox_file_t. I believe this has happened when I installed Docker...

    – Guilherme
    Mar 5 '16 at 13:02











  • Give it a try with chcon. I am not unfortunately didn't find such a bug, but I would blame docker.

    – Jakuje
    Mar 5 '16 at 13:12











  • chcon does fix it. Will this persist across reboots and FS changes?

    – Guilherme
    Mar 5 '16 at 13:17











  • Yes. It should persist over reboot, if you will not trigger relabel (or if Docker does not enforce it somehow).

    – Jakuje
    Mar 5 '16 at 13:18






  • 2





    You can achieve complete relabel during reboot by touch /.autorelabel and then rebooting system.

    – Jakuje
    Mar 5 '16 at 13:33













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f267789%2fselinux-not-allowing-read-files-on-cert%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









3














Target context type of the files is still wrong:



svirt_sandbox_file_t


The files in ~/.cert should be labeled as home_cert_t. Give it a try once more with



restorecon -Rf ~/.cert


or try to force the type:



chcon -t home_cert_t ~/.cert/*


It might be possible that there is some bug in selinux-policy or docker selinux policy that causes wrong default labeling.






share|improve this answer


























  • Nope, still restoring to svirt_sandbox_file_t. I believe this has happened when I installed Docker...

    – Guilherme
    Mar 5 '16 at 13:02











  • Give it a try with chcon. I am not unfortunately didn't find such a bug, but I would blame docker.

    – Jakuje
    Mar 5 '16 at 13:12











  • chcon does fix it. Will this persist across reboots and FS changes?

    – Guilherme
    Mar 5 '16 at 13:17











  • Yes. It should persist over reboot, if you will not trigger relabel (or if Docker does not enforce it somehow).

    – Jakuje
    Mar 5 '16 at 13:18






  • 2





    You can achieve complete relabel during reboot by touch /.autorelabel and then rebooting system.

    – Jakuje
    Mar 5 '16 at 13:33


















3














Target context type of the files is still wrong:



svirt_sandbox_file_t


The files in ~/.cert should be labeled as home_cert_t. Give it a try once more with



restorecon -Rf ~/.cert


or try to force the type:



chcon -t home_cert_t ~/.cert/*


It might be possible that there is some bug in selinux-policy or docker selinux policy that causes wrong default labeling.






share|improve this answer


























  • Nope, still restoring to svirt_sandbox_file_t. I believe this has happened when I installed Docker...

    – Guilherme
    Mar 5 '16 at 13:02











  • Give it a try with chcon. I am not unfortunately didn't find such a bug, but I would blame docker.

    – Jakuje
    Mar 5 '16 at 13:12











  • chcon does fix it. Will this persist across reboots and FS changes?

    – Guilherme
    Mar 5 '16 at 13:17











  • Yes. It should persist over reboot, if you will not trigger relabel (or if Docker does not enforce it somehow).

    – Jakuje
    Mar 5 '16 at 13:18






  • 2





    You can achieve complete relabel during reboot by touch /.autorelabel and then rebooting system.

    – Jakuje
    Mar 5 '16 at 13:33
















3












3








3







Target context type of the files is still wrong:



svirt_sandbox_file_t


The files in ~/.cert should be labeled as home_cert_t. Give it a try once more with



restorecon -Rf ~/.cert


or try to force the type:



chcon -t home_cert_t ~/.cert/*


It might be possible that there is some bug in selinux-policy or docker selinux policy that causes wrong default labeling.






share|improve this answer















Target context type of the files is still wrong:



svirt_sandbox_file_t


The files in ~/.cert should be labeled as home_cert_t. Give it a try once more with



restorecon -Rf ~/.cert


or try to force the type:



chcon -t home_cert_t ~/.cert/*


It might be possible that there is some bug in selinux-policy or docker selinux policy that causes wrong default labeling.







share|improve this answer














share|improve this answer



share|improve this answer








edited Mar 5 '16 at 13:09

























answered Mar 5 '16 at 12:58









JakujeJakuje

16.5k53155




16.5k53155













  • Nope, still restoring to svirt_sandbox_file_t. I believe this has happened when I installed Docker...

    – Guilherme
    Mar 5 '16 at 13:02











  • Give it a try with chcon. I am not unfortunately didn't find such a bug, but I would blame docker.

    – Jakuje
    Mar 5 '16 at 13:12











  • chcon does fix it. Will this persist across reboots and FS changes?

    – Guilherme
    Mar 5 '16 at 13:17











  • Yes. It should persist over reboot, if you will not trigger relabel (or if Docker does not enforce it somehow).

    – Jakuje
    Mar 5 '16 at 13:18






  • 2





    You can achieve complete relabel during reboot by touch /.autorelabel and then rebooting system.

    – Jakuje
    Mar 5 '16 at 13:33





















  • Nope, still restoring to svirt_sandbox_file_t. I believe this has happened when I installed Docker...

    – Guilherme
    Mar 5 '16 at 13:02











  • Give it a try with chcon. I am not unfortunately didn't find such a bug, but I would blame docker.

    – Jakuje
    Mar 5 '16 at 13:12











  • chcon does fix it. Will this persist across reboots and FS changes?

    – Guilherme
    Mar 5 '16 at 13:17











  • Yes. It should persist over reboot, if you will not trigger relabel (or if Docker does not enforce it somehow).

    – Jakuje
    Mar 5 '16 at 13:18






  • 2





    You can achieve complete relabel during reboot by touch /.autorelabel and then rebooting system.

    – Jakuje
    Mar 5 '16 at 13:33



















Nope, still restoring to svirt_sandbox_file_t. I believe this has happened when I installed Docker...

– Guilherme
Mar 5 '16 at 13:02





Nope, still restoring to svirt_sandbox_file_t. I believe this has happened when I installed Docker...

– Guilherme
Mar 5 '16 at 13:02













Give it a try with chcon. I am not unfortunately didn't find such a bug, but I would blame docker.

– Jakuje
Mar 5 '16 at 13:12





Give it a try with chcon. I am not unfortunately didn't find such a bug, but I would blame docker.

– Jakuje
Mar 5 '16 at 13:12













chcon does fix it. Will this persist across reboots and FS changes?

– Guilherme
Mar 5 '16 at 13:17





chcon does fix it. Will this persist across reboots and FS changes?

– Guilherme
Mar 5 '16 at 13:17













Yes. It should persist over reboot, if you will not trigger relabel (or if Docker does not enforce it somehow).

– Jakuje
Mar 5 '16 at 13:18





Yes. It should persist over reboot, if you will not trigger relabel (or if Docker does not enforce it somehow).

– Jakuje
Mar 5 '16 at 13:18




2




2





You can achieve complete relabel during reboot by touch /.autorelabel and then rebooting system.

– Jakuje
Mar 5 '16 at 13:33







You can achieve complete relabel during reboot by touch /.autorelabel and then rebooting system.

– Jakuje
Mar 5 '16 at 13:33




















draft saved

draft discarded




















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f267789%2fselinux-not-allowing-read-files-on-cert%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

How to reconfigure Docker Trusted Registry 2.x.x to use CEPH FS mount instead of NFS and other traditional...

Image
0 I am having trouble trying to reconfigure my DTR container to try and use a CEPH FS mount we created to act as a storage backend for our image repository. The Docs are very vague on this and nothing exactly explains on how to do it. Has anyone yet connected the dots? linux filesystems mount storage docker share | improve this question asked Feb 1 at 6:40 jRapp3r jRapp3r 1 1 add a comment  | 
Read more

is 'sed' thread safe

Image
2 If I have a shell/python script that uses sed to modify a file in place based on user inputs, and then two users run the same script at the same time or approx. same time, is 'sed' thread safe ? Or perhaps it is not an issue because the file_descripor that was opened by the first thread will be used to lock the file anyway ? thx linux sed python share | improve this question edited 7 hours ago Jeff Schaller 42.9k 11 59 137 asked 7 hours ago terreys terreys
Read more

How to make a Squid Proxy server?

Image
1 I want to set up squid proxy server for monitoring user activity in a network and Internet Web URL filtering for user. I also want to configure the user login, user log, user access group, and block unwanted web sites in my network. Please help me and guide me the full process to do this. server proxy squid share | improve this question edited Jul 31 '12 at 14:45 Jorge Castro 37.1k 107 422 617 asked Jul 31 '12 at 5:16 Goivind Tiwari Goivind Tiwari
Read more