Freedom-IP VPN community support forum
That's fine, it just means you don't have any files there. It was just "in case".
To install support for Gnome-Shell extensions on Fedora:
$ su -c 'yum install gnome-shell-extensions-common gnome-tweak-tool gnome-shell-extension-user-theme'
To be done before section 3 of the tutorial. I'll update it as soon as possible.
I like your theme, DooM, what is it?
До Свидания
I still have the same problem...
Cannot load CA certificate file /etc/openvpn/freedomip/ca.crt path (null) (SSL_CTX_load_verify_locations): error:0200100D:system library:fopen:Permission denied: error:2006D002:BIO routines:BIO_new_file:system lib: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
And yet all the files are there... I followed the tutorial and reloaded the files just in case, but it's the same.
Aug 30 15:17:04 Bounty-Nymous NetworkManager[641]: <info> Starting VPN service 'openvpn'...
Aug 30 15:17:04 Bounty-Nymous NetworkManager[641]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 4184
Aug 30 15:17:04 Bounty-Nymous NetworkManager[641]: <info> VPN service 'openvpn' appeared; activating connections
Aug 30 15:17:04 Bounty-Nymous NetworkManager[641]: <info> VPN plugin state changed: init (1)
Aug 30 15:17:04 Bounty-Nymous NetworkManager[641]: <info> VPN plugin state changed: starting (3)
Aug 30 15:17:04 Bounty-Nymous NetworkManager[641]: <info> VPN connection 'NL_freedomip' (Connect) reply received.
Aug 30 15:17:04 Bounty-Nymous nm-openvpn[4186]: OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Feb 13 2012
Aug 30 15:17:04 Bounty-Nymous nm-openvpn[4186]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 30 15:17:04 Bounty-Nymous nm-openvpn[4186]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 30 15:17:04 Bounty-Nymous nm-openvpn[4186]: Cannot load CA certificate file /etc/openvpn/freedomip/ca.crt path (null) (SSL_CTX_load_verify_locations): error:0200100D:system library:fopen:Permission denied: error:2006D002:BIO routines:BIO_new_file:system lib: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
Aug 30 15:17:04 Bounty-Nymous nm-openvpn[4186]: Exiting
Aug 30 15:17:04 Bounty-Nymous NetworkManager[641]: <warn> VPN plugin failed: 1
Aug 30 15:17:04 Bounty-Nymous NetworkManager[641]: <info> VPN plugin state changed: stopped (6)
Aug 30 15:17:04 Bounty-Nymous NetworkManager[641]: <info> VPN plugin state change reason: 0
Aug 30 15:17:04 Bounty-Nymous NetworkManager[641]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Aug 30 15:17:04 Bounty-Nymous NetworkManager[641]: <info> Policy set 'Auto Livebox' (wlan0) as default for IPv4 routing and DNS.
Aug 30 15:17:04 Bounty-Nymous setroubleshoot: SELinux is preventing /usr/sbin/openvpn from search access on the directory /etc/openvpn/freedomip. For complete SELinux messages. run sealert -l b7494313-16ed-4c3f-b548-13210dc4f2fe
Aug 30 15:17:09 Bounty-Nymous NetworkManager[641]: <info> VPN service 'openvpn' disappeared
До Свидания
What do these return:
$ ls -n /etc/openvpn/
$ ls -n /etc/openvpn/freedomip/
It looks like the problem may come from Fedora's SELinux security system.
Let's try to fix that with:
$ /sbin/restorecon -R -v /etc/openvpn
Last edited by DooM (2012-08-30 15:17:52)
$ ls -n /etc/openvpn/
total 4
drwxrwxrwx. 2 1000 0 4096 30 août 14:39 freedomip
$ ls -n /etc/openvpn/freedomip/
total 48
-rwxrwxrwx. 1 1000 10 1614 28 juil. 2011 ca.crt
-rwxrwxrwx. 1 1000 0 891 5 juil. 2011 ca.key
-rwxrwxrwx. 1 1000 0 210 30 juin 21:28 IE2_freedomip.ovpn
-rwxrwxrwx. 1 1000 0 210 30 juin 21:28 IE3_freedomip.ovpn
-rwxrwxrwx. 1 1000 0 210 30 juin 21:28 IE4_freedomip.ovpn
-rwxrwxrwx. 1 1000 0 208 30 juin 21:28 IE_freedomip.ovpn
-rwxrwxrwx. 1 1000 0 219 2 févr. 2012 NL2_freedomip.ovpn
-rwxrwxrwx. 1 1000 0 210 30 juin 21:26 NL3_freedomip.ovpn
-rwxrwxrwx. 1 1000 0 219 2 févr. 2012 NL4_freedomip.ovpn
-rwxrwxrwx. 1 1000 0 218 2 févr. 2012 NL_freedomip.ovpn
-rwxrwxrwx. 1 1000 0 324 28 janv. 2012 README
-rwxrwxrwx. 1 1000 0 636 28 juil. 2011 ta.key
$ /sbin/restorecon -R -v /etc/openvpn
/sbin/restorecon reset /etc/openvpn/freedomip context system_u:object_r:fusefs_t:s0->system_u:object_r:openvpn_etc_t:s0
/sbin/restorecon reset /etc/openvpn/freedomip/NL4_freedomip.ovpn context system_u:object_r:fusefs_t:s0->system_u:object_r:openvpn_etc_t:s0
/sbin/restorecon reset /etc/openvpn/freedomip/IE_freedomip.ovpn context system_u:object_r:fusefs_t:s0->system_u:object_r:openvpn_etc_t:s0
/sbin/restorecon reset /etc/openvpn/freedomip/README context system_u:object_r:fusefs_t:s0->system_u:object_r:openvpn_etc_t:s0
/sbin/restorecon reset /etc/openvpn/freedomip/ca.key context system_u:object_r:fusefs_t:s0->system_u:object_r:openvpn_etc_t:s0
/sbin/restorecon reset /etc/openvpn/freedomip/NL2_freedomip.ovpn context system_u:object_r:fusefs_t:s0->system_u:object_r:openvpn_etc_t:s0
/sbin/restorecon reset /etc/openvpn/freedomip/ta.key context system_u:object_r:fusefs_t:s0->system_u:object_r:openvpn_etc_t:s0
/sbin/restorecon reset /etc/openvpn/freedomip/IE2_freedomip.ovpn context system_u:object_r:fusefs_t:s0->system_u:object_r:openvpn_etc_t:s0
/sbin/restorecon reset /etc/openvpn/freedomip/IE4_freedomip.ovpn context system_u:object_r:fusefs_t:s0->system_u:object_r:openvpn_etc_t:s0
/sbin/restorecon reset /etc/openvpn/freedomip/ca.crt context system_u:object_r:fusefs_t:s0->system_u:object_r:openvpn_etc_t:s0
/sbin/restorecon reset /etc/openvpn/freedomip/IE3_freedomip.ovpn context system_u:object_r:fusefs_t:s0->system_u:object_r:openvpn_etc_t:s0
/sbin/restorecon reset /etc/openvpn/freedomip/NL3_freedomip.ovpn context system_u:object_r:fusefs_t:s0->system_u:object_r:openvpn_etc_t:s0
/sbin/restorecon reset /etc/openvpn/freedomip/NL_freedomip.ovpn context system_u:object_r:fusefs_t:s0->system_u:object_r:openvpn_etc_t:s0
I installed your theme, it's really great ^^
До Свидания
LoL yeah, it's cool
Right, and now tell me the VPN works!! lol
Yes, it works!
Thank you both for helping me. As a precaution I still deleted the freedomip files and extracted the freedomip.zip archive directly into /etc/openvpn, then moved all the files into /etc/openvpn/freedomip and deleted the *.exe. I then imported the VPN again and now it works on NL; I'm trying the others.
So after several attempts, the connections NL, NL2, NL3 and IE work; the rest are impossible, there is an SELinux error.
Aug 30 17:36:24 Bounty-Nymous NetworkManager[660]: <info> Policy set 'Auto Livebox' (wlan0) as default for IPv4 routing and DNS.
Aug 30 17:36:29 Bounty-Nymous NetworkManager[660]: <info> VPN service 'openvpn' disappeared
Aug 30 17:36:37 Bounty-Nymous NetworkManager[660]: <info> Starting VPN service 'openvpn'...
Aug 30 17:36:37 Bounty-Nymous NetworkManager[660]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 4038
Aug 30 17:36:37 Bounty-Nymous NetworkManager[660]: <info> VPN service 'openvpn' appeared; activating connections
Aug 30 17:36:37 Bounty-Nymous NetworkManager[660]: <info> VPN plugin state changed: init (1)
Aug 30 17:36:37 Bounty-Nymous NetworkManager[660]: <info> VPN plugin state changed: starting (3)
Aug 30 17:36:37 Bounty-Nymous NetworkManager[660]: <info> VPN connection 'IE4_freedomip' (Connect) reply received.
Aug 30 17:36:37 Bounty-Nymous nm-openvpn[4040]: OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Feb 13 2012
Aug 30 17:36:37 Bounty-Nymous nm-openvpn[4040]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 30 17:36:37 Bounty-Nymous nm-openvpn[4040]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 30 17:36:37 Bounty-Nymous nm-openvpn[4040]: WARNING: file '/etc/openvpn/freedomip/ta.key' is group or others accessible
Aug 30 17:36:37 Bounty-Nymous nm-openvpn[4040]: Control Channel Authentication: using '/etc/openvpn/freedomip/ta.key' as a OpenVPN static key file
Aug 30 17:36:37 Bounty-Nymous nm-openvpn[4040]: Attempting to establish TCP connection with 94.23.150.162:3333 [nonblock]
Aug 30 17:36:37 Bounty-Nymous nm-openvpn[4040]: TCP: connect to 94.23.150.162:3333 failed, will try again in 5 seconds: Permission denied
Aug 30 17:36:37 Bounty-Nymous setroubleshoot: SELinux is preventing /usr/sbin/openvpn from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l dbd97b5a-a799-4688-938a-fa395ef68ef0
Aug 30 17:36:42 Bounty-Nymous nm-openvpn[4040]: TCP: connect to 94.23.150.162:3333 failed, will try again in 5 seconds: Permission denied
Aug 30 17:36:42 Bounty-Nymous setroubleshoot: SELinux is preventing /usr/sbin/openvpn from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l dbd97b5a-a799-4688-938a-fa395ef68ef0
Aug 30 17:36:47 Bounty-Nymous nm-openvpn[4040]: TCP: connect to 94.23.150.162:3333 failed, will try again in 5 seconds: Permission denied
Aug 30 17:36:47 Bounty-Nymous setroubleshoot: SELinux is preventing /usr/sbin/openvpn from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l dbd97b5a-a799-4688-938a-fa395ef68ef0
Aug 30 17:36:52 Bounty-Nymous nm-openvpn[4040]: TCP: connect to 94.23.150.162:3333 failed, will try again in 5 seconds: Permission denied
Aug 30 17:36:52 Bounty-Nymous setroubleshoot: SELinux is preventing /usr/sbin/openvpn from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l dbd97b5a-a799-4688-938a-fa395ef68ef0
Aug 30 17:36:57 Bounty-Nymous nm-openvpn[4040]: TCP: connect to 94.23.150.162:3333 failed, will try again in 5 seconds: Permission denied
Aug 30 17:36:57 Bounty-Nymous setroubleshoot: SELinux is preventing /usr/sbin/openvpn from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l dbd97b5a-a799-4688-938a-fa395ef68ef0
Aug 30 17:37:02 Bounty-Nymous nm-openvpn[4040]: TCP: connect to 94.23.150.162:3333 failed, will try again in 5 seconds: Permission denied
Aug 30 17:37:02 Bounty-Nymous setroubleshoot: SELinux is preventing /usr/sbin/openvpn from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l dbd97b5a-a799-4688-938a-fa395ef68ef0
Aug 30 17:37:07 Bounty-Nymous nm-openvpn[4040]: TCP: connect to 94.23.150.162:3333 failed, will try again in 5 seconds: Permission denied
Aug 30 17:37:07 Bounty-Nymous setroubleshoot: SELinux is preventing /usr/sbin/openvpn from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l 5a51dac5-e0d8-4c9c-a5d4-5dca92a703ef
Aug 30 17:37:12 Bounty-Nymous nm-openvpn[4040]: TCP: connect to 94.23.150.162:3333 failed, will try again in 5 seconds: Permission denied
Aug 30 17:37:12 Bounty-Nymous setroubleshoot: SELinux is preventing /usr/sbin/openvpn from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l 5a51dac5-e0d8-4c9c-a5d4-5dca92a703ef
Aug 30 17:37:17 Bounty-Nymous nm-openvpn[4040]: TCP: connect to 94.23.150.162:3333 failed, will try again in 5 seconds: Permission denied
Aug 30 17:37:17 Bounty-Nymous NetworkManager[660]: <warn> VPN connection 'IE4_freedomip' (IP Config Get) timeout exceeded.
Aug 30 17:37:17 Bounty-Nymous nm-openvpn[4040]: SIGTERM[hard,init_instance] received, process exiting
Aug 30 17:37:17 Bounty-Nymous NetworkManager[660]: <info> Policy set 'Auto Livebox' (wlan0) as default for IPv4 routing and DNS.
Aug 30 17:37:18 Bounty-Nymous setroubleshoot: SELinux is preventing /usr/sbin/openvpn from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l 5a51dac5-e0d8-4c9c-a5d4-5dca92a703ef
Aug 30 17:37:22 Bounty-Nymous NetworkManager[660]: <info> VPN service 'openvpn' disappeared
Last edited by Luciole (2012-08-30 16:37:47)
До Свидания
Ah cool, that's a good start! That's one of the reasons that made me give up Fedora: SELinux. It is very secure, but far too restrictive!
Just in case, since you put the files back, run the following command again and retry the other servers:
$ /sbin/restorecon -R -v /etc/openvpn
Good, this post will help improve the tutorial.
Plus, now we can clearly see that the problem does come from SELinux.
It would also be good to run:
$ sealert -l dbd97b5a-a799-4688-938a-fa395ef68ef0
and tell me what it returns.
Last edited by DooM (2012-08-30 16:49:23)
$ sealert -l dbd97b5a-a799-4688-938a-fa395ef68ef0
Error
query_alerts error (1003): id (dbd97b5a-a799-4688-938a-fa395ef68ef0) not found
On the other hand:
$ sealert -l 5a51dac5-e0d8-4c9c-a5d4-5dca92a703ef
SELinux is preventing /usr/sbin/openvpn from name_connect access on the tcp_socket .
***** Plugin connect_ports (99.5 confidence) suggests **********************
If you want to allow /usr/sbin/openvpn to connect to network port 2222
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 2222
where PORT_TYPE is one of the following: dns_port_t, ldap_port_t, http_cache_port_t, dns_port_t, http_port_t, tor_socks_port_t, openvpn_port_t, ocsp_port_t, kerberos_port_t.
***** Plugin catchall (1.49 confidence) suggests ***************************
If you believe that openvpn should be allowed name_connect access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:openvpn_t:s0
Target Context system_u:object_r:unreserved_port_t:s0
Target Objects [ tcp_socket ]
Source openvpn
Source Path /usr/sbin/openvpn
Port 2222
Host Bounty-Nymous
Source RPM Packages openvpn-2.2.2-4.fc17.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-146.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name Bounty-Nymous
Platform Linux Bounty-Nymous 3.5.2-3.fc17.x86_64 #1 SMP Tue
Aug 21 19:06:52 UTC 2012 x86_64 x86_64
Alert Count 11
First Seen 2012-08-30 17:37:07 CEST
Last Seen 2012-08-30 17:55:11 CEST
Local ID 5a51dac5-e0d8-4c9c-a5d4-5dca92a703ef
Raw Audit Messages
type=AVC msg=audit(1346342111.533:288): avc: denied { name_connect } for pid=4218 comm="openvpn" dest=2222 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1346342111.533:288): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7fff1c806738 a2=10 a3=3ff65b4ba0 items=0 ppid=4216 pid=4218 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=openvpn exe=/usr/sbin/openvpn subj=system_u:system_r:openvpn_t:s0 key=(null)
Hash: openvpn,openvpn_t,unreserved_port_t,tcp_socket,name_connect
audit2allow
#============= openvpn_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow openvpn_t unreserved_port_t:tcp_socket name_connect;
audit2allow -R
#============= openvpn_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow openvpn_t unreserved_port_t:tcp_socket name_connect;
До Свидания
So, SELinux tells us that to lift the restrictions on OpenVPN we need to type:
$ su -
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Let's try!
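Added example, not part of the thread: the local module built by the audit2allow command above allows openvpn_t to connect to every TCP port typed unreserved_port_t, whereas the connect_ports suggestion in the sealert output labels only the ports the VPN servers use. This sketch reads AVC records and prints one semanage port command per denied port, for review before running as root. The function name suggest_port_labels and every sample record except the first are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn openvpn name_connect denials into per-port label commands.
# SAMPLE_AVC is constructed input: record 1 is the AVC line quoted in the thread,
# the others are made up (port 3333, a repeat of 2222, two unrelated denials).
SAMPLE_AVC='type=AVC msg=audit(1346342111.533:288): avc: denied { name_connect } for pid=4218 comm="openvpn" dest=2222 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1346342200.100:301): avc: denied { name_connect } for pid=4040 comm="openvpn" dest=3333 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1346342205.100:302): avc: denied { name_connect } for pid=4218 comm="openvpn" dest=2222 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1346342210.100:303): avc: denied { name_connect } for pid=900 comm="httpd" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1346342215.100:304): avc: denied { search } for pid=4186 comm="openvpn" name="freedomip" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir'

# suggest_port_labels (hypothetical helper): reads audit records on stdin and
# prints, without executing anything, one command per distinct TCP port that
# the openvpn_t domain was denied name_connect to.
suggest_port_labels() {
    awk '
        /avc: +denied/ && index($0, "{ name_connect }") > 0 &&
        /scontext=[^ ]*:openvpn_t:/ && /tclass=tcp_socket/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dest=[0-9]+$/) {
                    port = substr($i, 6)          # strip the "dest=" prefix
                    if (!(port in seen)) { seen[port] = 1; print port }
                }
        }
    ' | sort -n | while read -r port; do
        # openvpn_port_t is one of the types sealert lists as acceptable
        printf 'semanage port -a -t openvpn_port_t -p tcp %s\n' "$port"
    done
}

# Stand-alone run on the constructed sample; on a real host the input would be
# the audit log (for example: suggest_port_labels < /var/log/audit/audit.log).
printf '%s\n' "$SAMPLE_AVC" | suggest_port_labels
```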
Yes, they all work now
До Свидания
Well, that's done!
Perfect, I'll put all this information in the tutorial.
Good evening ...
As everything is back in order, I'm closing this discussion.
Regards, David.