Open dylangerdaly opened 11 months ago
Ok, so you identified which label is wrong already :) What if you run restorecon on it? Does it help? If yes, I guess it needs to be added to the installation instruction.
The above can be fixed by adding
restorecon -v /lib/systemd/system/*
chcon --reference=/usr/lib/qubes/qopen-in-vm -R qubes-vpn-*
diff --git a/files-main/rc.local b/files-main/rc.local
index bb07274..c3de1f9 100644
--- a/files-main/rc.local
+++ b/files-main/rc.local
@@ -13,6 +13,8 @@ sync
ln -s -f /rw/config/qubes-vpn-ns /usr/lib/qubes/qubes-vpn-ns
ln -s -f /rw/config/qubes-vpn-openvpn-script /usr/lib/qubes/qubes-vpn-openvpn-script
ln -s -f /rw/config/qubes-vpn-setup /usr/lib/qubes/qubes-vpn-setup
+restorecon -v /lib/systemd/system/*
+chcon --reference=/usr/lib/qubes/qopen-in-vm -R qubes-vpn-*
# Start tunnel service
systemctl daemon-reload
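Review bot: The added `chcon --reference=/usr/lib/qubes/qopen-in-vm -R qubes-vpn-*` line uses a relative glob, so it only matches when rc.local runs from the directory that holds the scripts; anywhere else chcon receives the literal pattern and nothing is relabeled. The ln lines just above use absolute paths (/rw/config/qubes-vpn-*, /usr/lib/qubes/qubes-vpn-*), and the chcon argument should too. The `restorecon -v /lib/systemd/system/*` line also touches every unit in that directory when the unit at issue is qubes-vpn-handler.service; naming that unit keeps the change narrow and the -v output readable.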
diff --git a/install b/install
old mode 100644
new mode 100755
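Review bot: The mode change on install (100644 to 100755) is unrelated to the SELinux labeling lines added to rc.local; split it into its own commit or mention it in the description so it does not go in unnoticed.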
The qubes-vpn scripts need to have a context of system_u:object_r:bin_t:s0, and restorecon fixes qubes-vpn-handler.service.
But the rules should be added/mainlined properly; this is a hacky fix.
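One way to confirm whether the scripts actually carry the bin_t type named above, so a labeling failure is visible instead of being masked by disabling enforcement. This is an added example, not part of the thread or of the Qubes-vpn-support project; the function names are hypothetical and the sample contexts are constructed.

```shell
#!/bin/sh
# Added example: report files whose SELinux type is not the expected one.
# Input: "<context> <path>" lines, as printed by  stat -L -c '%C %n' FILES
# (-L follows symlinks such as the ones rc.local creates in /usr/lib/qubes).

EXPECTED_TYPE="bin_t"   # type from the thread: system_u:object_r:bin_t:s0

# Print the type field of a user:role:type:level context string.
context_type() {
    rest=${1#*:}        # drop "user:"
    rest=${rest#*:}     # drop "role:"
    printf '%s\n' "${rest%%:*}"   # keep the text before the level field
}

# Read "<context> <path>" lines on stdin; print each path whose type differs
# from $1. Returns 0 when every label matches, 1 otherwise.
check_labels() {
    expected=$1
    bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(context_type "$ctx")
        if [ "$t" != "$expected" ]; then
            printf 'MISLABELED %s (%s, want %s)\n' "$path" "$t" "$expected"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample input (not captured from a real system).
sample_contexts() {
    cat <<'EOF'
system_u:object_r:bin_t:s0 /usr/lib/qubes/qubes-vpn-ns
system_u:object_r:bin_t:s0 /usr/lib/qubes/qubes-vpn-openvpn-script
system_u:object_r:unlabeled_t:s0 /usr/lib/qubes/qubes-vpn-setup
EOF
}

# Demo on the sample; on a live VM replace sample_contexts with:
#   stat -L -c '%C %n' /usr/lib/qubes/qubes-vpn-*
sample_contexts | check_labels "$EXPECTED_TYPE" || echo "relabel needed"
```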
It would be very kind if you could solve this issue. When switching from Fedora 38 to Fedora 39, VPN with certificates does otherwise fail suddenly.
Adding the above to rc.local for sys-net (I did not try the template) did not solve the issue for me. Adding just "setenforce 0" (thanks to this hint: https://forum.qubes-os.org/t/openvpn-with-fedora-39-as-sys-net/25398/5) does do the job. However, a reasonably secure operating system might do better than just disable SELinux for sys-net altogether.
Qubes OS release
4.2RC3
Brief summary
When running with SELinux enforcing, I'm unable to use the Qubes-vpn-support project (with https://github.com/tasket/Qubes-vpn-support/pull/75) due to SELinux not labeling the service correctly.
Steps to reproduce
Use the standard fedora-38 (non-xfce) template and install Qubes-vpn-support
Expected behavior
VPN connects successfully
Actual behavior
SELinux breaks because restorecon isn't run, or SELinux rules aren't being applied correctly