I want (open)vpn connections to be available to all users, but if I'm not root they are blocked by SELinux.
I looked in /var/log/audit/audit.log,
first in non-permissive mode:
type=AVC msg=audit(1659770552.275:309): avc: denied { getattr } for pid=1923 comm="openvpn" path="/root/.cert/nm-openvpn/ie-dub.prod.blk.com_udp-tls-auth.pem" dev="nvme0n1p3" ino=802406 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
and after that I set permissive mode to see what is blocked:
type=AVC msg=audit(1659770802.776:318): avc: denied { getattr } for pid=2124 comm="openvpn" path="/root/.cert/nm-openvpn/hu-bud.prod.blk.com_udp-tls-auth.pem" dev="nvme0n1p3" ino=802398 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1659770802.777:319): avc: denied { read } for pid=2124 comm="openvpn" name="hu-bud.prod.blk.com_udp-tls-auth.pem" dev="nvme0n1p3" ino=802398 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1659770802.777:320): avc: denied { open } for pid=2124 comm="openvpn" path="/root/.cert/nm-openvpn/hu-bud.prod.blk.com_udp-tls-auth.pem" dev="nvme0n1p3" ino=802398 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=NETFILTER_CFG msg=audit(1659770805.461:321): table=firewalld:6 family=1 entries=5 op=nft_register_rule pid=916 subj=system_u:system_r:firewalld_t:s0 comm="firewalld"
type=SERVICE_START msg=audit(1659770805.528:322): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
It seems that I need to change the context label for the *.pem files, but it is not clear which context to use.
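The audit excerpt above is the raw material for deciding what to relabel: the question is always which source type was denied which permissions on which target type and class. The following is an added example, not code from the question or from the SELinux or OpenVPN projects, that parses the `type=AVC` records shown above (the non-AVC `NETFILTER_CFG` and `SERVICE_START` records are skipped), and groups denials by (source type, target type, class), collecting the union of denied permissions, the affected inodes, and how many records came from enforcing versus permissive mode. The sample log is copied from the post; the function and field names are this example's own.

```python
import re

# Audit records copied from the question's audit.log excerpt (one record per line).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1659770552.275:309): avc: denied { getattr } for pid=1923 comm="openvpn" path="/root/.cert/nm-openvpn/ie-dub.prod.blk.com_udp-tls-auth.pem" dev="nvme0n1p3" ino=802406 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1659770802.776:318): avc: denied { getattr } for pid=2124 comm="openvpn" path="/root/.cert/nm-openvpn/hu-bud.prod.blk.com_udp-tls-auth.pem" dev="nvme0n1p3" ino=802398 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1659770802.777:319): avc: denied { read } for pid=2124 comm="openvpn" name="hu-bud.prod.blk.com_udp-tls-auth.pem" dev="nvme0n1p3" ino=802398 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1659770802.777:320): avc: denied { open } for pid=2124 comm="openvpn" path="/root/.cert/nm-openvpn/hu-bud.prod.blk.com_udp-tls-auth.pem" dev="nvme0n1p3" ino=802398 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=NETFILTER_CFG msg=audit(1659770805.461:321): table=firewalld:6 family=1 entries=5 op=nft_register_rule pid=916 subj=system_u:system_r:firewalld_t:s0 comm="firewalld"
type=SERVICE_START msg=audit(1659770805.528:322): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
"""

# Header of an AVC record; " +" tolerates the double spaces real audit.log output uses.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +'
    r'(?P<result>denied|granted) +\{ (?P<perms>[^}]*) \} for (?P<rest>.*)$'
)
# key=value pairs after "for"; values are either double-quoted or whitespace-free.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for a type=AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        # A record carries either the full path or just the final name component.
        'target': fields.get('path') or fields.get('name'),
        'ino': int(fields['ino']) if 'ino' in fields else None,
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive') == '1',
    }


def type_of(context):
    """Extract the type from a user:role:type[:range] SELinux context."""
    return context.split(':')[2]


def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        entry = summary.setdefault(key, {
            'perms': set(), 'targets': set(), 'inodes': set(),
            'enforced': 0, 'permissive': 0,
        })
        entry['perms'] |= rec['perms']
        entry['targets'].add(rec['target'])
        if rec['ino'] is not None:
            entry['inodes'].add(rec['ino'])
        entry['permissive' if rec['permissive'] else 'enforced'] += 1
    return summary


def report(summary):
    """Render the grouped denials as one line per (source, target, class) tuple."""
    lines = []
    for (src, tgt, cls), e in sorted(summary.items()):
        lines.append(
            f"{src} -> {tgt} ({cls}): denied {{ {' '.join(sorted(e['perms']))} }} "
            f"on {len(e['inodes'])} inode(s); {e['enforced']} enforcing, "
            f"{e['permissive']} permissive record(s)"
        )
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(summarize(SAMPLE_AUDIT_LOG)))
```

Run against the excerpt it reports a single tuple, `openvpn_t -> admin_home_t (file)`, with the permission set `{ getattr open read }` across two inodes. The enforcing-mode run contributes only the `getattr` denial because the kernel stops at the first failed check, whereas the permissive run logs every check that would have failed; that difference is why the `read` and `open` denials only show up in the second run, and why a fix verified only against the first run could still be incomplete.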