|Summary:||VPN (strongswan) only connects when NetworkManager is started in debug mode|
|Product:||[Fedora] Fedora|
|Reporter:||Jan Doumont <jan.doumont>|
|Component:||selinux-policy|
|Assignee:||Miroslav Grepl <mgrepl>|
|Status:||CLOSED ERRATA|
|QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||23|
|CC:||blueowl, dominick.grift, dwalsh, lkundrak, lvrabec, mgrepl, plautrba|
|Fixed In Version:||selinux-policy-3.13.1-158.8.fc23 selinux-policy-3.13.1-158.9.fc23|
|Doc Type:||Bug Fix|
|Doc Text:|||
|Story Points:||---|
|Last Closed:||2016-03-05 06:22:45 UTC|
|Type:||Bug|
|oVirt Team:||---|
|RHEL 7.3 requirements from Atomic Host:|||
|Cloudforms Team:||---|
|Target Upstream Version:|||
Description Jan Doumont 2016-01-24 03:25:02 UTC
Description of problem:
VPN only connects when NetworkManager is started in debug mode

Version-Release number of selected component (if applicable):
NetworkManager 1.0.10
NetworkManager-strongswan(-gnome) 1.3.1
Strongswan 5.3.2

How reproducible:
Add a Strongswan VPN (EAP in my case, not sure if it makes a difference) using nm-connection-manager (the 'settings' applet is broken). Starting the VPN doesn't work.

Open a terminal:
systemctl stop NetworkManager
NetworkManager -b (starts nm in debug mode, and not as a daemon)

Now the VPN does connect. Not sure how I can get more info to provide to more knowledgeable users/developers, but I would be happy to try.
Comment 1 Blueowl 2016-01-25 12:16:47 UTC
Would you include NetworkManager logs for both the successful and the failing case? You should be able to get the logs using journalctl:
# journalctl -b 0 -u NetworkManager
Comment 2 Jan Doumont 2016-01-26 01:51:01 UTC
Created attachment 1118337 [details] Output of journalctl for failed connection
Comment 3 Jan Doumont 2016-01-26 01:51:42 UTC
Created attachment 1118338 [details] log for successful connection
Comment 4 Jan Doumont 2016-01-26 01:53:13 UTC
Created attachment 1118339 [details] SELinux audit.log, grepped for 'charon-nm'
Comment 5 Jan Doumont 2016-01-26 01:57:51 UTC
I looked at the logs and uploaded them here. For some reason (not sure why; it might be connected to my attempts at installing custom policies into SELinux), I couldn't get it working in the debug mode of NetworkManager anymore either. But it is quite evident from the logs that SELinux is to blame. So, on top of the journalctl logs for NetworkManager, I also included audit.log, grepped for the suspect process 'charon-nm'.
Comment 6 Jan Doumont 2016-01-26 14:37:18 UTC
For clarity, the successful connection and the audit.log are acquired after setting SELinux to 'permissive'.
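An added example (not from the bug report or from the Fedora policy) of the triage that Comments 4 to 6 describe: reading an audit.log excerpt grepped for charon-nm and reducing it to the denied accesses. The sample AVC lines are constructed, and the contexts ipsec_t (the charon-nm process) and home_cert_t (certificates under the user's home) are assumed names, not taken from the report. The script separates the enforcing run from the permissive run and prints the allow rule that would have covered the denials, in the form audit2allow reports it.

```python
import re
from collections import Counter

# Constructed sample in the style of /var/log/audit/audit.log, already grepped for
# comm="charon-nm" as in Comment 4. The types ipsec_t and home_cert_t are assumed
# for illustration. The last line comes from a run with SELinux set to permissive.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1453772002.123:456): avc:  denied  { read } for  pid=2345 comm="charon-nm" name="ca.pem" dev="sda3" ino=789012 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:home_cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1453772002.123:457): avc:  denied  { open } for  pid=2345 comm="charon-nm" path="/home/jan/.cert/ca.pem" dev="sda3" ino=789012 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:home_cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1453772100.555:470): avc:  denied  { read } for  pid=2399 comm="charon-nm" name="client.pem" dev="sda3" ino=789013 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:home_cert_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = tuple(sorted(d["perms"].split()))
    d["sdomain"] = d["scontext"].split(":")[2]   # type field of the source context
    d["ttype"] = d["tcontext"].split(":")[2]     # type field of the target context
    d["permissive"] = d["permissive"] == "1"     # logged but granted when True
    return d

def summarize_denials(log_text, comm="charon-nm"):
    """Count denials of one process per (domain, target type, class, perms, permissive)."""
    summary = Counter()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and d["comm"] == comm:
            summary[(d["sdomain"], d["ttype"], d["tclass"], d["perms"], d["permissive"])] += 1
    return summary

def missing_rules(summary):
    """Collapse the summary into one allow rule per source/target/class, as audit2allow prints them."""
    needed = {}
    for (sdomain, ttype, tclass, perms, _permissive) in summary:
        needed.setdefault((sdomain, ttype, tclass), set()).update(perms)
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in needed.items())
```

On a real system, pass the contents of /var/log/audit/audit.log to summarize_denials; entries with permissive=0 are the ones that actually broke the connection, and the rule list shows what the policy update has to add.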
Comment 7 Lukas Vrabec 2016-02-25 16:37:19 UTC
commit 8fd6f85a0fb7b7247b7c408dc378ca3164f6bf85
Author: Lukas Vrabec <firstname.lastname@example.org>
Date:   Thu Feb 25 17:33:09 2016 +0100

    Allow ipsec to read home certs, when connecting to VPN.
    rhbz#1301319
Comment 8 Fedora Update System 2016-02-27 13:50:20 UTC
selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
Comment 9 Fedora Update System 2016-02-28 13:54:12 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
Comment 10 Fedora Update System 2016-03-05 06:21:53 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.