Bug 1301319

Summary: VPN (strongswan) only connects when NetworkManager is started in debug mode
Product: Fedora
Component: selinux-policy
Version: 23
Status: CLOSED ERRATA
Severity: medium
Priority: high
Reporter: Jan Doumont <jan.doumont>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: blueowl, dominick.grift, dwalsh, lkundrak, lvrabec, mgrepl, plautrba
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.13.1-158.8.fc23 selinux-policy-3.13.1-158.9.fc23
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-03-05 06:22:45 UTC
Attachments:
    Output of journalctl for failed connection
    log for successful connection
    SELinux audit.log, grepped for 'charon-nm'

Description Jan Doumont 2016-01-24 03:25:02 UTC
Description of problem:
VPN only connects when NetworkManager is started in debug mode

Version-Release number of selected component (if applicable):
NetworkManager 1.0.10
NetworkManager-strongswan(-gnome) 1.3.1
Strongswan 5.3.2

How reproducible:

Add a Strongswan VPN (EAP in my case, not sure if it makes a difference) using nm-connection-manager (the 'settings' applet is broken). Starting the VPN doesn't work.

Open terminal:
systemctl stop NetworkManager
NetworkManager -b   (starts nm in debug mode, and not as a daemon)

Now the VPN does connect.

Not sure how I can get more info to provide to more knowledgeable users/developers, but I would be happy to try.

Comment 1 Blueowl 2016-01-25 12:16:47 UTC
Would you include NetworkManager logs for both the successful and the failing case? You should be able to get the logs using journalctl.

# journalctl -b 0 -u NetworkManager

Comment 2 Jan Doumont 2016-01-26 01:51:01 UTC
Created attachment 1118337 [details]
Output of journalctl for failed connection

Comment 3 Jan Doumont 2016-01-26 01:51:42 UTC
Created attachment 1118338 [details]
log for successful connection

Comment 4 Jan Doumont 2016-01-26 01:53:13 UTC
Created attachment 1118339 [details]
SELinux audit.log, grepped for 'charon-nm'

Comment 5 Jan Doumont 2016-01-26 01:57:51 UTC
I looked at the logs and uploaded them here.

For some reason (not sure why; it might be connected to my attempts at installing custom policies into SELinux), I couldn't get it working in the debug mode of NetworkManager anymore either.

But it is quite evident from the logs that SELinux is to blame, so on top of the journalctl logs for NetworkManager I have also included audit.log, grepped for the suspect process 'charon-nm'.

Comment 6 Jan Doumont 2016-01-26 14:37:18 UTC
For clarity, the successful connection and the audit.log are acquired after setting SELinux to 'permissive'.
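
The script below is an added illustration of the diagnosis step the reporter describes (grepping audit.log for the charon-nm denials and reading what they say); it is not code from this bug, from Fedora or from strongSwan, and the attachments themselves are not reproduced here. The audit lines it works on are constructed samples: the source domain ipsec_t and target type user_home_t are assumptions taken from the wording of the eventual fix ("allow ipsec to read home certs"), and the file names and paths are made up. It parses each AVC record into its permission set, source/target types and object class, keeps only the records for a given process name, and collapses them into the TE allow rules they imply, which is the same reduction audit2allow performs.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt: NOT the reporter's attachment.
# Assumptions: charon-nm runs in the ipsec_t domain and the certificate lives
# under the user's home directory (user_home_t), matching the fix
# "Allow ipsec to read home certs". The SYSCALL record and the sshd record are
# noise that a correct filter must leave out. The first run (pid 2201) is in
# enforcing mode, so only the first failing step (search on the directory) is
# logged; the second run (pid 2410) is in permissive mode, so the whole chain
# (search, read, open) is logged even though nothing was actually blocked.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1453770001.101:201): avc:  denied  { search } for  pid=2201 comm="charon-nm" name="certs" dev="dm-1" ino=4201 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1453770001.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:ipsec_t:s0
type=AVC msg=audit(1453770005.500:210): avc:  denied  { name_bind } for  pid=2305 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1453770090.300:260): avc:  denied  { search } for  pid=2410 comm="charon-nm" name="certs" dev="dm-1" ino=4201 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1453770090.301:261): avc:  denied  { read } for  pid=2410 comm="charon-nm" name="vpn-ca.pem" dev="dm-1" ino=4202 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1453770090.302:262): avc:  denied  { open } for  pid=2410 comm="charon-nm" path="/home/user/certs/vpn-ca.pem" dev="dm-1" ino=4202 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

# An AVC denial: "type=AVC msg=audit(<ts>:<serial>): avc:  denied  { perms } for  key=value ..."
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit.log line; returns a dict for AVC denials, None otherwise."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'source': type_of(fields['scontext']),
        'target': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        # permissive=1 means the denial was logged but the access was allowed
        'permissive': fields.get('permissive') == '1',
        'object': fields.get('path') or fields.get('name'),
    }


def denials_for(log_text, comm):
    """All AVC denials whose process name is comm, in log order (the grep step)."""
    found = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['comm'] == comm:
            found.append(rec)
    return found


def blocked_in_enforcing(denials):
    """Only the denials that actually failed a syscall (permissive=0)."""
    return [d for d in denials if not d['permissive']]


def allow_rules(denials):
    """Collapse denials into the TE allow rules they imply, one per
    (source type, target type, object class), as audit2allow would."""
    perms_by_key = defaultdict(set)
    for d in denials:
        perms_by_key[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(perms_by_key.items())
    ]


if __name__ == '__main__':
    denials = denials_for(SAMPLE_AUDIT_LOG, 'charon-nm')
    print(f"{len(denials)} AVC denials for charon-nm, "
          f"{len(blocked_in_enforcing(denials))} of them in enforcing mode")
    for rule in allow_rules(denials):
        print(rule)
```

Two things the sample is arranged to show. First, the enforcing-mode run yields a single denial (search on the directory), because the open() fails at path lookup and nothing further is attempted; the permissive-mode capture is the one that shows the full search/read/open chain, which is why the audit.log taken after switching to permissive (as in Comment 6) is the more useful one for writing a policy fix. Second, the generated rules are exactly what `audit2allow -M` would package into a local module as a stop-gap until the distribution policy update lands; they should be read, not blindly installed, since an over-broad rule (for example one that would also grant write) widens the ipsec_t domain's reach into every user's home directory.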

Comment 7 Lukas Vrabec 2016-02-25 16:37:19 UTC
commit 8fd6f85a0fb7b7247b7c408dc378ca3164f6bf85
Author: Lukas Vrabec <lvrabec>
Date:   Thu Feb 25 17:33:09 2016 +0100

    Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319

Comment 8 Fedora Update System 2016-02-27 13:50:20 UTC
selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 9 Fedora Update System 2016-02-28 13:54:12 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 10 Fedora Update System 2016-03-05 06:21:53 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.