| Summary: | SELinux is preventing charon-nm from read, write access on the chr_file tun | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Marcel Hellwig <redhat> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 23 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, redhat |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-158.8.fc23 selinux-policy-3.13.1-158.9.fc23 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-03-05 06:23:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
commit 47e8b4aac6c1ac0333508cb680f0d4b32dcf9ee4
Author: Lubomir Rintel <lkundrak>
Date: Wed Oct 21 19:38:36 2015 +0200
ipsec: fix stringSwan charon-nm
StrongSwan has an IPSec IKE daemon and the NetworkManager plugin in the same
binary. They don't split it into a mgmt daemon and actual IPSec daemon.
selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870 selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870 selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. |
This is an update to #1183490 . The problem still exists, with the exact same error massage Description of problem: Selinux prevents charon/strongswan from doing its job. I tried to use Networkmanager to open a tunnel, this fails. Version-Release number of selected component (if applicable): # dnf info selinux-policy Installed Packages Name : selinux-policy Arch : noarch Epoch : 0 Version : 3.13.1 Release : 158.6.fc23 Size : 18 k Repo : @System From repo : updates How reproducible: Every time Steps to Reproduce: 1. Try to create a tunnel (with NetworkManager). Additional info: SELinux is preventing charon-nm from 'read, write' accesses on the chr_file tun. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that charon-nm should be allowed read write access on the tun chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep charon-nm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ipsec_t:s0 Target Context system_u:object_r:tun_tap_device_t:s0 Target Objects tun [ chr_file ] Source charon-nm Source Path charon-nm Port <Unknown> Host thinki Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-158.6.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name thinki Platform Linux thinki 4.5.0-0.rc4.git2.2.fc24.x86_64 #1 SMP Thu Feb 18 17:54:32 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-02-24 20:11:29 CET Last Seen 2016-02-24 20:11:29 CET Local ID 56622ea4-4c91-44e1-a88f-5328fd408795 Raw Audit Messages type=AVC msg=audit(1456341089.643:1979): avc: denied { read write } for pid=24422 comm="charon-nm" name="tun" dev="devtmpfs" ino=1308 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0 Hash: charon-nm,ipsec_t,tun_tap_device_t,chr_file,read,write