Bug 1564498
| Summary: | User asked for private key decryption password even though the key is not encrypted | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mirek Svoboda <goodmirek> | ||||||||
| Component: | selinux-policy | Assignee: | Pavel Šimerda <code> | ||||||||
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
| Severity: | high | Docs Contact: | |||||||||
| Priority: | unspecified | ||||||||||
| Version: | 28 | CC: | code, dwalsh, ferraro_lucas, goodmirek, lkundrak, lvrabec, plautrba | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2019-05-29 00:01:07 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
Created attachment 1418129 [details]
Related log
Created attachment 1418131 [details]
custom selinux policy fixing the issue
According to journal, the issue is caused by selinux. See the attached log excerpt. Applying custom policy fixes the issue, the policy is attached too. Update of Expected behavior: Additionally, expected behavior is to display "access denied" or a similar reasonable error, instead of password dialog. This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. I have the same problem on Fedora 38. I was wondering if there is any easier solution than SELinux policy? |
Created attachment 1418127 [details] The GUI dialog asking for a password Description of problem: Private keys for IPsec VPN are not encrypted. NetworkManager is used together with Strongswan for connecting to IPsec VPN, connection is initiated via Gnome GUI. In FC27, it works without any issue. After upgrade to FC28 beta (updated to be up-to-date) the IPsec VPN connection cannot be initiated via GUI any longer, as GUI shows a dialog requiring entry of a private key decryption password. See attached screenshot for the dialog. Version-Release number of selected component (if applicable): NetworkManager-strongswan-1.4.3-1.fc28.x86_64 strongswan-charon-nm-5.6.2-2.fc28.x86_64 NetworkManager-strongswan-gnome-1.4.3-1.fc28.x86_64 strongswan-5.6.2-2.fc28.x86_64 gnome-shell-3.28.0-1.fc28.x86_64 How reproducible: Initiate IPsec VPN connection from Gnome GUI, using unencrypted private key. Steps to Reproduce: 1. Install FC28 beta and run dnf update 2. Define IPsec VPN connection using Gnome GUI, use certificate only authentication with unencrypted private key 3. Attempt to connect the VPN Actual results: Dialog is displayed, which does not allow to enter an empty password and proceed with connection. Expected results: No dialog is displayed and connection is established, like in FC27. Additional info: