Bug 1589534
| Summary: | SELinux is preventing charon-nm from using the 'dac_override' capabilities. | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | imgx64+bzrh |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 28 | CC: | dwalsh, jakunar, lvrabec, mgrepl, plautrba, pmoore |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:9914a232222c5303b157d47be51f120b263b500dc4c33788a133299b21ac4f1c;VARIANT_ID=workstation; | | |
| Fixed In Version: | selinux-policy-3.14.1-36.fc28 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-07-29 03:21:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
imgx64+bzrh
2018-06-10 14:40:22 UTC
Additional info:

I'm trying to set up Algo VPN (https://github.com/trailofbits/algo/), in case that's relevant. Also, enabling SELinux permissive mode makes the VPN work.

More logs:

```
$ ls -l ~/.cert/*
-rw-rw-r--. 1 user user 2555 Jun  9 16:05 /home/user/.cert/cert.pem
-rw-rw-r--. 1 user user  241 Jun  9 16:05 /home/user/.cert/privkey.pem
-rw-rw-r--. 1 user user  648 Jun  9 16:04 /home/user/.cert/cacert.pem

$ sudo auditctl -w /etc/shadow -p w

$ nmcli connection up VPN1
Error: Connection activation failed: The VPN service failed to start

$ sudo ausearch -m avc -ts recent
----
time->Mon Jun 11 14:54:07 2018
type=AVC msg=audit(1528718047.621:261): avc: denied { dac_override } for pid=2931 comm="charon-nm" capability=1 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:system_r:ipsec_t:s0 tclass=capability permissive=0
----
time->Mon Jun 11 14:54:07 2018
type=AVC msg=audit(1528718047.625:262): avc: denied { dac_override } for pid=2931 comm="charon-nm" capability=1 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:system_r:ipsec_t:s0 tclass=capability permissive=0

$ journalctl --this-boot | grep 'charon-nm\|NetworkManager'
[snip]
Jun 11 14:54:07 comp1 NetworkManager[915]: <info> [1528718047.0957] audit: op="connection-activate" uuid="6a52dcf1-8a56-489f-b8f7-1b1c80eba76d" name="VPN1" pid=2887 uid=1000 result="success"
Jun 11 14:54:07 comp1 NetworkManager[915]: <info> [1528718047.4122] vpn-connection[0x55ddb9144110,6a52dcf1-8a56-489f-b8f7-1b1c80eba76d,"VPN1",0]: Started the VPN service, PID 2931
Jun 11 14:54:07 comp1 charon-nm[2931]: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.6.2)
Jun 11 14:54:07 comp1 charon-nm[2931]: 00[LIB] openssl FIPS mode(2) - enabled
Jun 11 14:54:07 comp1 NetworkManager[915]: <info> [1528718047.6156] vpn-connection[0x55ddb9144110,6a52dcf1-8a56-489f-b8f7-1b1c80eba76d,"VPN1",0]: Saw the service appear; activating connection
Jun 11 14:54:07 comp1 charon-nm[2931]: 00[LIB] loaded plugins: nm-backend charon-nm pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl kernel-netlink socket-default eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
Jun 11 14:54:07 comp1 charon-nm[2931]: 00[JOB] spawning 16 worker threads
Jun 11 14:54:07 comp1 audit[2931]: AVC avc: denied { dac_override } for pid=2931 comm="charon-nm" capability=1 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:system_r:ipsec_t:s0 tclass=capability permissive=0
Jun 11 14:54:07 comp1 charon-nm[2931]: 05[LIB] opening '/home/user/.cert/privkey.pem' failed: Permission denied
Jun 11 14:54:07 comp1 charon-nm[2931]: 05[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 9 builders
Jun 11 14:54:07 comp1 NetworkManager[915]: <info> [1528718047.6255] vpn-connection[0x55ddb9144110,6a52dcf1-8a56-489f-b8f7-1b1c80eba76d,"VPN1",0]: VPN connection: (ConnectInteractive) reply received
Jun 11 14:54:07 comp1 charon-nm[2931]: 05[CFG] received initiate for NetworkManager connection VPN1
Jun 11 14:54:07 comp1 audit[2931]: AVC avc: denied { dac_override } for pid=2931 comm="charon-nm" capability=1 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:system_r:ipsec_t:s0 tclass=capability permissive=0
Jun 11 14:54:07 comp1 charon-nm[2931]: 05[LIB] opening '/home/user/.cert/cacert.pem' failed: Permission denied
Jun 11 14:54:07 comp1 charon-nm[2931]: 05[LIB] building CRED_CERTIFICATE - X509 failed, tried 6 builders
Jun 11 14:54:07 comp1 NetworkManager[915]: <warn> [1528718047.6272] vpn-connection[0x55ddb9144110,6a52dcf1-8a56-489f-b8f7-1b1c80eba76d,"VPN1",0]: VPN connection: failed to connect: 'Loading gateway certificate failed.'
Jun 11 14:54:07 comp1 NetworkManager[915]: <info> [1528718047.6285] vpn-connection[0x55ddb9144110,6a52dcf1-8a56-489f-b8f7-1b1c80eba76d,"VPN1",0]: VPN plugin: state changed: stopped (6)
Jun 11 14:54:11 comp1 setroubleshoot[2958]: SELinux is preventing charon-nm from using the dac_override capability. For complete SELinux messages run: sealert -l afde8813-3cc5-4e28-ab49-c1ea0393d94b
Jun 11 14:54:11 comp1 python3[2958]: SELinux is preventing charon-nm from using the dac_override capability. If you believe that charon-nm should have the dac_override capability by default. # ausearch -c 'charon-nm' --raw | audit2allow -M my-charonnm
Jun 11 14:54:11 comp1 setroubleshoot[2958]: SELinux is preventing charon-nm from using the dac_override capability. For complete SELinux messages run: sealert -l afde8813-3cc5-4e28-ab49-c1ea0393d94b
Jun 11 14:54:11 comp1 python3[2958]: SELinux is preventing charon-nm from using the dac_override capability. If you believe that charon-nm should have the dac_override capability by default. # ausearch -c 'charon-nm' --raw | audit2allow -M my-charonnm
```

selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
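The report above shows the two places the same denial surfaces (ausearch's `type=AVC` records and the journal's `audit[pid]: AVC` lines) and setroubleshoot's blanket suggestion to run `audit2allow`. The following triage script is an added example, not code from the bug report, from strongSwan or from the selinux-policy project: it parses both AVC line formats, decodes the numeric `capability=` field to its `CAP_*` name, and groups denials by source domain, class and permission so you can see what a local policy module would actually grant before building one. The `SAMPLE_LINES` are copied from the report above (plus one non-AVC journal line), and the `BROAD_CAPS` set is this example's own triage heuristic, not anything the report or Fedora policy states.

```python
"""Triage SELinux AVC denials from ausearch / audit.log / journalctl output.

Added example (not part of the bug report or of selinux-policy). Parses every
"avc: denied" record, decodes capability numbers, and groups denials by
(source context, class, permission) so a policy gap can be judged before
reaching for audit2allow.
"""
import re
from collections import Counter

# Capability numbers as defined in linux/include/uapi/linux/capability.h.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
}

# Triage heuristic used by this example (an assumption, not from the report):
# capability permissions whose blanket grant to a domain weakens confinement
# far more than a file-label or boolean fix would.
BROAD_CAPS = {"dac_override", "dac_read_search", "sys_admin", "sys_ptrace",
              "sys_module", "sys_rawio"}

# Matches both "type=AVC msg=audit(...): avc: denied { ... } for ..." and the
# journal form "audit[pid]: AVC avc: denied { ... } for ...".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Lines copied from the bug report above; the last one is a non-AVC journal
# line included to show it is skipped.
SAMPLE_LINES = [
    'type=AVC msg=audit(1528718047.621:261): avc: denied { dac_override } for pid=2931 comm="charon-nm" capability=1 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:system_r:ipsec_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1528718047.625:262): avc: denied { dac_override } for pid=2931 comm="charon-nm" capability=1 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:system_r:ipsec_t:s0 tclass=capability permissive=0',
    'Jun 11 14:54:07 comp1 audit[2931]: AVC avc: denied { dac_override } for pid=2931 comm="charon-nm" capability=1 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:system_r:ipsec_t:s0 tclass=capability permissive=0',
    "Jun 11 14:54:07 comp1 charon-nm[2931]: 05[LIB] opening '/home/user/.cert/privkey.pem' failed: Permission denied",
]


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    if "pid" in rec:
        rec["pid"] = int(rec["pid"])
    # For tclass=capability the target context is the process's own context
    # (scontext == tcontext) and the capability number says which one.
    if "capability" in rec:
        cap = int(rec["capability"])
        rec["capability"] = cap
        rec["capability_name"] = CAP_NAMES.get(cap, f"CAP_{cap}")
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def summarize(lines):
    """Count denials by (scontext, tclass, permission); non-AVC lines are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec.get("scontext"), rec.get("tclass"), perm)] += 1
    return counts


def triage(lines):
    """One report line per denial group, flagging capability grants from BROAD_CAPS."""
    out = []
    for (scontext, tclass, perm), n in sorted(summarize(lines).items()):
        note = ""
        if tclass == "capability" and perm in BROAD_CAPS:
            note = "  <- broad capability: fix labels/booleans or report it, do not audit2allow"
        out.append(f"{n:3d}x {scontext} {tclass}:{perm}{note}")
    return out


if __name__ == "__main__":
    for line in triage(SAMPLE_LINES):
        print(line)
```

Run against real data with `sudo ausearch -m avc --raw | python3 avc_triage.py` after swapping `SAMPLE_LINES` for `sys.stdin`. For the denial in this report the grouped output is a single line (3x ipsec_t capability:dac_override), and the flag is the point: the `audit2allow -M my-charonnm` module setroubleshoot proposes would let every process in `ipsec_t` bypass DAC on every file on the system, which is a much larger grant than the three files under `~/.cert` that charon-nm failed to open. Reporting it, as was done here, got the access fixed in selinux-policy-3.14.1-36.fc28 instead.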