Bug 1889538

Summary: libreswan's /var/lib/ipsec/nss missing
Product: Fedora
Component: libreswan
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Douglas Kosovic <doug>
Assignee: Paul Wouters <pwouters>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dan.dim, gergely, peter.levart, pwouters, reg.bugs, rl, sahana
Fixed In Version: libreswan-4.1-2.fc34 libreswan-4.1-2.eln105 libreswan-4.1-2.fc33 libreswan-4.1-2.fc32
Type: Bug
Last Closed: 2020-10-26 14:37:14 UTC

Description Douglas Kosovic 2020-10-19 22:47:41 UTC
Description of problem:

$ sudo ipsec initnss
ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied

Version-Release number of selected component: libreswan-4.1-1


Additional info:

I suspect the libreswan-4.1-1 spec file might need to be modified to do the following in the %install section:

install -d -m 0700 %{_sharedstatedir}/ipsec/nss

and a corresponding entry added to the %files section.
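The change the reporter sketches, written out as a spec fragment. This is an added example, not the libreswan-4.1-2 spec itself: the `%{buildroot}` prefix is what `%install` needs for the directory to land in the package, and the `%files` entries with `%dir`/`%attr` (0755 on the parent, 0700 on the NSS directory, owned by root) are assumptions about how the fix would be packaged.

```spec
# %install: create the directory inside the buildroot so it is packaged
install -d -m 0700 %{buildroot}%{_sharedstatedir}/ipsec/nss

# %files: own both the parent and the NSS directory, so rpm creates them
# on install (with these modes) and `rpm -V libreswan` verifies them
%dir %attr(0755,root,root) %{_sharedstatedir}/ipsec
%dir %attr(0700,root,root) %{_sharedstatedir}/ipsec/nss
```

`%{_sharedstatedir}` expands to /var/lib on Fedora, so this owns /var/lib/ipsec/nss, the path the error message names; the 0700 mode matches the `install -d -m 0700` in the reporter's suggestion.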

Comment 1 Dandim 2020-10-26 11:52:52 UTC
I have the same issue in Fedora 23.
This is a workaround: mkdir -p /var/lib/ipsec/nss

Comment 2 Fedora Update System 2020-10-26 14:37:14 UTC
FEDORA-2020-466de9b5c7 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 3 Fedora Update System 2020-10-26 14:49:02 UTC
FEDORA-2020-a7463f4ba8 has been pushed to the Fedora ELN stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2020-10-26 15:00:35 UTC
FEDORA-2020-8159986cf3 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8159986cf3

Comment 5 Fedora Update System 2020-10-26 15:00:53 UTC
FEDORA-2020-2be8ee9435 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-2be8ee9435

Comment 6 Fedora Update System 2020-10-27 02:22:57 UTC
FEDORA-2020-2be8ee9435 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-2be8ee9435`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-2be8ee9435

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2020-10-27 02:37:30 UTC
FEDORA-2020-8159986cf3 has been pushed to the Fedora 33 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8159986cf3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8159986cf3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2020-11-04 03:01:36 UTC
FEDORA-2020-8159986cf3 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2020-11-04 04:01:35 UTC
FEDORA-2020-2be8ee9435 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Peter Levart 2020-11-05 08:51:36 UTC
Hi,

Today I installed an update of libreswan that appeared in the stable repository of Fedora 32. The dnf history shows that I updated:

dnf history info 192
Transaction ID : 192
Begin time     : Thu 05 Nov 2020 09:06:54 AM CET
Begin rpmdb    : 2122:e7a8e4d12bd4f90f14224e715bd4a9357a07bb30
End time       : Thu 05 Nov 2020 09:06:55 AM CET (1 seconds)
End rpmdb      : 2122:680ce7e7129ec17a740b01fca288422a15d1db86
User           : Peter Levart <peter>
Return-Code    : Success
Releasever     : 
Command Line   : 
Comment        : 
Packages Altered:
    Upgrade  libreswan-4.1-2.fc32.x86_64  @updates
    Upgraded libreswan-3.32-2.fc32.x86_64 @@System

And as a result, my L2TP vpn connection is not working any more. I see the following in the journalctl:

Nov 05 09:23:49 sun ipsec[7595]: ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied

I checked and the directory is there with the following permissions:

drwx------. 2 root root system_u:object_r:var_lib_t:s0 6 Oct 26 15:47 /var/lib/ipsec/nss

I had to downgrade the package (and I got downgraded to the initial F32 version of the package: 3.30-1.fc32, since 3.32-2 is no longer available in the repos).

Comment 11 Remco Luitwieler 2020-11-05 13:51:37 UTC
(In reply to Peter Levart from comment #10)
> Hi,
> 
> Today I installed an update of libreswan that appeared in the stable
> repository of Fedora 32. The dnf history shows that I updated:
> 
> dnf history info 192
> Transaction ID : 192
> Begin time     : Thu 05 Nov 2020 09:06:54 AM CET
> Begin rpmdb    : 2122:e7a8e4d12bd4f90f14224e715bd4a9357a07bb30
> End time       : Thu 05 Nov 2020 09:06:55 AM CET (1 seconds)
> End rpmdb      : 2122:680ce7e7129ec17a740b01fca288422a15d1db86
> User           : Peter Levart <peter>
> Return-Code    : Success
> Releasever     : 
> Command Line   : 
> Comment        : 
> Packages Altered:
>     Upgrade  libreswan-4.1-2.fc32.x86_64  @updates
>     Upgraded libreswan-3.32-2.fc32.x86_64 @@System
> 
> And as a result, my L2TP vpn connection is not working any more. I see the
> following in the journalctl:
> 
> Nov 05 09:23:49 sun ipsec[7595]: ERROR: destination directory
> "/var/lib/ipsec/nss" is missing or permission denied
> 
> I checked and the directory is there with the following permissions:
> 
> drwx------. 2 root root system_u:object_r:var_lib_t:s0 6 Oct 26 15:47
> /var/lib/ipsec/nss
> 
> I had to downgrade the package (and I got downgraded to the initial F32
> version of the package: 3.30-1.fc32, since 3.32-2 is no longer available in
> the repos).

Same here, VPN stopped working, same error message, dir exists, downgraded to 3.30-1.fc32 and VPN worked again.

Comment 12 Vlado Potisk 2020-11-05 17:50:17 UTC
I thought my Fedora 32 system was affected by this issue, but as mentioned in comments #10 and #11, the directory exists.

It looks like a SELinux problem, because it goes away after `setenforce 0` (just for testing).

Unfortunately I have no time to gather more information and file a new bug. I hope this comment helps a little bit anyway.

Comment 13 Douglas Kosovic 2020-11-06 01:37:14 UTC
There is an existing Fedora 33 "libreswan moved NSS directory requires selinux-policy change" bug which shows the required selinux policy addition:
https://bugzilla.redhat.com/show_bug.cgi?id=1883666

Fedora 32 probably should be included with that bug.

Comment 14 Remco Luitwieler 2020-11-06 06:03:30 UTC
As Douglas said, that is the same problem.

For now:
semanage fcontext -a -t ipsec_key_file_t '/var/lib/ipsec(/.*)?'
restorecon -v /var/lib/ipsec/*

Solved the problem for me.

Comment 15 Peter Levart 2020-11-06 10:37:56 UTC
@Remco: according to the regex in semanage, you should probably not forget to relabel the /var/lib/ipsec dir itself too?

restorecon -v /var/lib/ipsec/*
restorecon -v /var/lib/ipsec

...or should the regex not include the ipsec dir but just the content of it?:

semanage fcontext -a -t ipsec_key_file_t '/var/lib/ipsec/.+'


Either way fixes this particular problem, but which is more correct?

Comment 16 Remco Luitwieler 2020-11-06 11:00:20 UTC
@Peter: you are right, I just copied it from the other thread and it is the first time I have ever used the semanage command... I'm more familiar with Slackware, where SELinux is not used.

I think that the regex should not include the whole ipsec folder, and not even all subfolders, but only the nss subdir, since the keys are there. Although /var/lib/ipsec is empty for me, it could contain contents in the future.

I now used:
semanage fcontext -a -t ipsec_key_file_t '/var/lib/ipsec/nss'
restorecon -v /var/lib/ipsec/*

Comment 17 Paul Wouters 2020-11-06 13:43:51 UTC
Another workaround is adding nssdir=/etc/ipsec.d in /etc/ipsec.conf, as the migration copies the files, so the NSS *.db files are still available in /etc/ipsec.d as well.

Comment 18 Gergely Polonkai 2021-04-09 04:33:03 UTC
Just wanted to install a fresh Libreswan instance on a Fedora 33 server box, and it seems to affect new installations as well. The following solved the problem:

semanage fcontext -a -t ipsec_key_file_t '/var/lib/ipsec(/.*)?'
restorecon -vR /var/lib/ipsec
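The thread shows one error message with two different causes: `ipsec initnss` prints "destination directory ... is missing or permission denied" both when /var/lib/ipsec/nss does not exist (the packaging bug as filed, fixed in 4.1-2) and when it exists but is labeled var_lib_t instead of ipsec_key_file_t, so SELinux denies access (comments #10 to #16, with the nssdir workaround from comment #17). The script below is an added example, not part of libreswan or the Fedora packaging: it classifies the directory from `ls -ldZ` output and prints the matching remediation. Assumptions: GNU coreutils `ls -Z` output as on Fedora, the ipsec_key_file_t type taken from the workarounds above, and a regex covering only the nss directory and its *.db files (the narrower of the variants discussed in comments #14 to #16). The sample `ls` lines used below are constructed from the one in comment #10.

```sh
#!/bin/sh
# Added example (not libreswan's or Fedora's code): tell "directory missing"
# apart from "directory mislabeled" for the libreswan NSS directory.

NSS_DIR=${NSS_DIR:-/var/lib/ipsec/nss}
EXPECTED_TYPE=ipsec_key_file_t   # assumption: type used in the workarounds above

# selinux_type_of LINE: print the SELinux type from one `ls -dZ`/`ls -ldZ`
# line. The context is the only field shaped user:role:type:level. On a
# host without SELinux `ls -Z` prints "?", so no field matches and we
# return 1. awk is used so that "?" is never subject to shell globbing.
selinux_type_of() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if (split($i, c, ":") >= 4) { print c[3]; found = 1; exit } }
        END { if (found) exit 0; exit 1 }'
}

# verdict_for LINE: LINE is the `ls -ldZ` output for the NSS directory, or
# empty when the directory does not exist. Prints exactly one of:
#   missing | unlabeled | mislabeled:<type> | ok
verdict_for() {
    if [ -z "$1" ]; then
        printf 'missing\n'
        return 0
    fi
    if ! ctx_type=$(selinux_type_of "$1"); then
        printf 'unlabeled\n'
        return 0
    fi
    if [ "$ctx_type" != "$EXPECTED_TYPE" ]; then
        printf 'mislabeled:%s\n' "$ctx_type"
        return 0
    fi
    printf 'ok\n'
}

# advice_for VERDICT: the remediation the thread converged on for each case.
advice_for() {
    case $1 in
        missing)
            printf 'update libreswan (fixed in 4.1-2), or: mkdir -p -m 0700 %s\n' "$NSS_DIR"
            ;;
        mislabeled:*)
            # Assumption: label only the NSS dir and its contents, then relabel.
            printf "semanage fcontext -a -t %s '%s(/.*)?' && restorecon -Rv %s\n" \
                "$EXPECTED_TYPE" "$NSS_DIR" "$NSS_DIR"
            printf 'or, until the policy is fixed: nssdir=/etc/ipsec.d in /etc/ipsec.conf\n'
            ;;
        unlabeled)
            printf 'no SELinux context reported; this host is not hitting the label problem\n'
            ;;
        ok)
            printf 'directory exists and is labeled %s; look elsewhere\n' "$EXPECTED_TYPE"
            ;;
    esac
}

# check_nss_dir: classify the live system. Falls back to plain `ls -ld`
# where `ls -Z` is unsupported, which yields the "unlabeled" verdict.
check_nss_dir() {
    if [ -d "$NSS_DIR" ]; then
        line=$(ls -ldZ "$NSS_DIR" 2>/dev/null || ls -ld "$NSS_DIR")
    else
        line=
    fi
    verdict=$(verdict_for "$line")
    printf '%s: %s\n' "$NSS_DIR" "$verdict"
    advice_for "$verdict"
}

check_nss_dir
```

Run it as root on the affected host (or with `NSS_DIR=` pointing elsewhere to test); "mislabeled:var_lib_t" is the state from comment #10, and `setenforce 0` making the error disappear (comment #12) is the quick confirmation that it is the label, not the mode bits, that matters.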