This is an update to #1183490. The problem still exists, with the exact same error message.

Description of problem:
SELinux prevents charon/strongswan from doing its job. I tried to use NetworkManager to open a tunnel; this fails.

Version-Release number of selected component (if applicable):
# dnf info selinux-policy
Installed Packages
Name        : selinux-policy
Arch        : noarch
Epoch       : 0
Version     : 3.13.1
Release     : 158.6.fc23
Size        : 18 k
Repo        : @System
From repo   : updates

How reproducible:
Every time

Steps to Reproduce:
1. Try to create a tunnel (with NetworkManager).

Additional info:
SELinux is preventing charon-nm from 'read, write' accesses on the chr_file tun.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that charon-nm should be allowed read write access on the tun chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep charon-nm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ipsec_t:s0
Target Context                system_u:object_r:tun_tap_device_t:s0
Target Objects                tun [ chr_file ]
Source                        charon-nm
Source Path                   charon-nm
Port                          <Unknown>
Host                          thinki
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-158.6.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     thinki
Platform                      Linux thinki 4.5.0-0.rc4.git2.2.fc24.x86_64 #1 SMP Thu Feb 18 17:54:32 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-02-24 20:11:29 CET
Last Seen                     2016-02-24 20:11:29 CET
Local ID                      56622ea4-4c91-44e1-a88f-5328fd408795

Raw Audit Messages
type=AVC msg=audit(1456341089.643:1979): avc: denied { read write } for pid=24422 comm="charon-nm" name="tun" dev="devtmpfs" ino=1308 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0

Hash: charon-nm,ipsec_t,tun_tap_device_t,chr_file,read,write

commit 47e8b4aac6c1ac0333508cb680f0d4b32dcf9ee4
Author: Lubomir Rintel <lkundrak>
Date:   Wed Oct 21 19:38:36 2015 +0200

    ipsec: fix stringSwan charon-nm

    StrongSwan has an IPSec IKE daemon and the NetworkManager plugin in the same binary. They don't split it into a mgmt daemon and actual IPSec daemon.

selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.