Bug 1337916 - SELinux prevents nm-fortisslvpn from opening a VPN tunnel
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-05-20 13:05 UTC by Berend De Schouwer
Modified: 2016-11-10 03:29 UTC (History)

Fixed In Version: selinux-policy-3.13.1-191.20.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-10 03:29:27 UTC


Attachments
sealert that can be used to generate required selinux policy (1.94 KB, text/plain), 2016-05-20 13:05 UTC, Berend De Schouwer
generated policy (1.58 KB, application/octet-stream), 2016-05-20 13:07 UTC, Berend De Schouwer

Description Berend De Schouwer 2016-05-20 13:05:06 UTC
Created attachment 1159899
sealert that can be used to generate required selinux policy

Description of problem:

The Fortigate SSL VPN plugin for NetworkManager does not open a VPN tunnel.  It fails to complete due to SELinux policies.


Version-Release number of selected component (if applicable):

Fedora 24 (Beta)
NetworkManager-fortisslvpn-1.2.2-1.fc24.x86_64
openfortivpn-1.1.4-1.fc24.x86_64
selinux-policy-3.13.1-185.fc24.noarch


How reproducible:

Always


Steps to Reproduce:

Requirement: a Fortigate VPN server

1. Configure a Forti SSL VPN
2. Click Connect (NetworkManager GUI)
3.


Actual results:

Fortigate SSL VPN fails.
Errors are reported in journalctl
SEAlert pops up


Expected results:

VPN tunnel is opened.


Additional info:

#127020

Comment 1 Berend De Schouwer 2016-05-20 13:07:07 UTC
Created attachment 1159900
generated policy

generated policy that fixes the problem on one machine

I've attached it in case there's more than one sealert that gets triggered.

Comment 2 Fedora Admin XMLRPC Client 2016-09-27 15:09:50 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 3 Peter Selc 2016-10-28 19:39:39 UTC
The generated policy fixes the problem on Fedora 24 (latest updates) while connecting from the NetworkManager GUI to Fortigate via SSLVPN.

Comment 4 Fedora Update System 2016-11-04 12:10:55 UTC
selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

Comment 5 Fedora Update System 2016-11-05 03:35:59 UTC
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

Comment 6 Fedora Update System 2016-11-10 03:29:27 UTC
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

