Description of problem:
on FC26, with strongswan-5.5.3, while starting strongswan

Tried both with the same effect:

1. under regular user with
   sudo systemctl start strongswan
   the user has sudoers rights to run systemctl

2. under root
   systemctl start strongswan

Running strongswan from command line as root works well.
SELinux is preventing starter from 'execute_no_trans' accesses on the file /usr/libexec/strongswan/charon.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that starter should be allowed execute_no_trans access on the charon file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'starter' --raw | audit2allow -M my-starter
# semodule -X 300 -i my-starter.pp

Additional Information:
Source Context                system_u:system_r:ipsec_t:s0
Target Context                system_u:object_r:ipsec_exec_t:s0
Target Objects                /usr/libexec/strongswan/charon [ file ]
Source                        starter
Source Path                   starter
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           strongswan-5.5.3-1.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-259.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.8-300.fc26.x86_64 #1 SMP Thu Jun 29 20:09:48 UTC 2017 x86_64 x86_64
Alert Count                   77
First Seen                    2017-07-05 16:38:16 CEST
Last Seen                     2017-07-05 16:45:28 CEST
Local ID                      4024b33c-c595-4bbe-9a0f-df454836f4e5

Raw Audit Messages
type=AVC msg=audit(1499265928.672:653): avc: denied { execute_no_trans } for pid=27715 comm="starter" path="/usr/libexec/strongswan/charon" dev="dm-2" ino=202306635 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file permissive=0

Hash: starter,ipsec_t,ipsec_exec_t,file,execute_no_trans

Version-Release number of selected component:
selinux-policy-3.13.1-259.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.8-300.fc26.x86_64
type:           libreport

Description of problem:
systemctl start strongswan

Version-Release number of selected component:
selinux-policy-3.13.1-260.3.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.8-300.fc26.x86_64
type:           libreport

This bug is duplicating 1444607 from April 23rd.

Description of problem:
When strongswan was starting and establishing a tunnel.

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.8-300.fc26.x86_64
type:           libreport

selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d312739a4e
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.