Description of problem:
AVC denial happens shortly before the connection is established.
SELinux is preventing nm-l2tp-service from using the 'sigkill' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nm-l2tp-service should be allowed sigkill access on processes labeled ipsec_mgmt_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nm-l2tp-service' --raw | audit2allow -M my-nml2tpservice
# semodule -X 300 -i my-nml2tpservice.pp

Additional Information:
Source Context                system_u:system_r:l2tpd_t:s0
Target Context                system_u:system_r:ipsec_mgmt_t:s0
Target Objects                Unknown [ process ]
Source                        nm-l2tp-service
Source Path                   nm-l2tp-service
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.12.5-300.fc26.x86_64 #1 SMP Mon
                              Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-08-16 03:30:50 PDT
Last Seen                     2017-08-24 00:13:23 PDT
Local ID                      d0b1e3db-c2d8-4e8c-99ef-37f32a6542ac

Raw Audit Messages
type=AVC msg=audit(1503558803.946:390): avc:  denied  { sigkill } for  pid=5342 comm="nm-l2tp-service" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=process permissive=1

Hash: nm-l2tp-service,l2tpd_t,ipsec_mgmt_t,process,sigkill

Version-Release number of selected component:
selinux-policy-3.13.1-260.4.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.8-300.fc27.x86_64
type:           libreport
selinux-policy-3.13.1-283.13.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.