Description of problem:
Created an IPsec VPN via gnome network control panel.

SELinux is preventing charon-nm from 'map' accesses on the file /etc/pki/tls/certs/Makefile.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that charon-nm should be allowed map access on the Makefile file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'charon-nm' --raw | audit2allow -M my-charonnm
# semodule -X 300 -i my-charonnm.pp

Additional Information:
Source Context                system_u:system_r:ipsec_t:s0
Target Context                system_u:object_r:cert_t:s0
Target Objects                /etc/pki/tls/certs/Makefile [ file ]
Source                        charon-nm
Source Path                   charon-nm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           openssl-1.1.0g-1.fc27.x86_64
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.15-300.fc27.x86_64 #1 SMP Tue Nov 21 21:10:22 UTC 2017 x86_64 x86_64
Alert Count                   3
First Seen                    2017-11-30 14:27:12 PST
Last Seen                     2017-11-30 14:27:12 PST
Local ID                      f9b61f19-e092-4979-a6b5-da6a50a53d55

Raw Audit Messages
type=AVC msg=audit(1512080832.551:304): avc: denied { map } for pid=17101 comm="charon-nm" path="/etc/pki/tls/certs/Makefile" dev="dm-1" ino=400186 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0

Hash: charon-nm,ipsec_t,cert_t,file,map

Version-Release number of selected component:
selinux-policy-3.13.1-283.17.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.15-300.fc27.x86_64
type:           libreport
It's not just the Makefile, although fixing for that will fix for the rest as well:

Nov 30 14:27:12 localhost.localdomain audit[17101]: AVC avc: denied { map } for pid=17101 comm="charon-nm" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-1" ino=394791 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
Nov 30 14:27:12 localhost.localdomain audit[17101]: AVC avc: denied { map } for pid=17101 comm="charon-nm" path="/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt" dev="dm-1" ino=394787 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
Nov 30 14:27:12 localhost.localdomain audit[17101]: AVC avc: denied { map } for pid=17101 comm="charon-nm" path="/etc/pki/tls/certs/Makefile" dev="dm-1" ino=400186 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0

Reproducing is pretty easy: just open gnome network settings, add a new "IPsec/IKEv2 (strongswan)" VPN, and in my case, pick certificate/ssh-agent, but it looks like this is going to happen regardless of how you configure the client.
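As an added example (not code from this bug report, nor from setroubleshoot or audit2allow), a small Python parser that takes the three AVC lines quoted above as constructed sample input, groups them by source type, target type and object class, and renders the allow rule audit2allow would propose, so a reviewer can confirm at a glance that all three denials collapse to ipsec_t needing map on cert_t files:

```python
import re

# Constructed sample input: the three journal-format AVC lines quoted in this bug.
SAMPLE_LOG = """\
Nov 30 14:27:12 localhost.localdomain audit[17101]: AVC avc: denied { map } for pid=17101 comm="charon-nm" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-1" ino=394791 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
Nov 30 14:27:12 localhost.localdomain audit[17101]: AVC avc: denied { map } for pid=17101 comm="charon-nm" path="/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt" dev="dm-1" ino=394787 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
Nov 30 14:27:12 localhost.localdomain audit[17101]: AVC avc: denied { map } for pid=17101 comm="charon-nm" path="/etc/pki/tls/certs/Makefile" dev="dm-1" ino=400186 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
"""

# Matches the journal form ("AVC avc: denied") and the raw ausearch form ("type=AVC ... avc: denied").
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(r'path="([^"]*)"')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    path = PATH_RE.search(line)
    return {  # a context is user:role:type:level; the type is what policy rules name
        'stype': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
        'perms': set(m.group('perms').split()),
        'path': path.group(1) if path else None,
    }

def summarize(log_text):
    """Group denials by (source type, target type, class): perms needed and paths hit."""
    summary = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        entry = summary.setdefault((d['stype'], d['ttype'], d['tclass']), {'perms': set(), 'paths': []})
        entry['perms'] |= d['perms']
        if d['path'] and d['path'] not in entry['paths']:
            entry['paths'].append(d['path'])
    return summary

def to_allow_rules(summary):  # render each group as the TE allow rule audit2allow would propose
    rules = []
    for (stype, ttype, tclass), e in sorted(summary.items()):
        perms = sorted(e['perms'])
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules
```

Before loading such a rule as a local module, compare it with what the distribution's selinux-policy update grants, so the local module does not outlive or exceed the upstream fix.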
I also have the same issue accessing a gateway certificate located in ~/.cert despite correct labelling of the certificate. In fact this certificate wasn't in ~/.cert, it was in ~/, but I moved it there following the advice of a similar bug report on 2nd November.

Now... this *was* working OK until "recently", so I downgraded selinux-policy thinking this to be the breaking update; however this didn't make it all start working again.

I got NetworkManager-strongswan to connect again by following the advice from 'catchall', but not sure if this is the correct solution long term?:

SELinux is preventing charon-nm from map access on the file /home/robert/.cert/gatewaycert.pem.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that charon-nm should be allowed map access on the gatewaycert.pem file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'charon-nm' --raw | audit2allow -M my-charonnm
selinux-policy-3.13.1-283.18.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
selinux-policy-3.13.1-283.18.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
selinux-policy-3.13.1-283.19.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.