VPN connection stopped working some time last week. SELinux is now preventing L2TP connections from beeing established. Running ausearch -c 'addconn' --raw | audit2allow -M my-addconn allows connection to be established, but still triggers SELinux error alert. T SELinux is preventing addconn from getattr access on the file /run/nm-l2tp-ipsec-64cd16ed-55b3-4f00-9b70-8a80ec9a5494.conf. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /run/nm-l2tp-ipsec-64cd16ed-55b3-4f00-9b70-8a80ec9a5494.conf default label should be var_run_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /run/nm-l2tp-ipsec-64cd16ed-55b3-4f00-9b70-8a80ec9a5494.conf ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that addconn should be allowed getattr access on the nm-l2tp-ipsec-64cd16ed-55b3-4f00-9b70-8a80ec9a5494.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'addconn' --raw | audit2allow -M my-addconn # semodule -X 300 -i my-addconn.pp Additional Information: Source Context system_u:system_r:ipsec_t:s0 Target Context system_u:object_r:l2tpd_var_run_t:s0 Target Objects /run/nm-l2tp- ipsec-64cd16ed-55b3-4f00-9b70-8a80ec9a5494.conf [ file ] Source addconn Source Path addconn Port <Ukjent> Host yoga-900-fedora Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.24.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name yoga-900-fedora Platform Linux yoga-900-fedora 4.14.16-300.fc27.x86_64 #1 SMP Wed Jan 31 19:24:27 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-02-06 21:58:41 EST Last Seen 2018-02-06 21:58:57 EST Local ID bd81fd92-88cf-4c9b-8518-005e0cdab5e7 Raw Audit Messages type=AVC msg=audit(1517972337.513:555): avc: denied { getattr } for pid=13363 comm="addconn" path="/run/nm-l2tp-ipsec-64cd16ed-55b3-4f00-9b70-8a80ec9a5494.conf" dev="tmpfs" ino=214790 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:l2tpd_var_run_t:s0 tclass=file permissive=0 Hash: addconn,ipsec_t,l2tpd_var_run_t,file,getattr
I confirm that this is happening to me as well
I just tried to setup a L2TP on my Fedora 27 + Cinnamon desktop and experienced this also. My laptop is also running Fedora 27 + Cinnamon, but started as Fedora 25 and was upgrade to 26 and then 27 as they came out. It does not give me these errors. Every time I attempted to open the connections I get 14 alerts. Screenshot: https://i.imgur.com/2pnF3WB.png
selinux-policy-3.13.1-283.27.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424
selinux-policy-3.13.1-283.27.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424
selinux-policy-3.13.1-283.28.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424
selinux-policy-3.13.1-283.28.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424
selinux-policy-3.13.1-283.28.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.