Description of problem: Generated when connecting to an L2TP VPN. The connection succeeds but this error happens. SELinux is preventing addconn from 'getattr' accesses on the file /run/nm-l2tp-ipsec-56798339-a275-487a-a299-1d1d0a179e66.conf. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /run/nm-l2tp-ipsec-56798339-a275-487a-a299-1d1d0a179e66.conf default label should be var_run_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /run/nm-l2tp-ipsec-56798339-a275-487a-a299-1d1d0a179e66.conf ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that addconn should be allowed getattr access on the nm-l2tp-ipsec-56798339-a275-487a-a299-1d1d0a179e66.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'addconn' --raw | audit2allow -M my-addconn # semodule -X 300 -i my-addconn.pp Additional Information: Source Context system_u:system_r:ipsec_t:s0 Target Context system_u:object_r:l2tpd_var_run_t:s0 Target Objects /run/nm-l2tp- ipsec-56798339-a275-487a-a299-1d1d0a179e66.conf [ file ] Source addconn Source Path addconn Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.24.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.15.6-300.fc27.x86_64 #1 SMP Mon Feb 26 18:43:03 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-03-11 10:39:05 +0330 Last Seen 2018-03-11 10:39:05 +0330 Local ID 376fd46c-94ac-4a72-a82b-d6ddf8a35ba1 Raw Audit Messages type=AVC msg=audit(1520752145.775:1999): avc: denied { getattr } for pid=11119 comm="addconn" path="/run/nm-l2tp-ipsec-56798339-a275-487a-a299-1d1d0a179e66.conf" dev="tmpfs" ino=2362496 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:l2tpd_var_run_t:s0 tclass=file permissive=1 Hash: addconn,ipsec_t,l2tpd_var_run_t,file,getattr Version-Release number of selected component: selinux-policy-3.13.1-283.24.fc27.noarch Additional info: component: selinux-policy reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.15.9-300.fc27.x86_64 type: libreport
selinux-policy-3.13.1-283.29.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ad9976b6a2
selinux-policy-3.13.1-283.29.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ad9976b6a2
selinux-policy-3.13.1-283.29.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.