I cannot successfully connect to a l2tp vpn if selinux is enabled. If I enable permissive mode, then it works. I do see several (5) selinux warnings upon every attempt to connect. sealert 1: SELinux is preventing sh from read access on the file passwd. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sh should be allowed read access on the passwd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sh' --raw | audit2allow -M my-sh # semodule -X 300 -i my-sh.pp Additional Information: Source Context system_u:system_r:l2tpd_t:s0 Target Context system_u:object_r:sssd_public_t:s0 Target Objects passwd [ file ] Source sh Source Path sh Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name localhost.localdomain Platform Linux localhost.localdomain 4.15.17-300.fc27.x86_64 #1 SMP Thu Apr 12 18:19:17 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-16 16:22:04 CDT Last Seen 2018-04-16 16:22:06 CDT Local ID 1d7a2c7b-5e2d-43c2-84f7-6fe1b6b9d592 Raw Audit Messages type=AVC msg=audit(1523913726.338:530): avc: denied { read } for pid=7544 comm="sh" name="passwd" dev="sda4" ino=3670350 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 Hash: sh,l2tpd_t,sssd_public_t,file,read sealert 2: SELinux is preventing sh from open access on the file /var/lib/sss/mc/passwd. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sh should be allowed open access on the passwd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sh' --raw | audit2allow -M my-sh # semodule -X 300 -i my-sh.pp Additional Information: Source Context system_u:system_r:l2tpd_t:s0 Target Context system_u:object_r:sssd_public_t:s0 Target Objects /var/lib/sss/mc/passwd [ file ] Source sh Source Path sh Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages sssd-common-1.16.1-2.fc27.x86_64 Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name localhost.localdomain Platform Linux localhost.localdomain 4.15.17-300.fc27.x86_64 #1 SMP Thu Apr 12 18:19:17 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-16 16:22:04 CDT Last Seen 2018-04-16 16:22:06 CDT Local ID f4c4e3c3-bd34-45a3-baf8-51c2f6407cb9 Raw Audit Messages type=AVC msg=audit(1523913726.338:531): avc: denied { open } for pid=7544 comm="sh" path="/var/lib/sss/mc/passwd" dev="sda4" ino=3670350 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 Hash: sh,l2tpd_t,sssd_public_t,file,open sealert 3: SELinux is preventing sh from getattr access on the file /var/lib/sss/mc/passwd. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sh should be allowed getattr access on the passwd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sh' --raw | audit2allow -M my-sh # semodule -X 300 -i my-sh.pp Additional Information: Source Context system_u:system_r:l2tpd_t:s0 Target Context system_u:object_r:sssd_public_t:s0 Target Objects /var/lib/sss/mc/passwd [ file ] Source sh Source Path sh Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages sssd-common-1.16.1-2.fc27.x86_64 Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name localhost.localdomain Platform Linux localhost.localdomain 4.15.17-300.fc27.x86_64 #1 SMP Thu Apr 12 18:19:17 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-16 16:22:04 CDT Last Seen 2018-04-16 16:22:06 CDT Local ID 13180c99-d53d-4313-99a0-57a0a280041b Raw Audit Messages type=AVC msg=audit(1523913726.338:532): avc: denied { getattr } for pid=7544 comm="sh" path="/var/lib/sss/mc/passwd" dev="sda4" ino=3670350 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 Hash: sh,l2tpd_t,sssd_public_t,file,getattr sealert 5: SELinux is preventing sh from map access on the file /var/lib/sss/mc/passwd. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sh should be allowed map access on the passwd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sh' --raw | audit2allow -M my-sh # semodule -X 300 -i my-sh.pp Additional Information: Source Context system_u:system_r:l2tpd_t:s0 Target Context system_u:object_r:sssd_public_t:s0 Target Objects /var/lib/sss/mc/passwd [ file ] Source sh Source Path sh Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages sssd-common-1.16.1-2.fc27.x86_64 Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name localhost.localdomain Platform Linux localhost.localdomain 4.15.17-300.fc27.x86_64 #1 SMP Thu Apr 12 18:19:17 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-16 16:22:04 CDT Last Seen 2018-04-16 16:22:06 CDT Local ID 058aaf50-132c-4399-8d22-c073523287f0 Raw Audit Messages type=AVC msg=audit(1523913726.339:533): avc: denied { map } for pid=7544 comm="sh" path="/var/lib/sss/mc/passwd" dev="sda4" ino=3670350 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 Hash: sh,l2tpd_t,sssd_public_t,file,map sealert 5: SELinux is preventing sh from write access on the sock_file nss. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sh should be allowed write access on the nss sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sh' --raw | audit2allow -M my-sh # semodule -X 300 -i my-sh.pp Additional Information: Source Context system_u:system_r:l2tpd_t:s0 Target Context system_u:object_r:sssd_var_lib_t:s0 Target Objects nss [ sock_file ] Source sh Source Path sh Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name localhost.localdomain Platform Linux localhost.localdomain 4.15.17-300.fc27.x86_64 #1 SMP Thu Apr 12 18:19:17 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-16 16:22:04 CDT Last Seen 2018-04-16 16:22:06 CDT Local ID f33a42a3-4d1b-4c1b-94ce-2f74f8a864ba Raw Audit Messages type=AVC msg=audit(1523913726.339:534): avc: denied { write } for pid=7544 comm="sh" name="nss" dev="sda4" ino=3801095 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1 Hash: sh,l2tpd_t,sssd_var_lib_t,sock_file,write
Triaging to f27, that's where I'm seeing this
I'm changing the component of this bug report from NetworkManager-l2tp to selinux-policy. For L2TP/IPsec connections, the only shell script NetworkManager-l2tp directly uses is /usr/sbin/ipsec from the libreswan package.
selinux-policy-3.13.1-283.34.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa26da1777
selinux-policy-3.13.1-283.34.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa26da1777
selinux-policy-3.13.1-283.34.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.