Description of problem:
appears when I type "nmcli connection up vpn"

vpn conn is this:

[asus@localhost ~]$ nmcli connection show vpn474197033.opengw.net | grep -v -- '--' | grep -v default | grep -v unspec
connection.id:                          hidden.opengw.net
connection.uuid:                        cc9cc814-ddfd-4af6-9801-b08a51b9055d
connection.type:                        vpn
connection.autoconnect:                 no
connection.autoconnect-priority:        0
connection.auth-retries:                -1
connection.timestamp:                   0
connection.read-only:                   no
connection.gateway-ping-timeout:        0
connection.metered:                     yes
ipv4.method:                            auto
ipv4.dns-options:                       ""
ipv4.dns-priority:                      0
ipv4.route-metric:                      -1
ipv4.ignore-auto-routes:                no
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-send-hostname:                yes
ipv4.may-fail:                          yes
ipv6.method:                            auto
ipv6.dns-options:                       ""
ipv6.dns-priority:                      0
ipv6.route-metric:                      -1
ipv6.ignore-auto-routes:                no
ipv6.ignore-auto-dns:                   no
ipv6.may-fail:                          yes
ipv6.ip6-privacy:                       0 (disabled)
ipv6.addr-gen-mode:                     stable-privacy
ipv6.dhcp-send-hostname:                yes
vpn.service-type:                       org.freedesktop.NetworkManager.l2tp
vpn.data:                               gateway = hidden.opengw.net, ipsec-enabled = yes, ipsec-forceencaps = yes, ipsec-psk = password, password-flags = 1, user = user
vpn.secrets:                            <hidden>
vpn.persistent:                         no
vpn.timeout:                            0
proxy.method:                           none
proxy.browser-only:                     no

SELinux is preventing sh from 'map' accesses on the file /etc/passwd.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that sh should be allowed map access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -X 300 -i my-sh.pp

Additional Information:
Source Context                system_u:system_r:l2tpd_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        sh
Source Path                   sh
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           setup-2.12.1-1.fc29.noarch
Policy RPM                    selinux-policy-3.14.2-37.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.13-300.fc29.x86_64 #1 SMP Wed Oct 10 17:22:50 UTC 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-10-13 12:31:19 EEST
Last Seen                     2018-10-13 12:31:20 EEST
Local ID                      89e547d4-5a14-4d9e-9f68-8bd35b5d6cf9

Raw Audit Messages
type=AVC msg=audit(1539423080.676:382): avc:  denied  { map } for  pid=7210 comm="sh" path="/etc/passwd" dev="sda3" ino=50369295 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

Hash: sh,l2tpd_t,passwd_file_t,file,map

Version-Release number of selected component:
selinux-policy-3.14.2-37.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.13-300.fc29.x86_64
type:           libreport
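The report above gives the raw AVC record, the setroubleshoot "Hash:" line derived from it, and two remedies (a broad boolean vs. a narrow local module). The following is an added example, not part of the bug report or of setroubleshoot/audit2allow: a small parser that takes raw audit lines, pulls out the source and target types, object class and permissions, rebuilds the setroubleshoot key, and shows the single allow rule a local module for this denial would contain, so the rule can be reviewed before anything is loaded. The sample input is the AVC line from the report plus one constructed non-AVC record; the field layout assumed is the one shown in the report.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the raw AVC line quoted in the report above, plus one
# unrelated (constructed) SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_LINES = [
    'type=AVC msg=audit(1539423080.676:382): avc:  denied  { map } for  pid=7210 '
    'comm="sh" path="/etc/passwd" dev="sda3" ino=50369295 '
    'scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 '
    'tclass=file permissive=0',
    'type=SYSCALL msg=audit(1539423080.676:382): arch=c000003e syscall=9 success=no',
]

# "avc:  denied  { perm perm } for  key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
STAMP_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    result: str                                  # "denied" or "granted"
    perms: list                                  # permissions inside the braces, e.g. ["map"]
    fields: dict = field(default_factory=dict)   # key=value pairs after "for"
    timestamp: str = ""
    serial: str = ""

    @staticmethod
    def _type_of(context):
        # An SELinux context is user:role:type[:level]; the type is the third field.
        return context.split(':')[2]

    @property
    def source_type(self):
        return self._type_of(self.fields['scontext'])

    @property
    def target_type(self):
        return self._type_of(self.fields['tcontext'])

    @property
    def enforced(self):
        # permissive=0 means the kernel actually blocked the access.
        return self.fields.get('permissive') == '0'


def parse_avc(line):
    """Return an AvcRecord for an audit AVC line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    stamp = STAMP_RE.search(line)
    return AvcRecord(
        result=m.group('result'),
        perms=m.group('perms').split(),
        fields=fields,
        timestamp=stamp.group('ts') if stamp else '',
        serial=stamp.group('serial') if stamp else '',
    )


def setroubleshoot_key(rec):
    """Rebuild the 'Hash:' line setroubleshoot prints: comm,stype,ttype,tclass,perms."""
    return ','.join([rec.fields['comm'], rec.source_type, rec.target_type,
                     rec.fields['tclass'], ' '.join(rec.perms)])


def allow_rule(rec):
    """The allow rule audit2allow would emit for this record, for review before loading."""
    perms = rec.perms[0] if len(rec.perms) == 1 else '{ ' + ' '.join(rec.perms) + ' }'
    return f'allow {rec.source_type} {rec.target_type}:{rec.fields["tclass"]} {perms};'


def summarize(lines):
    """Parse a batch of raw audit lines and return one summary dict per AVC record."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        out.append({
            'key': setroubleshoot_key(rec),
            'rule': allow_rule(rec),
            'path': rec.fields.get('path', ''),
            'pid': rec.fields.get('pid', ''),
            'enforced': rec.enforced,
            'serial': rec.serial,
        })
    return out


if __name__ == '__main__':
    for item in summarize(SAMPLE_LINES):
        print(item)
```

Run against the report's line, this yields the key sh,l2tpd_t,passwd_file_t,file,map and the rule allow l2tpd_t passwd_file_t:file map;. Seeing the rule spelled out makes the difference between the two suggested remedies concrete: the local module grants one domain one permission on one type, whereas domain_can_mmap_files lets every confined domain mmap files, which is far broader than the problem being fixed.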
commit e572e87d31ec56b9cdf69503eae4139037921110 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Sun Oct 28 20:03:49 2018 +0100

    Allow l2tpd_t domain to mmap /etc/passwd file
    BZ(1638948)
selinux-policy-3.14.2-41.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.