Description of problem:
service strongswan-swanctl start Fails to read /etc/strongswan/swanctl/*/*.der.

Strongswan's certificate loading routine unconditionally calls chunk_map on each certificate, which mmap's the file contents, which selinux denies:

allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr ioctl lock open read };

Adding "map" permission allows strongswan to start correctly.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.4-43.fc31.noarch

How reproducible:
Always
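The gap described in the report above can be checked mechanically by comparing AVC denial records against the quoted allow rule. The following Python is an added example, not part of the bug report or of selinux-policy; the audit record is constructed (timestamp, pid, comm, path and inode are made up) and the function names are hypothetical.

```python
import re

# Allow rule quoted in the report (policy before the fix).
RULE = "allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr ioctl lock open read };"

# Constructed audit record: timestamp, pid, comm, path and inode are made up.
SAMPLE_AVC = (
    'type=AVC msg=audit(1578650000.123:456): avc:  denied  { map } for  pid=1234 '
    'comm="swanctl" path="/etc/strongswan/swanctl/x509/example.der" dev="dm-0" '
    'ino=4242 scontext=system_u:system_r:ipsec_mgmt_t:s0 '
    'tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=0'
)

RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=[^:\s]+:[^:\s]+:([^:\s]+)\S*"
    r"\s+tcontext=[^:\s]+:[^:\s]+:([^:\s]+)\S*\s+tclass=(\S+)"
)

def parse_allow(rule):
    """Return ((source, target, class), permission set) for one allow rule."""
    m = RULE_RE.search(rule)
    if not m:
        raise ValueError("not an allow rule: %r" % rule)
    src, tgt, cls, braced, single = m.groups()
    return (src, tgt, cls), set((braced or single or "").split())

def parse_avc(line):
    """Return ((source, target, class), denied set), or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, src, tgt, cls = m.groups()
    return (src, tgt, cls), set(perms.split())

def missing_permissions(rule, avc_lines):
    """Permissions denied for the rule's (source, target, class) that it lacks."""
    key, allowed = parse_allow(rule)
    missing = set()
    for parsed in filter(None, map(parse_avc, avc_lines)):
        if parsed[0] == key:
            missing |= parsed[1] - allowed
    return sorted(missing)

def suggested_rule(rule, avc_lines):
    """Build the additional allow rule covering the missing permissions."""
    (src, tgt, cls), _ = parse_allow(rule)
    missing = missing_permissions(rule, avc_lines)
    return "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(missing)) if missing else None

if __name__ == "__main__":
    print(suggested_rule(RULE, [SAMPLE_AVC]))
```

Denials for other domains or for permissions the rule already grants produce no suggestion, so only the `map` gap is reported for the sample record.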
commit 2e726f1df5b52f95a101a26e4b66dbc9266565b0
Author: Lukas Vrabec <lvrabec>
Date:   Fri Jan 10 13:25:14 2020 +0100

    Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files

    Resolves: rhbz#1787482
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.