Bug 1889538 - libreswan's /var/lib/ipsec/nss missing
Summary: libreswan's /var/lib/ipsec/nss missing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libreswan
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-10-19 22:47 UTC by Douglas Kosovic
Modified: 2020-11-06 13:43 UTC (History)
6 users (show)

Fixed In Version: libreswan-4.1-2.fc34 libreswan-4.1-2.eln105 libreswan-4.1-2.fc33 libreswan-4.1-2.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-26 14:37:14 UTC
Type: Bug


Attachments (Terms of Use)

Description Douglas Kosovic 2020-10-19 22:47:41 UTC
Description of problem:

$ sudo ipsec initnss
ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied



Version-Release number of selected component : libreswan-4.1-1


Additional info:

I suspect the libreswan-4.1-1 spec file might need to be modified to do the following in the %install section :

install -d -m 0700 %{_sharedstatedir}/ipsec/nss

and a corresponding entry added to the %files section.

Comment 1 Dandim 2020-10-26 11:52:52 UTC
I have the same issue in Fedora 23.
This is workaround: mkdir -p /var/lib/ipsec/nss

Comment 2 Fedora Update System 2020-10-26 14:37:14 UTC
FEDORA-2020-466de9b5c7 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 3 Fedora Update System 2020-10-26 14:49:02 UTC
FEDORA-2020-a7463f4ba8 has been pushed to the Fedora ELN stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2020-10-26 15:00:35 UTC
FEDORA-2020-8159986cf3 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8159986cf3

Comment 5 Fedora Update System 2020-10-26 15:00:53 UTC
FEDORA-2020-2be8ee9435 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-2be8ee9435

Comment 6 Fedora Update System 2020-10-27 02:22:57 UTC
FEDORA-2020-2be8ee9435 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-2be8ee9435`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-2be8ee9435

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2020-10-27 02:37:30 UTC
FEDORA-2020-8159986cf3 has been pushed to the Fedora 33 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8159986cf3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8159986cf3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2020-11-04 03:01:36 UTC
FEDORA-2020-8159986cf3 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2020-11-04 04:01:35 UTC
FEDORA-2020-2be8ee9435 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Peter Levart 2020-11-05 08:51:36 UTC
Hi,

Today I installed an update of libreswan that appeared in the stable repository of Fedora 32. The dnf history shows that I updated:

dnf history info 192
Transaction ID : 192
Begin time     : Thu 05 Nov 2020 09:06:54 AM CET
Begin rpmdb    : 2122:e7a8e4d12bd4f90f14224e715bd4a9357a07bb30
End time       : Thu 05 Nov 2020 09:06:55 AM CET (1 seconds)
End rpmdb      : 2122:680ce7e7129ec17a740b01fca288422a15d1db86
User           : Peter Levart <peter>
Return-Code    : Success
Releasever     : 
Command Line   : 
Comment        : 
Packages Altered:
    Upgrade  libreswan-4.1-2.fc32.x86_64  @updates
    Upgraded libreswan-3.32-2.fc32.x86_64 @@System

And as a result, my L2TP vpn connection is not working any more. I see the following in the journalctl:

Nov 05 09:23:49 sun ipsec[7595]: ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied

I checked and the directory is there with the following permissions:

drwx------. 2 root root system_u:object_r:var_lib_t:s0 6 Oct 26 15:47 /var/lib/ipsec/nss

I had to downgrade the package (and I got downgraded to the initial F32 version of the package: 3.30-1.fc32, since 3.32-2 is no longer available in the repos).

Comment 11 Remco Luitwieler 2020-11-05 13:51:37 UTC
(In reply to Peter Levart from comment #10)
> Hi,
> 
> Today I installed an update of libreswan that appeared in the stable
> repository of Fedora 32. The dnf history shows that I updated:
> 
> dnf history info 192
> Transaction ID : 192
> Begin time     : Thu 05 Nov 2020 09:06:54 AM CET
> Begin rpmdb    : 2122:e7a8e4d12bd4f90f14224e715bd4a9357a07bb30
> End time       : Thu 05 Nov 2020 09:06:55 AM CET (1 seconds)
> End rpmdb      : 2122:680ce7e7129ec17a740b01fca288422a15d1db86
> User           : Peter Levart <peter>
> Return-Code    : Success
> Releasever     : 
> Command Line   : 
> Comment        : 
> Packages Altered:
>     Upgrade  libreswan-4.1-2.fc32.x86_64  @updates
>     Upgraded libreswan-3.32-2.fc32.x86_64 @@System
> 
> And as a result, my L2TP vpn connection is not working any more. I see the
> following in the journalctl:
> 
> Nov 05 09:23:49 sun ipsec[7595]: ERROR: destination directory
> "/var/lib/ipsec/nss" is missing or permission denied
> 
> I checked and the directory is there with the following permissions:
> 
> drwx------. 2 root root system_u:object_r:var_lib_t:s0 6 Oct 26 15:47
> /var/lib/ipsec/nss
> 
> I had to downgrade the package (and I got downgraded to the initial F32
> version of the package: 3.30-1.fc32, since 3.32-2 is no longer available in
> the repos).

Same here, VPN stopped working, same error message, dir exists, downgraded to 3.30-1.fc32 and VPN worked again.

Comment 12 Vlado Potisk 2020-11-05 17:50:17 UTC
I thought my Fedora 32 system was affected by this issue, but as mentioned in comments in #10 and #11, the directory exists.

It looks like a SELinux problem, because it goes away after `setenforce 0` (just for testing).

Unfortunately I have no time to gather more information and file a new bug. I hope this comment helps a little bit anyway.

Comment 13 Douglas Kosovic 2020-11-06 01:37:14 UTC
There is an existing Fedora 33 "libreswan moved NSS directory requires selinux-policy change" bug which shows the required selinux policy addition:
https://bugzilla.redhat.com/show_bug.cgi?id=1883666

Fedora 32 probably should be included with that bug.

Comment 14 Remco Luitwieler 2020-11-06 06:03:30 UTC
As Douglas said, that is the same problem.

For now:
semanage fcontext -a -t ipsec_key_file_t '/var/lib/ipsec(/.*)?'
restorecon -v /var/lib/ipsec/*

Solved the problem for me.

Comment 15 Peter Levart 2020-11-06 10:37:56 UTC
@Remco: according to regex in semanage, you should probably not forget to relable the /var/lib/ipsec dir itself too?

restorecon -v /var/lib/ipsec/*
restorecon -v /var/lib/ipsec

...or should the regex not include the ipsec dir but just the content of it?:

semanage fcontext -a -t ipsec_key_file_t '/var/lib/ipsec/.+'


Either way fixes this particular problem, but which is more correct?

Comment 16 Remco Luitwieler 2020-11-06 11:00:20 UTC
@Peter: you are right, just copied it from the other thread and the first time i ever used semanage command...i'm more familiar with Slackware where SELinux is not used.

I think that the regex should not include the whole ipsec folder and not even all subfolders, but only the nss subdir, since the keys are there. Although the /var/lib/ipsec is empty by me, it could contain contents in the future.

I now used:
semanage fcontext -a -t ipsec_key_file_t '/var/lib/ipsec/nss'
restorecon -v /var/lib/ipsec/*

Comment 17 Paul Wouters 2020-11-06 13:43:51 UTC
another work around is adding nssdir=/etc/ipsec.d in /etc/ipsec.conf   as the migration copies the files so the NSS *. db files are still available in /etc/ipsec.d as well


Note You need to log in before you can comment on or make changes to this bug.