Description of problem:

$ sudo ipsec initnss
ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied

Version-Release number of selected component:
libreswan-4.1-1

Additional info:

I suspect the libreswan-4.1-1 spec file might need to be modified to do the following in the %install section:

install -d -m 0700 %{_sharedstatedir}/ipsec/nss

and a corresponding entry added to the %files section.
I have the same issue in Fedora 23. This is a workaround:

mkdir -p /var/lib/ipsec/nss
FEDORA-2020-466de9b5c7 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2020-a7463f4ba8 has been pushed to the Fedora ELN stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2020-8159986cf3 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8159986cf3
FEDORA-2020-2be8ee9435 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-2be8ee9435
FEDORA-2020-2be8ee9435 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-2be8ee9435` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-2be8ee9435 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-8159986cf3 has been pushed to the Fedora 33 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8159986cf3` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8159986cf3 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-8159986cf3 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2020-2be8ee9435 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
Hi,

Today I installed an update of libreswan that appeared in the stable repository of Fedora 32. The dnf history shows that I updated:

dnf history info 192
Transaction ID : 192
Begin time     : Thu 05 Nov 2020 09:06:54 AM CET
Begin rpmdb    : 2122:e7a8e4d12bd4f90f14224e715bd4a9357a07bb30
End time       : Thu 05 Nov 2020 09:06:55 AM CET (1 seconds)
End rpmdb      : 2122:680ce7e7129ec17a740b01fca288422a15d1db86
User           : Peter Levart <peter>
Return-Code    : Success
Releasever     :
Command Line   :
Comment        :
Packages Altered:
    Upgrade  libreswan-4.1-2.fc32.x86_64  @updates
    Upgraded libreswan-3.32-2.fc32.x86_64 @@System

And as a result, my L2TP vpn connection is not working any more. I see the following in the journalctl:

Nov 05 09:23:49 sun ipsec[7595]: ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied

I checked and the directory is there with the following permissions:

drwx------. 2 root root system_u:object_r:var_lib_t:s0 6 Oct 26 15:47 /var/lib/ipsec/nss

I had to downgrade the package (and I got downgraded to the initial F32 version of the package: 3.30-1.fc32, since 3.32-2 is no longer available in the repos).
(In reply to Peter Levart from comment #10)
> Hi,
>
> Today I installed an update of libreswan that appeared in the stable
> repository of Fedora 32. The dnf history shows that I updated:
>
> dnf history info 192
> Transaction ID : 192
> Begin time : Thu 05 Nov 2020 09:06:54 AM CET
> Begin rpmdb : 2122:e7a8e4d12bd4f90f14224e715bd4a9357a07bb30
> End time : Thu 05 Nov 2020 09:06:55 AM CET (1 seconds)
> End rpmdb : 2122:680ce7e7129ec17a740b01fca288422a15d1db86
> User : Peter Levart <peter>
> Return-Code : Success
> Releasever :
> Command Line :
> Comment :
> Packages Altered:
> Upgrade libreswan-4.1-2.fc32.x86_64 @updates
> Upgraded libreswan-3.32-2.fc32.x86_64 @@System
>
> And as a result, my L2TP vpn connection is not working any more. I see the
> following in the journalctl:
>
> Nov 05 09:23:49 sun ipsec[7595]: ERROR: destination directory
> "/var/lib/ipsec/nss" is missing or permission denied
>
> I checked and the directory is there with the following permissions:
>
> drwx------. 2 root root system_u:object_r:var_lib_t:s0 6 Oct 26 15:47
> /var/lib/ipsec/nss
>
> I had to downgrade the package (and I got downgraded to the initial F32
> version of the package: 3.30-1.fc32, since 3.32-2 is no longer available in
> the repos).

Same here, VPN stopped working, same error message, dir exists, downgraded to 3.30-1.fc32 and VPN worked again.
I thought my Fedora 32 system was affected by this issue, but as mentioned in comments #10 and #11, the directory exists. It looks like a SELinux problem, because it goes away after `setenforce 0` (just for testing). Unfortunately I have no time to gather more information and file a new bug. I hope this comment helps a little bit anyway.
There is an existing Fedora 33 "libreswan moved NSS directory requires selinux-policy change" bug which shows the required selinux policy addition:

https://bugzilla.redhat.com/show_bug.cgi?id=1883666

Fedora 32 probably should be included with that bug.
As Douglas said, that is the same problem. For now:

semanage fcontext -a -t ipsec_key_file_t '/var/lib/ipsec(/.*)?'
restorecon -v /var/lib/ipsec/*

solved the problem for me.
@Remco: according to the regex in semanage, you should probably not forget to relabel the /var/lib/ipsec dir itself too?

restorecon -v /var/lib/ipsec/*
restorecon -v /var/lib/ipsec

...or should the regex not include the ipsec dir but just the content of it?:

semanage fcontext -a -t ipsec_key_file_t '/var/lib/ipsec/.+'

Either way fixes this particular problem, but which is more correct?
@Peter: you are right, I just copied it from the other thread, and it's the first time I ever used the semanage command... I'm more familiar with Slackware, where SELinux is not used. I think that the regex should not include the whole ipsec folder and not even all subfolders, but only the nss subdir, since the keys are there. Although /var/lib/ipsec is empty for me, it could contain contents in the future. I now used:

semanage fcontext -a -t ipsec_key_file_t '/var/lib/ipsec/nss'
restorecon -v /var/lib/ipsec/*
Another workaround is adding nssdir=/etc/ipsec.d in /etc/ipsec.conf, as the migration copies the files, so the NSS *.db files are still available in /etc/ipsec.d as well.
Just wanted to install a fresh Libreswan instance on a Fedora 33 server box, and it seems to affect new installations as well. The following solved the problem:

semanage fcontext -a -t ipsec_key_file_t '/var/lib/ipsec(/.*)?'
restorecon -vR /var/lib/ipsec
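The thread leaves two questions open: which paths each of the three proposed semanage regexes actually covers (comments #14 to #18), and how to tell from a directory listing whether the NSS directory has the mode and ownership the spec fix in comment #1 asks for (0700, root) and the SELinux type the policy expects (ipsec_key_file_t). The shell helpers below are an added example written for this page, not part of the bug report or of libreswan; they emulate semanage's whole-path regex matching with grep -E, parse an `ls -Zd`-style line, and only print the remediation commands rather than running them. The sample listing lines and paths are constructed (the "bad" line is the one quoted in comment #10).

```shell
#!/bin/sh
# Added example (not from the bug report): inspect fcontext regex coverage and
# the mode/label of the libreswan NSS directory from an `ls -Zd` line.
# ipsec_key_file_t is the type named in the thread; sample data is constructed.

# file_contexts regexes are matched against the whole path, as if anchored
# with ^ and $. fcontext_matches REGEX PATH -> 0 when PATH is covered.
fcontext_matches() {
  printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# matching_paths REGEX PATH... -> space-separated list of the covered paths
matching_paths() {
  regex=$1; shift
  out=
  for p in "$@"; do
    fcontext_matches "$regex" "$p" && out="$out $p"
  done
  printf '%s' "${out# }"
}

# label_type LINE -> the SELinux type (3rd colon field of the context, field 5)
label_type() {
  printf '%s\n' "$1" | awk '{ split($5, c, ":"); print c[3] }'
}

# needs_relabel LINE EXPECTED_TYPE -> 0 when the label differs from EXPECTED_TYPE
needs_relabel() {
  [ "$(label_type "$1")" != "$2" ]
}

# mode_ok LINE -> 0 when the entry is a directory with mode drwx------ owned by root:root
mode_ok() {
  set -- $1
  case $1 in drwx------*) ;; *) return 1 ;; esac
  [ "$3" = root ] && [ "$4" = root ]
}

# remediation LINE -> print (do not run) the commands that would fix the label,
# scoped to the listed directory only, as comment #17 argues.
remediation() {
  dir=$(printf '%s\n' "$1" | awk '{ print $NF }')
  printf "semanage fcontext -a -t ipsec_key_file_t '%s'\nrestorecon -v '%s'\n" "$dir" "$dir"
}

# Constructed samples: the listing from comment #10, and the same directory
# after a successful relabel.
BAD="drwx------. 2 root root system_u:object_r:var_lib_t:s0 6 Oct 26 15:47 /var/lib/ipsec/nss"
GOOD="drwx------. 2 root root system_u:object_r:ipsec_key_file_t:s0 6 Oct 26 15:47 /var/lib/ipsec/nss"
PATHS="/var/lib/ipsec /var/lib/ipsec/nss /var/lib/ipsec/nss/cert9.db /var/lib/ipsec/other"

main() {
  for re in '/var/lib/ipsec(/.*)?' '/var/lib/ipsec/.+' '/var/lib/ipsec/nss'; do
    printf '%-24s -> %s\n' "$re" "$(matching_paths "$re" $PATHS)"
  done
  if needs_relabel "$BAD" ipsec_key_file_t; then
    echo "label is $(label_type "$BAD"), expected ipsec_key_file_t; suggested fix:"
    remediation "$BAD"
  fi
  mode_ok "$GOOD" && echo "mode and ownership ok"
}

main
```

Running it shows that '/var/lib/ipsec(/.*)?' covers the parent directory and everything under it, '/var/lib/ipsec/.+' covers only the contents, and '/var/lib/ipsec/nss' covers exactly the NSS directory and nothing inside it, which is why a recursive restorecon after the first regex and a non-recursive one after the third both work for this bug but relabel different sets of files. On a real host, replace the constructed BAD/GOOD lines with the output of `ls -Zd /var/lib/ipsec/nss`.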