Bug 1895436 - libreswan moved NSS directory requires selinux-policy change
Status: CLOSED DUPLICATE of bug 1883666
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Depends On: 1883666
Reported: 2020-11-06 16:44 UTC by Paul Wouters
Modified: 2020-12-07 18:44 UTC

Clone Of: 1883666
Last Closed: 2020-12-07 18:44:41 UTC
Type: Bug

Description Paul Wouters 2020-11-06 16:44:51 UTC
+++ This bug was initially created as a clone of Bug #1883666 +++

As of libreswan 4.0, the NSS database used is moved from /etc/ipsec.d to /var/lib/nss/ipsec/

This requires a selinux policy addition:

/var/lib/ipsec(/.*)?       gen_context(system_u:object_r:ipsec_key_file_t,s0)

--- Additional comment from Remco Luitwieler on 2020-11-06 06:02:28 UTC ---

Fedora 32 has the same problem

--- Additional comment from Stuart on 2020-11-06 11:05:55 UTC ---

I'm also experiencing this on Fedora 32 after downgrading (reinstalling) from 33.

--- Additional comment from Paul Wouters on 2020-11-06 13:38:39 UTC ---

As a workaround, you can specify nssdir=/etc/ipsec.d in /etc/ipsec.conf in "config setup".

--- Additional comment from Stuart on 2020-11-06 13:44:16 UTC ---

That's good to know. I've already posted this on libreswan's GitHub tracker and a kind soul there gave me the following SELinux workaround:

semanage fcontext --add --type ipsec_key_file_t '/var/lib/ipsec(/.*)?'
restorecon -rv /var/lib/ipsec

And to undo after the package is fixed:

semanage fcontext --delete --type ipsec_key_file_t '/var/lib/ipsec(/.*)?'
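
Added example (not part of the bug report, libreswan or selinux-policy): a shell check that tells apart the two states the workaround above deals with, namely file-context rules that do not yet assign ipsec_key_file_t to /var/lib/ipsec versus rules that are correct while the directory still carries a stale label. The function names are hypothetical, and the live check assumes matchpathcon (libselinux-utils) and GNU stat are installed.

```shell
#!/bin/sh
# Added example, not from the bug report: classify the labelling state of the
# libreswan NSS directory. Function names are hypothetical.
NSSDIR=/var/lib/ipsec          # path from the policy line in the report
WANT_TYPE=ipsec_key_file_t     # type from the policy line in the report

# Print the type field of a context such as system_u:object_r:var_lib_t:s0.
# A string without colons (matchpathcon prints <<none>>) is returned unchanged.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_state POLICY_CTX DISK_CTX
#   policy-missing  loaded file-context rules do not assign WANT_TYPE
#                   (fixed selinux-policy not installed and no local rule)
#   relabel-needed  rules are right, on-disk label is stale (run restorecon)
#   ok              rules and on-disk label both carry WANT_TYPE
label_state() {
    policy_type=$(context_type "$1")
    disk_type=$(context_type "$2")
    if [ "$policy_type" != "$WANT_TYPE" ]; then
        echo policy-missing
    elif [ "$disk_type" != "$WANT_TYPE" ]; then
        echo relabel-needed
    else
        echo ok
    fi
}

# Live check: compare what the loaded rules expect with the on-disk label.
check_nssdir() {
    policy_ctx=$(matchpathcon -n "$NSSDIR") || return 2
    disk_ctx=$(stat -c %C "$NSSDIR") || return 2
    state=$(label_state "$policy_ctx" "$disk_ctx")
    echo "$NSSDIR: policy=$policy_ctx disk=$disk_ctx state=$state"
    [ "$state" = ok ]
}

# Run the live check only when asked, e.g.: sh check-nssdir.sh --check
if [ "${1:-}" = "--check" ]; then
    check_nssdir
fi
```

While the local semanage rule is in place, the policy side reports ipsec_key_file_t regardless of the installed selinux-policy build, so rerun the check after deleting the local rule to confirm the packaged fix covers the path.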

Comment 1 Zdenek Pytela 2020-11-06 18:47:03 UTC
Waiting for the fix being agreed on in

Comment 2 Zdenek Pytela 2020-12-07 18:44:41 UTC
The fix should be a part of the next package build.

*** This bug has been marked as a duplicate of bug 1883666 ***
