Description of problem: libcap-ng-0.8.1-1 breaking ability connect to VPN (openconnect) via NM and some application starts launch slower Last good version: libcap-ng-0.8-1.fc34.x86_64 How reproducible: Just update libcap-ng to 0.8.1-1 version and try connect to VPN (openconnect) via NM GUI.
Proposed as a Blocker and Freeze Exception for 34-beta by Fedora user mikhail using the blocker tracking app because: Breaks ability connect to VPN (openconnect) via NM GUI. It base system network functionality.
Is this package that is not working openconnect? I'd like to code review it to see how it should be fixed. That's where the real problem is. This update to libcap-ng just exposed the problem.
Demonstration: https://youtu.be/RFZX6jxr0E4
Thanks, but I'm needing more info. Was anything left in syslog saying there was a problem? I'm trying to find the failing code. Neither openconnect or NetworkManager-openconnect link against libcap-ng. So, I'm still looking for the code that is broken.
With libcap-ng-0.8.1-2.fc34.x86_64 this issue not happens anymore, so I close the issue.
Per #c5, closing.
This really isn't fixed. I have added a patch that makes Fedora's libcap-ng different than upstream in order to hide bugs. So far, I have no analysis that shows where the actual bug is. See comment #4. As soon as I remove the patch, this will break again. Whoever the package maintainer is for NetworkManager or OpenConnect needs to join the conversation so this can get fixed and I can safely remove the libcap-ng patch. I'm also unsure which package has the bug. All I know is that the bug does not lie with libcap-ng, it simply exposes the bug.
Then it can't block release, since there is no user-visible issue as long as we have the patch. CCing thaller for NM and David Woodhouse for openconnect.
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle. Changing version to 34.
This message is a reminder that Fedora Linux 34 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '34'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 34 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
CCing a couple more NM folks. Steve, I assume the situation here is unchanged?
libcap-ng is still compiled to log that something is wrong without returning an error. At some point we need to turn this on because it was reported that not enforcing this can lead to security issues if the app should have quit with an error. Nearly everything is fixed at this point. But I don't know if NM has fixed their code.
Steve, what should be fixed in NM code? It's not clear to me from the comments above. Do we have any NM logs for the problem? If possible, it would be better at trace level, that is, captured when trying to activate the VPN after running "nmcli general logging level trace" as root. Note that logs can contain confidential information, so please sanitize them before attaching.
I don't know what component is causing the message in the original report. I never got an answer. But anyone should be able to grep on libcap-ng in /var/log/messages to see if you have any issues. Looking at the NM code, it appears to use libcap for capabilities instead of libcap-ng. However, Searching the openconnect code for capng functions turns up nothing. I'm at a loss as to what component is having a problem or if it ever existed. If we had the syslog message, it would all be clear (and fixed by now).
Fedora Linux 34 entered end-of-life (EOL) status on 2022-06-07. Fedora Linux 34 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. Thank you for reporting this bug and we are sorry it could not be fixed.