When there is an unclean shutdown of the VPN, SELinux prevents killing of the vpnc process.

selinux-policy-3.3.1-95.fc9.noarch
selinux-policy-targeted-3.3.1-95.fc9.noarch
NetworkManager-0.7.0-0.11.svn4175.fc9.i386
NetworkManager-gnome-0.7.0-0.11.svn4175.fc9.i386
NetworkManager-glib-0.7.0-0.11.svn4175.fc9.i386
NetworkManager-vpnc-0.7.0-0.11.svn4175.fc9.i386
vpnc-0.5.1-6.fc9.i386

sealert output:

Oct 15 00:13:06 l3f1199 setroubleshoot: SELinux is preventing nm-vpnc-service (NetworkManager_t) "signull" to <Unknown> (vpnc_t). For complete SELinux messages. run sealert -l 97e371ff-dd92-4022-bb54-0265cc9b8a3a

Summary:

SELinux is preventing nm-vpnc-service (NetworkManager_t) "signull" to <Unknown> (vpnc_t).

Detailed Description:

SELinux denied access requested by nm-vpnc-service. It is not expected that this access is required by nm-vpnc-service and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:system_r:vpnc_t:s0
Target Objects                None [ process ]
Source                        nm-vpnc-service
Source Path                   /usr/libexec/nm-vpnc-service
Port                          <Unknown>
Host                          l3f1199
Source RPM Packages           NetworkManager-vpnc-0.7.0-0.11.svn4175.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-95.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     l3f1199
Platform                      Linux l3f1199 2.6.26.5-45.fc9.i686 #1 SMP Sat Sep 20 03:45:00 EDT 2008 i686 i686
Alert Count                   2
First Seen                    Tue Oct 14 22:59:08 2008
Last Seen                     Wed Oct 15 00:13:06 2008
Local ID                      97e371ff-dd92-4022-bb54-0265cc9b8a3a
Line Numbers

Raw Audit Messages

host=l3f1199 type=AVC msg=audit(1224018786.173:55): avc: denied { signull } for pid=13789 comm="nm-vpnc-service" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=process

host=l3f1199 type=SYSCALL msg=audit(1224018786.173:55): arch=40000003 syscall=37 success=no exit=-13 a0=35f1 a1=0 a2=35f1 a3=bf9dfedc items=0 ppid=7505 pid=13789 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-vpnc-service" exe="/usr/libexec/nm-vpnc-service" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
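
The raw audit messages above, decoded, as an added example that is not part of the original report or of the selinux-policy packages: it turns the AVC record into the type-enforcement rule the denial corresponds to and decodes the paired SYSCALL record, which shows the blocked call was kill(pid, 0), an existence probe rather than a signal delivery. The function names are hypothetical, and the rule is what the denial maps to, not necessarily the change shipped in the fixed packages.

```python
import re

# Audit records copied from the report above (SYSCALL record cut after a3).
AVC = ('host=l3f1199 type=AVC msg=audit(1224018786.173:55): avc: denied '
       '{ signull } for pid=13789 comm="nm-vpnc-service" '
       'scontext=system_u:system_r:NetworkManager_t:s0 '
       'tcontext=system_u:system_r:vpnc_t:s0 tclass=process')
SYSCALL = ('host=l3f1199 type=SYSCALL msg=audit(1224018786.173:55): '
           'arch=40000003 syscall=37 success=no exit=-13 '
           'a0=35f1 a1=0 a2=35f1 a3=bf9dfedc')

def parse_avc(line):
    """Return the fields of an AVC denial, or None if the line is not one."""
    m = re.search(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
                  r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}', line)
    if not m:
        return None
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line[m.end():]))
    type_of = lambda ctx: ctx.split(':')[2]  # context is user:role:type:level
    return {'event': (m['ts'], m['serial']),
            'perms': m['perms'].split(),
            'source': type_of(kv['scontext']),
            'target': type_of(kv['tcontext']),
            'tclass': kv['tclass'],
            'comm': kv['comm'].strip('"')}

def te_rule(avc):
    """Format the type-enforcement allow rule matching the denial."""
    perms = avc['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {p};"

def explain_syscall(line):
    """Decode an i386 kill(2) SYSCALL record; other syscalls return None."""
    kv = dict(re.findall(r'(\w+)=(\S+)', line))
    # arch 40000003 is i386, where syscall 37 is kill(pid, sig).
    if kv.get('arch') != '40000003' or kv.get('syscall') != '37':
        return None
    # Arguments are logged in hex; sig 0 only tests that the pid exists,
    # which SELinux checks as the "signull" process permission.
    return {'pid': int(kv['a0'], 16), 'sig': int(kv['a1'], 16),
            'errno': -int(kv['exit'])}  # 13 is EACCES

if __name__ == '__main__':
    print(te_rule(parse_avc(AVC)))
    print(explain_syscall(SYSCALL))
```
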
Dan: relevant for 5.3, f8, f9, and rawhide... the same code is in the pptp and openvpn plugins, let me know if you need more details
Fixed in selinux-policy-3.3.1-103.fc9.noarch
Fixed in selinux-policy-3.0.8-121.fc8
Fixed in selinux-policy-2.4.6-166.el5
Fixed in selinux-policy-3.5.12-2.fc10.noarch