Bug 924840 - NetworkManager fails to initiate an L2tp/IPsec PSK connection with SELinux denials
Summary: NetworkManager fails to initiate an L2tp/IPsec PSK connection with SELinux de...
Keywords:
Status: CLOSED DUPLICATE of bug 887674
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager-l2tp
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Ivan Romanov
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-03-22 15:36 UTC by darton
Modified: 2013-03-23 08:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-23 08:08:48 UTC
Type: Bug
Embargoed:



Description darton 2013-03-22 15:36:52 UTC
Description of problem:

NetworkManager fails to establish an L2TP/IPsec PSK client connection. The log contains "avc: denied" messages.


Version-Release number of selected component (if applicable):

NetworkManager.x86_64                   1:0.9.8.0-1.fc18
NetworkManager-l2tp.x86_64              0.9.6-2.fc18
selinux-policy.noarch                   3.11.1-86.fc18
selinux-policy-targeted.noarch          3.11.1-86.fc18

How reproducible:

always

Steps to Reproduce:
1. Use regular NetworkManager GUI to create an l2tp client connection. On VPN tab, click "IPsec Settings..." button, check "Enable IPsec tunnel to L2TP host" box, enter pre-shared key.
2. Save the connection.
3. Start the connection.
  
Actual results:

NetworkManager fails with the following in /var/log/messages:

Mar 22 18:37:33 mysystem NetworkManager[672]: <info> Starting VPN service 'l2tp'...
Mar 22 18:37:33 mysystem NetworkManager[672]: <info> VPN service 'l2tp' started (org.freedesktop.NetworkManager.l2tp), PID 1564
Mar 22 18:37:33 mysystem NetworkManager[672]: <info> VPN service 'l2tp' appeared; activating connections
Mar 22 18:37:33 mysystem NetworkManager[672]: <info> VPN plugin state changed: starting (3)
Mar 22 18:37:33 mysystem kernel: [  552.972740] type=1400 audit(1363963053.616:4): avc:  denied  { name_bind } for  pid=1564 comm="nm-l2tp-service" src=1701 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:l2tp_port_t:s0 tclass=udp_socket
Mar 22 18:37:33 mysystem kernel: [  553.034018] type=1400 audit(1363963053.678:5): avc:  denied  { rename } for  pid=1564 comm="nm-l2tp-service" name="ipsec.secrets" dev="dm-1" ino=394807 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file
Mar 22 18:37:33 mysystem NetworkManager[672]: <info> VPN connection 'test l2tp' (Connect) reply received.
Mar 22 18:37:33 mysystem NetworkManager[672]: <warn> VPN connection 'test l2tp' failed to connect: 'Cannot save /etc/ipsec.secrets'.
Mar 22 18:37:33 mysystem NetworkManager[672]: <info> Policy set 'eth1' (em1) as default for IPv4 routing and DNS.
Mar 22 18:37:33 mysystem NetworkManager[672]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Mar 22 18:37:38 mysystem NetworkManager[672]: <info> VPN service 'l2tp' disappeared

Expected results:

Either the VPN connection is established, or NetworkManager complains about some client settings.

Additional info:

Nothing is written to audit.log, "ausearch -m avc" yields nothing.

There is a similar-looking issue opened for Fedora 17, though I'm not sure if these are the same or not: https://bugzilla.redhat.com/show_bug.cgi?id=887674
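The report notes that these denials appear only as kernel messages in /var/log/messages and not in audit.log, so "ausearch -m avc" does not surface them. As an added example (not part of this report or of the NetworkManager-l2tp project), the following Python script parses syslog-style AVC lines of the kind quoted above, names the source domain, target type, object class and denied permissions for each, and collapses them into the allow-rule form that audit2allow would print, so the breadth of what a fix would need to grant can be reviewed before anyone considers a policy change. The regular expressions, function names and the embedded sample (copied from the excerpt above) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials quoted in this report's /var/log/messages
# excerpt, with a non-AVC line on each side to show that they are skipped.
SAMPLE_LOG = """\
Mar 22 18:37:33 mysystem NetworkManager[672]: <info> VPN plugin state changed: starting (3)
Mar 22 18:37:33 mysystem kernel: [  552.972740] type=1400 audit(1363963053.616:4): avc:  denied  { name_bind } for  pid=1564 comm="nm-l2tp-service" src=1701 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:l2tp_port_t:s0 tclass=udp_socket
Mar 22 18:37:33 mysystem kernel: [  553.034018] type=1400 audit(1363963053.678:5): avc:  denied  { rename } for  pid=1564 comm="nm-l2tp-service" name="ipsec.secrets" dev="dm-1" ino=394807 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file
Mar 22 18:37:33 mysystem NetworkManager[672]: <warn> VPN connection 'test l2tp' failed to connect: 'Cannot save /etc/ipsec.secrets'.
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component (user:role:TYPE:level) of an SELinux context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one log line; return a dict for an AVC denial or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": perms,
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "stype": selinux_type(fields.get("scontext", "")),
        "ttype": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        # The object differs by class: a file name, a port number, or a path.
        "object": fields.get("name") or fields.get("src") or fields.get("path") or "",
    }


def parse_log(text):
    """Return all AVC denials found in a block of syslog text, in order."""
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def describe(d):
    """One-line, human-readable explanation of a parsed denial."""
    obj = f" ({d['object']})" if d["object"] else ""
    return (f"{d['comm']} pid {d['pid']} in domain {d['stype']} was denied "
            f"{' '.join(d['perms'])} on {d['tclass']} labelled {d['ttype']}{obj}")


def required_rules(denials):
    """Collapse denials into (source type, target type, class) -> permissions and
    render them in the allow-rule syntax audit2allow prints. Each rule is something a
    fix would have to grant; e.g. rename on ipsec_key_file_t widens what the whole
    NetworkManager_t domain may do to IPsec key files, which is why such rules belong
    in a reviewed policy module rather than a blanket local allow."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for d in found:
        print(describe(d))
    print("\nrules a policy fix would need:")
    for rule in required_rules(found):
        print("  " + rule)
```

Run it against a real file with `python3 avc_parse.py < /var/log/messages` after changing the `__main__` block to read `sys.stdin`; the parser keys only on the `avc:  denied` fragment, so it works on lines from the kernel ring buffer as well as on syslog output.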

Comment 1 Ivan Romanov 2013-03-23 08:08:48 UTC
I think it is the same. Anyway, I haven't any SELinux and IPsec experience to fix this. Feel free to provide a patch to resolve this issue. I will forward this issue to upstream. But previously he couldn't help.

*** This bug has been marked as a duplicate of bug 887674 ***

