Cisco AnyConnect VPN on Fedora 34

Has anyone successfully run Cisco AnyConnect VPN with Fedora 34? Installation of 4.8.02045 (which works on Fedora 33) seems to go okay, but ends with:

Job for vpnagentd.service failed because the control process exited with error code.

Doing a “journalctl -xeu vpnagentd.service” yields:

vpnagentd.service: Failed to locate executable /opt/cisco/anyconnect/bin/load_tun.sh: Permission denied
vpnagentd.service: Control process exited, code=exited, status=203/EXEC
vpnagentd.service: Failed with result 'exit-code'.
Failed to start Cisco AnyConnect Secure Mobility Client Agent.

However, the file /opt/cisco/anyconnect/bin/load_tun.sh exists, and seems to have the right permissions…if you run it as root, it creates the tunnel. However, even with the tunnel in place you still get 203/EXEC errors when trying to start the vpnagentd.service.

When you start the client from the command line (/opt/cisco/anyconnect/bin/vpnui), the following message appears in the console:

Gtk-Message: 16:32:32.727: Failed to load module "pk-gtk-module"

I wasn’t expecting anything with the vpnagentd.service down, but the GUI fails to draw properly at all and eventually quits after this. So there seem to be multiple issues.

I also tried 4.9.06037, and versions going back to 4.5, all with the same result. Any help would be appreciated!

SELinux perhaps? Maybe check the logs by running the following shortly after the service fails:

# aureport -a -ts recent
aureport -a -ts recent

AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
<no events of interest were found>

But I did find this in the system log:

audit[57745]: AVC avc:  denied  { execute } for  pid=57745 comm="(d_tun.sh)" name="load_tun.sh" dev="dm-0" ino=834444 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0

I’ll see if I can make that go away, good idea.

audit2why seems to indicate that you will have to generate a type enforcement rule to allow that access:

$ echo 'audit[57745]: AVC avc:  denied  { execute } for  pid=57745 comm="(d_tun.sh)" name="load_tun.sh" dev="dm-0" ino=834444 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0' | audit2why
audit[57745]: AVC avc:  denied  { execute } for  pid=57745 comm="(d_tun.sh)" name="load_tun.sh" dev="dm-0" ino=834444 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

Here is some documentation for audit2allow: 10.3.8. Allowing Access: audit2allow

2 Likes
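To make the audit2why/audit2allow step above concrete, here is an added shell example (not from this thread and not Cisco's or Fedora's tooling) that parses the AVC denial quoted above into its fields and prints the type-enforcement (TE) allow rule and module skeleton that `audit2allow -M` would produce for it. The denial line is the one from the thread, embedded as a constructed sample; the module name `anyconnect_load_tun` is an assumed placeholder.

```shell
#!/bin/sh
# Added example: parse an SELinux AVC denial into its fields and show the
# TE allow rule audit2allow would generate, so it can be reviewed before
# being built into a policy module. POSIX sh, no external tools needed.
set -eu

# Constructed sample: the denial quoted in the thread.
AVC_LINE='audit[57745]: AVC avc:  denied  { execute } for  pid=57745 comm="(d_tun.sh)" name="load_tun.sh" dev="dm-0" ino=834444 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

# avc_field LINE KEY -> value of " KEY=value" with surrounding quotes removed.
# Returns 1 when the key is absent.
avc_field() {
    local line key value
    line=$1; key=$2
    value=${line#* "${key}"=}          # drop everything through " key="
    [ "$value" != "$line" ] || return 1 # pattern did not match: key missing
    value=${value%% *}                  # keep up to the next space
    value=${value#\"}; value=${value%\"}
    printf '%s\n' "$value"
}

# avc_permissions LINE -> the permission set inside "{ ... }".
avc_permissions() {
    local rest
    rest=${1#*\{ }                      # drop everything through "{ "
    printf '%s\n' "${rest%% \}*}"       # keep up to " }"
}

# context_type user:role:type:level -> type (third colon-separated field).
context_type() {
    local t
    t=${1#*:*:}                         # strip user and role
    printf '%s\n' "${t%%:*}"            # strip the MLS/MCS level
}

# avc_to_te LINE -> the single allow rule equivalent to the denial.
avc_to_te() {
    local line src tgt cls perms
    line=$1
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_permissions "$line")
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# te_module NAME LINE -> complete .te source in the layout audit2allow -M uses.
te_module() {
    local name line src tgt cls perms
    name=$1; line=$2
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_permissions "$line")
    printf 'module %s 1.0;\n\n' "$name"
    printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$src" "$tgt" "$cls" "$perms"
    printf '#============= %s ==============\n' "$src"
    avc_to_te "$line"
}

# Usage: print the rule, then the module source (assumed module name).
avc_to_te "$AVC_LINE"
te_module anyconnect_load_tun "$AVC_LINE"
```

The generated rule, `allow init_t var_t:file execute;`, lets the init domain execute every file labelled `var_t`, not just `load_tun.sh`, which is why reviewing the rule before `semodule -i` is worth the minute. A `var_t` label on a file under /opt is also worth a second look: `ls -Z` on the script and `matchpathcon` on its path show whether the installed file simply kept the wrong label, in which case relabelling it is a narrower fix than widening policy.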

Thanks for the link. I did generate a TE rule for that, which got me farther down the process…with a whole bunch of other errors, but the service is running, and the UI comes up as expected - I am successfully able to connect via VPN!

I can’t believe I didn’t think of SELinux - it’s odd that the permissions didn’t get set right in the first place though. I didn’t see any SELinux failures when the installer was running, but the SELinux policy in place for /opt/cisco/ is definitely not the same as it was in Fedora 33 and 32.

I have had multiple issues trying to run Cisco AnyConnect software. As a replacement I use the default GNOME settings (Settings > Network > Add VPN) to add a VPN using the multi-protocol VPN client, which is compatible with this kind of VPN. I think this is easier, more reliable and better integrated into the GNOME environment.

You will see many options there, but you only need to fill in the gateway and you can leave everything else empty.

I hope this helps.

1 Like

I was happily using GNOME’s VPN, which I believe is NetworkManager-OpenConnect, until we switched to requiring MFA on our VPN, and it turns out that GNOME is unable to handle this, at least with our setup. I miss being able to single-click the VPN on and off again whenever I wanted, instead of the ordeal it is to run Cisco AnyConnect! I’ve found Cisco to be much less reliable in general, so I would urge people to try the built-in VPN first before resorting to AnyConnect.

2 Likes