Fedora 29 Networkmanager Openssh VPN

Hi,
I am using Networkmanager to configure an openssh vpn. When the vpn is activated, it generates an selinux denial message, but the sealert system does not detect the denial, and offer to troubleshoot with tips on how to fix it.
The error is

$ journalctl -S 17:02 -u NetworkManager
-- Logs begin at Wed 2018-11-21 11:14:15 AEST, end at Thu 2019-06-13 17:02:19 AEST. --
Jun 13 17:02:16 wren.nixtec.net NetworkManager[2959]: <info>  [1560409336.4504] audit: op="connection-activate" uuid="75eb7544-28f3-4b42-9e93-feac92bfd66a" name="VenusSSHVPN" pid=4127 uid=1000 result="success"
Jun 13 17:02:16 wren.nixtec.net NetworkManager[2959]: <info>  [1560409336.4666] vpn-connection[0x5585c35140e0,75eb7544-28f3-4b42-9e93-feac92bfd66a,"VenusSSHVPN",0]: Started the VPN service, PID 15597
Jun 13 17:02:16 wren.nixtec.net NetworkManager[2959]: <info>  [1560409336.4847] vpn-connection[0x5585c35140e0,75eb7544-28f3-4b42-9e93-feac92bfd66a,"VenusSSHVPN",0]: Saw the service appear; activating connection
Jun 13 17:02:16 wren.nixtec.net NetworkManager[2959]: <error> [1560409336.4875] vpn-connection[0x5585c35140e0,75eb7544-28f3-4b42-9e93-feac92bfd66a,"VenusSSHVPN",0]: plugin NeedSecrets request #1 failed: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.18" (uid=0 pid=2959 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0") interface="org.freedesktop.NetworkManager.VPN.Plugin" member="NeedSecrets" error name="(unset)" requested_reply="0" destination=":1.892" (uid=0 pid=15597 comm="/usr/libexec/nm-ssh-service --bus-name org.freedes" label="system_u:system_r:NetworkManager_ssh_t:s0")

Thanks

1 Like

Hello @rmb and welcome to the community. Please do go over the introductory posts in the #start-here category if you have not yet had a chance to do so. They include useful information on using this platform better/effectively.

Just a simple question: do you have setroubleshoot installed?

Yes, I normally use it to fix selinux problems. Last problem shown below, when seting up openvpn, and the CA file was in the “wrong” folder