On 11/8/18 5:54 PM, Paul Smith wrote:
> On Fri, Nov 9, 2018 at 1:46 AM Rick Stevens <ricks@xxxxxxxxxxxxxx> wrote:
>>
>>>>>> If disabling SELinux fixes the connection issue, I'd sure-as-tootin'
>>>>>> file a bugzilla about it.
>>>>> I need to remove this phrase from my "it goes without saying" list. :-)
>>>>>
>>>>> As I've said before "I" haven't had a case where "Permissive" didn't reveal the issue.
>>>>>
>>>>> I have been bitten by cases where modules are marked "Do Not Audit" such that an SELinux
>>>>> AVC blocks an operation but does so silently.
>>>> And I've hit those too, but again, there are certain things that
>>>> "permissive" still blocks. You get the denial but it still blocks. I'll
>>>> be interested in seeing if a full SELinux disable permits the thing to
>>>> work. That'd prove it one way or another.
>>>
>>> Yes, as I pointed out elsewhere, a bit of research (that dirty word) reveals....
>>>
>>> When we said that running in permissive mode has the system run as if SELinux was not
>>> enabled, we weren't really lying... well, perhaps a bit.
>>>
>>> There is the matter of SELinux-aware applications. These are applications that know about
>>> SELinux on a system, and behave differently when SELinux is enabled or not. Most of these
>>> applications however do not change their behavior based on the permissive or enforcing
>>> mode - only if SELinux is truly disabled. But that does mean that running your system in
>>> permissive might still have applications behave as if SELinux was in enforcing mode, or at
>>> least behave differently than when SELinux is disabled.
>>
>> Thanks for finding that, Ed. So it may be strongswan or stroke at fault
>> and not SELinux. But the point is, "permissive" != "enforcing without
>> blocking".
>
> Rick is totally right: With SELinux disabled, the L2TP connection is
> successfully established!

Woo HOO! Yeah! Go Team! :-)

> I have meanwhile filed a bug at Bugzilla against selinux-policy.
>
> Thanks for the great help you offered me!

Well, we figured how to get around an issue, although not the ideal way
(it's not good to run with SELinux disabled). At least we isolated where
the problem lies. Glad to help.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-  After a shooting spree, they always want to take the guns away    -
-  from the people who didn't do it.                                 -
-                                  -- William S.Burroughs            -
----------------------------------------------------------------------
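
Whether a logged denial was actually enforced by the kernel can be read from the `permissive=` field that AVC records carry on recent kernels. The following is an added example, not part of the original messages: it summarizes AVC denials and separates enforced ones from logged-only ones. The sample records are constructed, and `exampled`, `example_t` and `example_port_t` are made-up names.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the thread); comm and type names are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1541728440.101:310): avc:  denied  { read } for  pid=2101 comm="exampled" name="example.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1541728441.202:311): avc:  denied  { read } for  pid=2101 comm="exampled" name="example.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1541728450.303:320): avc:  denied  { name_bind } for  pid=2200 comm="exampled" src=61000 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1541728450.303:320): arch=c000003e syscall=49 success=no exit=-13 comm="exampled"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    flag = m.group("permissive")
    return {
        "comm": m.group("comm"),
        "perms": tuple(m.group("perms").split()),
        "source": m.group("scon").split(":")[2],   # type field of the context
        "target": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
        # permissive=0: the kernel refused the access; permissive=1: logged only.
        # Older kernels omit the field, so the outcome is unknown (None).
        "enforced": None if flag is None else flag == "0",
    }

def summarize(log_text):
    """Count denials keyed by (comm, perms, source, target, tclass, enforced)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[tuple(rec.values())] += 1
    return counts

def enforced_denials(log_text):
    return [key for key in summarize(log_text) if key[-1] is True]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        state = {True: "BLOCKED", False: "logged only", None: "unknown"}[key[-1]]
        print(f"{n}x {key[:-1]} [{state}]")
```

A denial suppressed by a dontaudit rule produces no AVC record at all, so it will not show up in this summary.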