Short tip: NetworkManager, 802.1x and SELinux

IEEE 802.1X is a standard for port-based network access control: a device attached to a physical LAN port, a VLAN or a WLAN is only admitted to the network after it has authenticated successfully. The authentication is carried over EAP and is typically validated by a RADIUS server; with certificate-based methods such as EAP-TLS, the exchange itself is protected by TLS.

If such a configuration is to be used together with NetworkManager and SELinux, the storage location of the required client certificate and private key is essential. Ideally they are placed in the folder ~/.cert, even though the documentation does not mention this:

$ ls -laZ ~/.cert/work/
total 8
drwxr-xr-x. 1 christian christian unconfined_u:object_r:home_cert_t:s0   56  4. Oct 13:00 .
drwxr-xr-x. 1 christian christian unconfined_u:object_r:home_cert_t:s0    6  4. Oct 12:59 ..
-rw-------. 1 christian christian unconfined_u:object_r:home_cert_t:s0 2932  4. Oct 13:02 mymachine.cer
-rw-------. 1 christian christian unconfined_u:object_r:home_cert_t:s0 3434  4. Oct 13:01 mymachine.key
Important

The SELinux type home_cert_t is essential. If the files carry a different type, restorecon -Rv ~/.cert relabels them according to the file-context policy (matchpathcon ~/.cert shows which label the policy expects). Note that the key should also be readable by the owner only, as in the listing above.

According to Red Hat documentation, the files can also be located below the /etc/pki folder - but this does not work for me under Fedora 38.

If the SELinux context is incorrect, network access simply does not work. When the connection is activated, the dialogue asking for the private-key password still appears, but the connection is never established. Unfortunately no rule violations are logged and no meaningful error message is produced. Keep in mind that denials covered by a dontaudit rule never reach audit.log; to rule those out, temporarily disable them with semodule -DB, retry the connection, check ausearch again, and re-enable them with semodule -B:

# ausearch -i -m avc -ts today
<no matches>

# audit2why -i /var/log/audit/audit.log
Nothing to do

# journalctl -u NetworkManager.service
...
Okt 04 10:38:08 mamachine NetworkManager[17034]: <info>  [1696408688.8238] device (enp5s0f4u1u1): Activation: starting connection 'Kabelgebundene Verbindung 1'
Okt 04 10:38:08 mamachine NetworkManager[17034]: <info>  [1696408688.8239] device (enp5s0f4u1u1): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
Okt 04 10:38:08 mamachine NetworkManager[17034]: <info>  [1696408688.8239] manager: NetworkManager state is now CONNECTING
Okt 04 10:38:08 mamachine NetworkManager[17034]: <info>  [1696408688.8240] device (enp5s0f4u1u1): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Okt 04 10:38:08 mamachine NetworkManager[17034]: <info>  [1696408688.8343] device (enp5s0f4u1u1): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed')
Okt 04 10:38:08 mamachine NetworkManager[17034]: <info>  [1696408688.8350] dhcp4 (enp5s0f4u1u1): activation: beginning transaction (timeout in 45 seconds)
Okt 04 10:38:53 mamachine NetworkManager[17034]: <info>  [1696408733.8020] device (enp5s0f4u1u1): state change: ip-config -> failed (reason 'ip-config-unavailable', sys-iface-state: 'managed')
Okt 04 10:38:53 mamachine NetworkManager[17034]: <info>  [1696408733.8027] manager: NetworkManager state is now CONNECTED_LOCAL
Okt 04 10:38:53 mamachine NetworkManager[17034]: <warn>  [1696408733.8031] device (enp5s0f4u1u1): Activation: failed for connection 'Kabelgebundene Verbindung 1'