@rafaeltuelho
Last active June 30, 2023 15:19
setup Checkpoint Firewall VPN with SNX on Linux Fedora 25

First you have to ensure the Java JRE is installed on your system.
Remember that the Java plugin will only work on Firefox. If you prefer to install from the Fedora/RHEL repos:

sudo dnf install java-1.8.0-openjdk icedtea-web   # or use yum in place of dnf

Download the snx installer script from the Checkpoint VPN page:

https://<your company vpn ip addr>/sslvpn/SNX/INSTALL/snx_install.sh

Run it as root to install, then try to run snx:

sudo /usr/bin/snx --help
/usr/bin/snx: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory

sudo ldconfig -p | grep libpam
libpamc.so.0 (libc6,x86-64) => /lib64/libpamc.so.0
libpamc.so (libc6,x86-64) => /lib64/libpamc.so
libpam_misc.so.0 (libc6,x86-64) => /lib64/libpam_misc.so.0
libpam_misc.so (libc6,x86-64) => /lib64/libpam_misc.so
libpam.so.0 (libc6,x86-64) => /lib64/libpam.so.0
libpam.so (libc6,x86-64) => /lib64/libpam.so

sudo ldd /usr/bin/snx
linux-gate.so.1 (0xf7762000)
libX11.so.6 => /lib/libX11.so.6 (0xf75f6000)
libpthread.so.0 => /lib/libpthread.so.0 (0xf75d9000)
libresolv.so.2 => /lib/libresolv.so.2 (0xf75bd000)
libdl.so.2 => /lib/libdl.so.2 (0xf75b8000)
libpam.so.0 => not found
libnsl.so.1 => /lib/libnsl.so.1 (0xf759b000)
libstdc++.so.5 => not found
libc.so.6 => /lib/libc.so.6 (0xf73c0000)
libxcb.so.1 => /lib/libxcb.so.1 (0xf7394000)
/lib/ld-linux.so.2 (0x565a4000)
libXau.so.6 => /lib/libXau.so.6 (0xf7390000)
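
snx is a 32-bit binary, so the 64-bit libpam listed by ldconfig does not satisfy it. Install the i686 versions of the missing libraries:

sudo dnf install pam.i686 libstdc++.i686 compat-libstdc++-33.i686 libX11.i686   # or use yum in place of dnf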

Try to access the VPN again. Now you should be blocked by SELinux policies:

[root@rsoares ~]# tail -F /var/log/audit/audit.log /var/log/messages | grep snx
type=AVC msg=audit(1484699727.108:1452): avc: denied { execute } for pid=23922 comm="snx" path="/etc/ld.so.cache" dev="dm-2" ino=2843957 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1484699727.112:1453): avc: denied { write } for pid=23922 comm="snx" name="CKP_mutex::__CkpReg_Mutex_" dev="dm-2" ino=34793342 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1484699727.115:1454): avc: denied { name_bind } for pid=23922 comm="snx" src=7776 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1484699727.116:1455): avc: denied { write } for pid=23924 comm="snx" name="/" dev="tmpfs" ino=10109 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1484699728.181:1456): avc: denied { execute } for pid=23935 comm="snx" path="/etc/ld.so.cache" dev="dm-2" ino=2843957 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0
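
Stop unconfined processes from transitioning into the mozilla_plugin_t domain (the source domain in the denials above), then build a local policy module from the logged snx denials and install it at priority 300. audit2allow -M also writes my-snx.te, the readable source of the rules being granted; read it before installing the .pp:

sudo setsebool -P unconfined_mozilla_plugin_transition 0
sudo ausearch -c 'snx' --raw | audit2allow -M my-snx
sudo semodule -X 300 -i my-snx.pp

NetworkManager then logs the tunsnx device coming up:
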
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.3991] manager: (tunsnx): new Tun device (/org/freedesktop/NetworkManager/Devices/24)
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4142] device (tunsnx): state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4186] keyfile: add connection in-memory (e0a49278-34ab-4d66-8526-4fd6b475ff0a,"tunsnx")
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4291] device (tunsnx): state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4334] device (tunsnx): Activation: starting connection 'tunsnx' (e0a49278-34ab-4d66-8526-4fd6b475ff0a)
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4528] device (tunsnx): state change: disconnected -> prepare (reason 'none') [30 40 0]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4733] device (tunsnx): state change: prepare -> config (reason 'none') [40 50 0]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4859] device (tunsnx): state change: config -> ip-config (reason 'none') [50 70 0]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4882] device (tunsnx): state change: ip-config -> ip-check (reason 'none') [70 80 0]
Jan 17 21:38:21 rsoares nm-dispatcher: req:1 'pre-up' [tunsnx]: new request (1 scripts)
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.5408] device (tunsnx): state change: ip-check -> secondaries (reason 'none') [80 90 0]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.5427] device (tunsnx): state change: secondaries -> activated (reason 'none') [90 100 0]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.5497] device (tunsnx): Activation: successful, device activated.
Jan 17 21:38:21 rsoares nm-dispatcher: req:2 'up' [tunsnx]: new request (5 scripts)
Jan 17 21:38:21 rsoares nm-dispatcher: req:2 'up' [tunsnx]: start running ordered scripts...
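
To read what the audit2allow step above would grant before the module is installed, the denials can be collapsed into allow-rule-shaped lines. This is an added example, not part of the gist; the function names, the constructed sample records and the list of "broad" target types are assumptions.

```shell
# Added example (not from the gist): collapse AVC denials into allow-rule-shaped
# lines so the grants can be read before a generated module is installed.

# Assumption: generic labels a reviewer wants flagged, since a rule on them
# covers many unrelated files.
BROAD_TYPES="etc_t var_run_t"

# Reads audit records on stdin; prints one line per unique
# (source type, target type, class) with the denied permissions merged.
avc_to_rules() {
  awk -v broad="$BROAD_TYPES" '
    BEGIN { nb = split(broad, b, " "); for (i = 1; i <= nb; i++) isbroad[b[i]] = 1 }
    /avc: +denied/ {
      src = tgt = cls = ""
      lb = index($0, "{"); rb = index($0, "}")
      if (lb == 0 || rb <= lb) next              # malformed record
      np = split(substr($0, lb + 1, rb - lb - 1), perm, " ")
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, c, ":"); src = c[3] }
        else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        else if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      if (src == "" || tgt == "" || cls == "") next
      key = src " " tgt ":" cls
      if (!(key in perms)) {
        order[++n] = key; perms[key] = ""
        note[key] = (tgt in isbroad) ? "  # REVIEW: broad target type" : ""
      }
      for (i = 1; i <= np; i++)
        if (!seen[key, perm[i]]++) perms[key] = perms[key] " " perm[i]
    }
    END { for (i = 1; i <= n; i++) print "allow " order[i] " {" perms[order[i]] " };" note[order[i]] }
  '
}

# Constructed sample records, modeled on the denials shown above.
sample_avc() {
  cat <<'EOF'
type=AVC msg=audit(0.0:1): avc:  denied  { execute } for pid=1 comm="snx" path="/etc/ld.so.cache" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(0.0:2): avc:  denied  { write } for pid=1 comm="snx" name="CKP_mutex" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(0.0:3): avc:  denied  { name_bind } for pid=1 comm="snx" src=7776 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(0.0:4): avc:  denied  { execute } for pid=2 comm="snx" path="/etc/ld.so.cache" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0
EOF
}

sample_avc | avc_to_rules
```

On a real system, pipe `sudo ausearch -c 'snx' --raw` into `avc_to_rules` and compare the result with the generated my-snx.te.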
@bdaase

bdaase commented May 19, 2018

Thanks for this list, it helped a lot!
But for me it did not work completely using Fedora 28, I got libnsl.so.1 => not found.
So additionally I executed sudo dnf install libnsl.so.1 and everything worked fine.

@agnis-mateuss

> Thanks for this list, it helped a lot!
> But for me it did not work completely using Fedora 28, I got libnsl.so.1 => not found.
> So additionally I executed sudo dnf install libnsl.so.1 and everything worked fine.

It's because of F28 moving to glibc 2.27. Linking the new version to where snx expects libnsl to be, works.

ln -s /usr/lib64/libnsl.so.2.0.0 /usr/lib64/libnsl.so.1
ln -s /usr/lib/libnsl.so.2.0.0 /usr/lib/libnsl.so.1   

@nilsnh

nilsnh commented May 4, 2020

Thanks for writing up this guide! ❤️

I'm on Fedora 31 and could not find the compat-libstdc++-33.i686 package. I finally solved it by running:

sudo dnf install compat-libstdc++-33.i686 --releasever 30

@luciancrasovan

> Thanks for writing up this guide! ❤️
>
> I'm on Fedora 31 and could not find the compat-libstdc++-33.i686 package. I finally solved it by running:
>
> sudo dnf install compat-libstdc++-33.i686 --releasever 30

Worked nice for me under Fedora 38. Thanks!!!
