Using the F5 VPN Client Plugin in Fedora 22

So, I had been using the F5 Plugin with my Fedora 21 workstation and when I upgraded, I falsely assumed that I couldn’t get it to work because I was now using Fedora 22.  I didn’t recall that I had had similar troubles with Fedora 21 which I overcame, and it wasn’t until I fired up a Fedora 21 VM and noticed the same failure (you don’t want to know what my solution was going to be…it involved a Fedora 21 VM, IP forwarding and masquerading, manual routing table modifications for the Fedora 22 system..) that I rifled through my various notes and found a quick reference to a resolution for the problem which never made it to the blog (for shame!).

First off, I’d like to thank F5 for supporting Linux clients with their F5 “FirePass” plugin.  They don’t have to do that, I’m sure they don’t get a whole lot of market value out of it, but I am one happy customer because of it, and here I am thanking them for it.

And the process for installing and using the F5 plugin in a Linux/GNU environment (Fedora 22 for me, but this should work on any Linux-based system) should be incredibly simple.  As long as you have Firefox installed, you just navigate to the URL you use to reach your F5 connection and follow the prompts.  Firefox will automatically download the plugin and install it.  Theoretically, that’s the end.

Unfortunately, in Fedora 20/21/22, you’ll subsequently receive messages indicating that Firefox was unable to install the plugin, and you’ll receive a sketchy prompt for your root or sudo password from what should be the VPN window.

Anyone who is willing to put a root or sudo password in a browser window is a crazy person.  I did change my root password to something stupid (literally “stupid”) to test and see if that prompt would really work, but it immediately responds with a failure to install the plugin and a suggestion that I click a link for instructions regarding the manual acquisition and installation of the plugin.  Clicking that link brought me to what appears to be a long-forgotten, perhaps never-known “knowledge base” hosted by the F5 system.  It is empty and not helpful.

But moving on, a quick examination of the systemd journal shows:

pppd[3182]: Can't open options file /etc/ppp/options: Permission denied
audit[3182]:  avc:  denied  { read } for  pid=3182 comm="pppd" name="options" dev="dm-0" ino=67170671 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_
...

The F5 VPN plugin relies on the Point-to-Point-Protocol Daemon (pppd), and what we’re seeing here is an SELinux problem, as made clear by the very many preceding AVC denial messages in the journal (of which I have only displayed one).  The way to resolve this is to change an SELinux boolean:

sudo setsebool -P unconfined_mozilla_plugin_transition 0

And that’s all there is to it.  Now, you can connect!  I’m sure there’s a more elegant and specific way to accomplish this, but I have not invested the time to figure it out.  I know browser plugins are common attack vectors, but I’m a careful user of Firefox, so it doesn’t bother me too much to allow unconfined users to transition to the Mozilla plugin domain when running the xulrunner plugin-container.
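To see which domain the denials come from before changing any boolean, the AVC records can be grouped by command and source domain. The script below is an added example, not part of the original post; its sample journal lines are constructed (pids, inodes and target types are made up), and the function names are hypothetical. Every denial in the page's journal excerpt has pppd running in mozilla_plugin_t, the plugin's domain; the boolean controls whether plugin processes started by an unconfined user transition into that domain, and with it set to 0 they do not, so pppd is no longer bound by mozilla_plugin_t rules.

```shell
#!/bin/sh
# Added example (not from the original post): group SELinux AVC denials by
# command, source domain, target type, object class and permissions.

# Constructed sample journal lines; pids, inodes and target types are made up.
sample_journal() {
cat <<'EOF'
Jun 01 10:00:01 host pppd[4101]: Can't open options file /etc/ppp/options: Permission denied
Jun 01 10:00:01 host audit[4101]: avc:  denied  { read } for  pid=4101 comm="pppd" name="options" dev="dm-0" ino=1001 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pppd_etc_t:s0 tclass=file permissive=0
Jun 01 10:00:02 host audit[4101]: avc:  denied  { read } for  pid=4101 comm="pppd" name="options" dev="dm-0" ino=1001 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pppd_etc_t:s0 tclass=file permissive=0
Jun 01 10:00:03 host audit[4101]: avc:  denied  { read write } for  pid=4101 comm="pppd" name="ppp" dev="devtmpfs" ino=1002 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file permissive=0
EOF
}

# avc_summary: read journal/audit text on stdin and print one line per distinct
# denial as "COUNT COMM SOURCE_TYPE TARGET_TYPE CLASS PERMS", most frequent first.
avc_summary() {
  awk '
    /avc:  *denied/ {
      comm = ""; stype = ""; ttype = ""; tclass = ""; perms = ""; inperm = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inperm = 1; continue }   # permission list opens
        if ($i == "}") { inperm = 0; continue }   # permission list closes
        if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        # An SELinux context is user:role:type:level, so the type is field 3.
        if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/)   { tclass = $i; sub(/^tclass=/, "", tclass) }
      }
      count[comm " " stype " " ttype " " tclass " " perms]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# denied_in_domain DOMAIN: commands that were denied while running in DOMAIN.
denied_in_domain() {
  avc_summary | awk -v d="$1" '$3 == d { print $2 }' | sort -u
}

sample_journal | avc_summary
```

On a live system, pipe `journalctl -b` or `ausearch -m avc -ts recent` into `avc_summary` instead of the sample; `getsebool unconfined_mozilla_plugin_transition` shows the boolean's current state.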

This makes me very happy.  There’s something truly magnificent about working from home using free and open source software.  There’s a tangible purity about the tools and the platform with which I operate, and it is very satisfying in a deeply philosophical, dare I say spiritual, sense.  They are not designed by people attempting to extract a profit from me, but rather, they exist solely for their purpose as high quality software.  They are for people, by people.  Just looking at this beautiful KDE Plasma Desktop and contemplating its operation in conjunction with the myriad GNU userspace utilities and the Linux kernel, all beautiful products of a labor of love spanning decades of joint effort, gives incredible meaning to my work.  Being a part of the open source community, working to expand the reach of these immensely powerful, free utilities feels like a culmination of the end for which so many people working on UNIX in the 1970s and 1980s labored.

Thanks for starting something wonderful, all you who develop, produce, implement, and generally expand upon free and open source software.  Humans can do beautiful things despite our often more prominent flaws.


2 Responses to Using the F5 VPN Client Plugin in Fedora 22

  1. keeed says:

    wow! thanks a lot for this, mate!
