First, ensure the Java JRE is installed on your system.
Remember that the Java plugin only works in Firefox. If you prefer to install from the Fedora/RHEL repos:
sudo dnf (or yum) install java-1.8.0-openjdk icedtea-web
Download the snx installer script from the Check Point VPN page:
https://<your company vpn ip addr>/sslvpn/SNX/INSTALL/snx_install.sh
Run it as root to install.
sudo /usr/bin/snx --help
/usr/bin/snx: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory
sudo ldconfig -p | grep libpam
libpamc.so.0 (libc6,x86-64) => /lib64/libpamc.so.0
libpamc.so (libc6,x86-64) => /lib64/libpamc.so
libpam_misc.so.0 (libc6,x86-64) => /lib64/libpam_misc.so.0
libpam_misc.so (libc6,x86-64) => /lib64/libpam_misc.so
libpam.so.0 (libc6,x86-64) => /lib64/libpam.so.0
libpam.so (libc6,x86-64) => /lib64/libpam.so
sudo ldd /usr/bin/snx
linux-gate.so.1 (0xf7762000)
libX11.so.6 => /lib/libX11.so.6 (0xf75f6000)
libpthread.so.0 => /lib/libpthread.so.0 (0xf75d9000)
libresolv.so.2 => /lib/libresolv.so.2 (0xf75bd000)
libdl.so.2 => /lib/libdl.so.2 (0xf75b8000)
libpam.so.0 => not found
libnsl.so.1 => /lib/libnsl.so.1 (0xf759b000)
libstdc++.so.5 => not found
libc.so.6 => /lib/libc.so.6 (0xf73c0000)
libxcb.so.1 => /lib/libxcb.so.1 (0xf7394000)
/lib/ld-linux.so.2 (0x565a4000)
libXau.so.6 => /lib/libXau.so.6 (0xf7390000)
sudo dnf (or yum) install pam.i686 libstdc++.i686 compat-libstdc++-33.i686 libX11.i686
Try to access the VPN again. Now you should be blocked by SELinux policies.
[root@rsoares ~]# tail -F /var/log/audit/audit.log /var/log/messages | grep snx
type=AVC msg=audit(1484699727.108:1452): avc: denied { execute } for pid=23922 comm="snx" path="/etc/ld.so.cache" dev="dm-2" ino=2843957 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1484699727.112:1453): avc: denied { write } for pid=23922 comm="snx" name="CKP_mutex::__CkpReg_Mutex_" dev="dm-2" ino=34793342 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1484699727.115:1454): avc: denied { name_bind } for pid=23922 comm="snx" src=7776 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1484699727.116:1455): avc: denied { write } for pid=23924 comm="snx" name="/" dev="tmpfs" ino=10109 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1484699728.181:1456): avc: denied { execute } for pid=23935 comm="snx" path="/etc/ld.so.cache" dev="dm-2" ino=2843957 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0
sudo setsebool -P unconfined_mozilla_plugin_transition 0
sudo ausearch -c 'snx' --raw | audit2allow -M my-snx
sudo semodule -X 300 -i my-snx.pp
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.3991] manager: (tunsnx): new Tun device (/org/freedesktop/NetworkManager/Devices/24)
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4142] device (tunsnx): state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4186] keyfile: add connection in-memory (e0a49278-34ab-4d66-8526-4fd6b475ff0a,"tunsnx")
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4291] device (tunsnx): state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4334] device (tunsnx): Activation: starting connection 'tunsnx' (e0a49278-34ab-4d66-8526-4fd6b475ff0a)
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4528] device (tunsnx): state change: disconnected -> prepare (reason 'none') [30 40 0]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4733] device (tunsnx): state change: prepare -> config (reason 'none') [40 50 0]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4859] device (tunsnx): state change: config -> ip-config (reason 'none') [50 70 0]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.4882] device (tunsnx): state change: ip-config -> ip-check (reason 'none') [70 80 0]
Jan 17 21:38:21 rsoares nm-dispatcher: req:1 'pre-up' [tunsnx]: new request (1 scripts)
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.5408] device (tunsnx): state change: ip-check -> secondaries (reason 'none') [80 90 0]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.5427] device (tunsnx): state change: secondaries -> activated (reason 'none') [90 100 0]
Jan 17 21:38:21 rsoares NetworkManager[1169]: <info> [1484699901.5497] device (tunsnx): Activation: successful, device activated.
Jan 17 21:38:21 rsoares nm-dispatcher: req:2 'up' [tunsnx]: new request (5 scripts)
Jan 17 21:38:21 rsoares nm-dispatcher: req:2 'up' [tunsnx]: start running ordered scripts...
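Before loading my-snx.pp it helps to see which permissions the denials above turn into. The following is an added example, not part of the original gist: a Python script that collapses the five AVC lines shown earlier into allow rules in the form audit2allow writes to my-snx.te. The names allow_rules and selinux_type are made up for this illustration.

```python
import re
from collections import defaultdict

# The five AVC denials copied from the audit.log excerpt above.
SAMPLE = """\
type=AVC msg=audit(1484699727.108:1452): avc: denied { execute } for pid=23922 comm="snx" path="/etc/ld.so.cache" dev="dm-2" ino=2843957 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1484699727.112:1453): avc: denied { write } for pid=23922 comm="snx" name="CKP_mutex::__CkpReg_Mutex_" dev="dm-2" ino=34793342 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1484699727.115:1454): avc: denied { name_bind } for pid=23922 comm="snx" src=7776 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1484699727.116:1455): avc: denied { write } for pid=23924 comm="snx" name="/" dev="tmpfs" ino=10109 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1484699728.181:1456): avc: denied { execute } for pid=23935 comm="snx" path="/etc/ld.so.cache" dev="dm-2" ino=2843957 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0
"""

# Captures the denied permissions, source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def allow_rules(lines, comm="snx"):
    """Collapse the AVC denials of one command into sorted allow rules."""
    grants = defaultdict(set)
    for line in lines:
        match = AVC_RE.search(line)
        if not match or f'comm="{comm}"' not in line:
            continue
        key = (selinux_type(match["src"]), selinux_type(match["tgt"]), match["cls"])
        grants[key].update(match["perms"].split())  # repeated denials merge here
    rules = []
    for (src, tgt, cls), perms in sorted(grants.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE.splitlines())))
```

Every rule names mozilla_plugin_t as its source, so the module grants these permissions to the whole plugin domain rather than to the snx binary alone. Compare the list against the generated my-snx.te before running semodule.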
Thanks for this list, it helped a lot!
But for me it did not work completely using Fedora 28, I got libnsl.so.1 => not found.
So additionally I executed sudo dnf install libnsl.so.1 and everything worked fine.
It's because of F28 moving to glibc 2.27. Linking the new version to where snx expects libnsl to be works.
ln -s /usr/lib64/libnsl.so.2.0.0 /usr/lib64/libnsl.so.1
ln -s /usr/lib/libnsl.so.2.0.0 /usr/lib/libnsl.so.1
Thanks for writing up this guide! ❤️
I'm on Fedora 31 and could not find the compat-libstdc++-33.i686 package. I finally solved it by running:
sudo dnf install compat-libstdc++-33.i686 --releasever 30
Worked nice for me under Fedora 38. Thanks!!!
credits to: