
How did you find SELinux was doing its job and how long did it take?

I gave up on SELinux about 20 years ago when it was a source of endless frustration, or was that 15?




It took me about 10-15 minutes to turn my eyes towards SELinux, after some initial debugging.

I turned off SELinux temporarily and activated the connection successfully, and determined that it was indeed SELinux that was preventing NetworkManager from doing its job.

Then I re-enabled SELinux and went to look at /var/log/audit/audit.log to see what it had to complain about, and indeed some files created by NetworkManager in /root/.cert had bad contexts.

I set the proper contexts (semanage fcontext -a -t <context> <pathregex>), applied them (restorecon -Rv /root) and all was well.

SELinux was initially scary but:

- The "SELinux for mere mortals" talk is a very informative introductory video (https://www.youtube.com/watch?v=_WOKRaM-HI4)

- The SELinux User's and Administrator's Guide from Red Hat was a deeper explanation (https://access.redhat.com/documentation/en-us/red_hat_enterp... -- linking to RHEL 7 because that's what I read at the time)

I had to study this stuff in order to get Red Hat certified (RHCSA, passed with 300/300).

Getting certified is absolutely worth it. Getting certified is the difference between "10-15 minutes to get a diagnosis" and "I gave up on SELinux about 20 years ago".


You can have SELinux in a learning mode where it gives you a notification when it blocks something, and a command you can run to make it not block that action any more.


SELinux is, at heart, just about labels. If something tries to do something but doesn't have the right label, SELinux will block it.

I agree working with SELinux is a bit of a PITA, but if you learn sealert, ausearch, and/or audit2allow it can severely reduce the pain and allow you to keep SELinux enabled. I really like this page personally: https://wiki.centos.org/HowTos/SELinux
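As an added example (not from any commenter in the thread), a small POSIX shell helper that does the triage step described in the NetworkManager comment and the audit-tooling comment above: it turns raw audit.log AVC records into one summary line per denial, so a mislabeled file shows up as an unexpected target type, and prints a dry-run restorecon check per path. The sample records, paths, PIDs and timestamps are constructed; the field layout is the one audit.log uses.

```shell
#!/bin/sh
# Added helper, not from the thread. Summarise AVC denials from audit.log so a
# mislabeled file stands out as an unexpected target type (e.g. admin_home_t on
# a cert that NetworkManager needs). The sample records below are constructed.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="NetworkManager" name="client.pem" dev="dm-0" ino=12345 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="NetworkManager"
type=AVC msg=audit(1700000000.456:457): avc:  denied  { open } for  pid=1234 comm="NetworkManager" path="/root/.cert/nm-openvpn/ca.pem" dev="dm-0" ino=12346 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0'

# field RECORD KEY: value of KEY=value or KEY="value" in RECORD (empty if absent).
field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_summary: audit records on stdin -> one tab-separated line per AVC denial:
# permission, source type, target type, class, object (path or name), permissive flag.
# permissive=1 means the action was only logged, not blocked (the "learning mode" above).
avc_summary() {
  grep '^type=AVC ' | grep ' denied ' | while IFS= read -r rec; do
    perm=$(printf '%s\n' "$rec" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    stype=$(field "$rec" scontext | cut -d: -f3)   # e.g. NetworkManager_t
    ttype=$(field "$rec" tcontext | cut -d: -f3)   # e.g. admin_home_t
    obj=$(field "$rec" path)
    [ -n "$obj" ] || obj=$(field "$rec" name)
    printf '%s\t%s\t%s\t%s\t%s\tpermissive=%s\n' "$perm" "$stype" "$ttype" \
      "$(field "$rec" tclass)" "$obj" "$(field "$rec" permissive)"
  done
}

# label_checks: for each distinct absolute path in the denials, print a dry-run
# restorecon. "-nv" only reports what it would relabel, so any output from that
# command means the file's current label disagrees with the policy's file contexts.
label_checks() {
  avc_summary | cut -f5 | grep '^/' | sort -u | while IFS= read -r p; do
    printf "restorecon -nv '%s'\n" "$p"
  done
}

# On a real system: avc_summary < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | label_checks
```

If the restorecon dry run reports nothing but the denial persists, the label is what policy expects and the gap is in policy itself, which is the case for ausearch plus audit2allow rather than semanage fcontext.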



