[Swan-dev] FIPS Behavior Question
Kavinda Wewegama
kavinda.wewegama at forcepoint.com
Sat May 1 02:05:18 UTC 2021
On 4/27/2021 8:08 PM, Paul Wouters wrote:
> On Tue, 27 Apr 2021, Wewegama, Kavinda wrote:
>
>> When FIPS is enabled, how does it affect Libreswan behavior besides
>> enforcing certain cryptographic properties/restrictions?
>
> That should be the only difference. If something is rejected because of
> FIPS, there will be a clear log message about it.
>
>> The reason I ask is because I am noticing child/IPsec SAs getting
>> unsynchronized between tunnel endpoints if FIPS is enabled and SELinux
>> Enforcing is turned on. In the past, I didn’t have issues with either
>> FIPS by itself or with SELinux Enforcing by itself, but the
>> combination isn’t working well.
>
> That does not sound like a FIPS related problem with libreswan if you
> don't see clearly logged reasons of issues? Is there perhaps other FIPS
> restrictions that might be affecting the system from other components?
The issue wasn't FIPS related per se but tended to manifest more easily
with FIPS enabled: https://github.com/libreswan/libreswan/issues/441
My hypothesis for why I observed this behavior with FIPS enabled is
because enabling it triggers more chrony traffic which was not
permitted, i.e. pluto's SELinux domain did not have `setcontext`
permission against `chronyc_t`. But I don't have a way to confirm this.
-Kavinda
>
> Paul
More information about the Swan-dev
mailing list