[Swan-dev] FIPS Behavior Question
Andrew Cagney
andrew.cagney at gmail.com
Sat May 1 17:41:18 UTC 2021
BTW, testing is still detecting unexpected audit records vis:
https://testing.libreswan.org/v4.4-70-g291edd8b58-main/ikev2-labeled-ipsec-03-multi-acquires-enforced/OUTPUT/east.console.diff
any ideas?
On Fri, 30 Apr 2021 at 22:05, Kavinda Wewegama <
kavinda.wewegama at forcepoint.com> wrote:
>
> On 4/27/2021 8:08 PM, Paul Wouters wrote:
> > On Tue, 27 Apr 2021, Wewegama, Kavinda wrote:
> >
> >> When FIPS is enabled, how does it affect Libreswan behavior besides
> >> enforcing certain cryptographic properties/restrictions?
> >
> > That should be the only difference. If something is rejected because of
> > FIPS, there will be a clear log message about it.
> >
> >> The reason I ask is because I am noticing child/IPsec SAs getting
> >> unsynchronized between tunnel endpoints if FIPS is enabled and SELinux
> >> Enforcing is turned on. In the past, I didn’t have issues with either
> >> FIPS by itself or with SELinux Enforcing by itself, but the
> >> combination isn’t working well.
> >
> > That does not sound like a FIPS related problem with libreswan if you
> > don't see clearly logged reasons of issues? Is there perhaps other FIPS
> > restrictions that might be affecting the system from other components?
>
> The issue wasn't FIPS related per se but tended to manifest more easily
> with FIPS enabled: https://github.com/libreswan/libreswan/issues/441
>
> My hypothesis for why I observed this behavior with FIPS enabled is
> because enabling it triggers more chrony traffic which was not
> permitted, i.e. pluto's SELinux domain did not have `setcontext`
> permission against `chronyc_t`. But I don't have a way to confirm this.
>
> -Kavinda
>
> >
> > Paul
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20210501/f17f2746/attachment.html>
More information about the Swan-dev
mailing list