[Swan-dev] FIPS Behavior Question
andrew.cagney at gmail.com
Sat May 1 17:41:18 UTC 2021
BTW, testing is still detecting unexpected audit records vis:
On Fri, 30 Apr 2021 at 22:05, Kavinda Wewegama <
kavinda.wewegama at forcepoint.com> wrote:
> On 4/27/2021 8:08 PM, Paul Wouters wrote:
> > On Tue, 27 Apr 2021, Wewegama, Kavinda wrote:
> >> When FIPS is enabled, how does it affect Libreswan behavior besides
> >> enforcing certain cryptographic properties/restrictions?
> > That should be the only difference. If something is rejected because of
> > FIPS, there will be a clear log message about it.
> >> The reason I ask is because I am noticing child/IPsec SAs getting
> >> unsynchronized between tunnel endpoints if FIPS is enabled and SELinux
> >> Enforcing is turned on. In the past, I didn’t have issues with either
> >> FIPS by itself or with SELinux Enforcing by itself, but the
> >> combination isn’t working well.
> > That does not sound like a FIPS related problem with libreswan if you
> > don't see clearly logged reasons of issues? Is there perhaps other FIPS
> > restrictions that might be affecting the system from other components?
> The issue wasn't FIPS related per se but tended to manifest more easily
> with FIPS enabled: https://github.com/libreswan/libreswan/issues/441
> My hypothesis for why I observed this behavior with FIPS enabled is
> because enabling it triggers more chrony traffic which was not
> permitted, i.e. pluto's SELinux domain did not have `setcontext`
> permission against `chronyc_t`. But I don't have a way to confirm this.
> > Paul
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Swan-dev