Ted Toth txtoth at gmail.com
Tue Jan 27 19:54:11 EET 2015

The problem turned out to be that the connection selinux type was not
defined in the policy on the client so that the avc_has_perm failed.
I'd have expected to see the "within_range: Unable to retrieve sid for
sl context ..." message instead of the "within_range: The sl (<selinux
context>) is not within range of (<selinux context>)" message. Maybe
I'm not looking at the right source (security_selinux.c). I installed
a policy module which defined the type and the errors stopped.

On Mon, Jan 26, 2015 at 5:52 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 26 Jan 2015, Ted Toth wrote:
>> As I've mentioned before we're using label ipsec with SELinux MLS
>> policy. On the clients I'm seeing:
>> within_range: The sl (<selinux context>) is not within range of
>> (<selinux context>)
>> security context verification failed (perhaps policy_label is not
>> configured for this connection)
>> which I think is related to the BAD_PROPOSAL_SYNTAX errors. I got the
>> source rpm for the openswan version we're using and started looking
>> for the code that generates these messages but I haven't found it
>> yet; do you know where the within_range check occurs? The level is within
>> the range but the user/role/type are different.
> That's very possible. All the BAD_PROPOSAL_SYNTAX returns stem from
> ikev1_spdb_struct.c (formerly spdb_v1_struct.c) problems. One of
> those is reading the oakley trans attributes which I believe is
> where the policy label is transferred.
> Paul
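An added example, not code from this thread or from openswan/libreswan, showing the two checks the exchange turns on: a plain MLS range-containment test between a single-level SELinux context and a ranged one, and the check that the label's type actually exists in the loaded policy, which was the root cause here. POLICY_TYPES is a constructed stand-in for the client's policy, and the range logic is generic MLS dominance rather than the pluto within_range implementation.

```python
import re

# Constructed stand-in for the set of types the client's loaded policy
# defines; in practice you would query the policy (e.g. seinfo) instead.
POLICY_TYPES = {"ipsec_spd_t", "ipsec_t", "unconfined_t"}

CONTEXT_RE = re.compile(r"^([^:]+):([^:]+):([^:]+):(.+)$")


def parse_level(level):
    """Parse an MLS level such as 's1:c0.c3,c7' into (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        if "." in part:  # a range like c0.c3 expands to c0,c1,c2,c3
            lo, hi = part.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)


def parse_context(ctx):
    """Split 'user:role:type:low[-high]' into fields; a single level is its own range."""
    m = CONTEXT_RE.match(ctx)
    if not m:
        raise ValueError("not a valid SELinux MLS context: %r" % ctx)
    user, role, typ, mls = m.groups()
    low, _, high = mls.partition("-")
    low_lvl = parse_level(low)
    high_lvl = parse_level(high) if high else low_lvl
    return {"user": user, "role": role, "type": typ, "low": low_lvl, "high": high_lvl}


def dominates(a, b):
    """Level a dominates b when its sensitivity is >= and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def within_range(sl_ctx, range_ctx):
    """True if the single level of sl_ctx lies between range_ctx's low and high levels."""
    sl = parse_context(sl_ctx)["low"]
    rng = parse_context(range_ctx)
    return dominates(sl, rng["low"]) and dominates(rng["high"], sl)


def check_connection_label(ctx, policy_types=POLICY_TYPES):
    """Catch the failure seen in the thread: a label whose type the loaded policy lacks."""
    c = parse_context(ctx)
    if c["type"] not in policy_types:
        return "type %s is not defined in the loaded policy" % c["type"]
    return "ok"
```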
