[Swan] SELinux labeled ipsec

Jeff Becker jeffrey.c.becker at nasa.gov
Fri Feb 3 23:56:08 UTC 2017


On 02/03/2017 09:31 AM, Paul Wouters wrote:
> On Thu, 2 Feb 2017, Jeff Becker wrote:
>
>> Hi. Using libreswan, I was able to set up an unlabeled ipsec tunnel 
>> between two CentOS 7.3 hosts.
>
>> However, if I add the following to my ipsec.conf...
>>
>>         labeled-ipsec=yes
>>         policy-label=unconfined.user:msg_filter.role:msg_filter.ext_gateway.process:s0
>>
>> restart ipsec on both sides, add the new tunnel and try to bring it 
>> up, I get:
>
>> 117 "dtsd-tunnel" #2: STATE_QUICK_I1: initiate
>> 003 "dtsd-tunnel" #2: ERROR: netlink XFRM_MSG_UPDPOLICY response for flow tun.10000 at 198.9.7.199 included errno 22: Invalid argument
>> 002 "dtsd-tunnel" #2: raw_eroute() in setup_half_ipsec_sa() failed to add inbound
>>
>> I chose the policy-label from the example in the latest SELinux
>> notebook (https://selinuxproject.org/page/Category:Notebook). Not
>> sure if that's the issue, or if it's something else. Please advise. Thanks.
>
> Our test configuration uses:
>
>     policy_label=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023

I got the above (actually policy-label=system_u:object_r:ipsec_spd_t:s0) 
to work by fixing an AVC denial. Now when I bring up the tunnel I see:

# ipsec auto --up dtsd-tunnel
002 "dtsd-tunnel" #1: initiating Main Mode
104 "dtsd-tunnel" #1: STATE_MAIN_I1: initiate
003 "dtsd-tunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "dtsd-tunnel" #1: received Vendor ID payload [FRAGMENTATION]
003 "dtsd-tunnel" #1: received Vendor ID payload [RFC 3947]
002 "dtsd-tunnel" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "dtsd-tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "dtsd-tunnel" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "dtsd-tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "dtsd-tunnel" #1: received Vendor ID payload [CAN-IKEv2]
002 "dtsd-tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: '198.9.7.198'
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "dtsd-tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=aes_256 integ=sha group=MODP2048}
002 "dtsd-tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:3849768f proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
117 "dtsd-tunnel" #2: STATE_QUICK_I1: initiate
002 "dtsd-tunnel" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "dtsd-tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc01ab79f <0x4f6e6b26 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}

I don't see anything above that indicates that labeled ipsec is being 
used, but maybe that's OK. Anyhow, after setting this up, I can't seem 
to ping the other side of the tunnel (I was able to ping in the case 
without labeled ipsec). Any suggestions are appreciated. Thanks.

-jeff

>
> I think we also needed to put the system in MLS mode for this to 
> properly work?
>
> I'll ask some of the selinux people inside Red Hat if they know more.
>
> Paul
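Nothing in pluto's own output says whether the SAs were installed with a label; the place to look is the kernel XFRM database, where `ip xfrm policy` and `ip xfrm state` print a `security context` line for labeled entries. The script below is an added example, not from this thread or from libreswan: it parses that output (the sample is constructed, and the layout of the `security context` line is assumed to match iproute2's) and reports policies that are missing or disagree with the configured policy-label.

```python
import re

# SELinux context user:role:type[:level]; the level may be a range with
# categories, e.g. s0 or s0-s15:c0.c1023 (both labels from the thread match).
CONTEXT_RE = re.compile(r"^[\w.]+:[\w.]+:[\w.]+(?::[\w.,:\-]+)?$")

def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into dicts with src, dst, dir and ctx.
    Assumed iproute2 layout: a 'src A dst B' line opens each policy, a
    'dir ...' line follows, labeled policies add 'security context <ctx>'."""
    policies, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"src (\S+) dst (\S+)", s)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None, "ctx": None}
            policies.append(cur)
        elif cur is not None and s.startswith("dir "):
            cur["dir"] = s.split()[1]
        elif cur is not None and s.startswith("security context "):
            cur["ctx"] = s[len("security context "):].strip()
    return policies

def check_labeled(policies, expected_ctx):
    """Return a list of problems: unlabeled policies, malformed contexts,
    and contexts that differ from the configured policy-label."""
    problems = []
    for p in policies:
        where = f"{p['dir']} {p['src']} -> {p['dst']}"
        if p["ctx"] is None:
            problems.append(f"{where}: no security context (not labeled)")
        elif not CONTEXT_RE.match(p["ctx"]):
            problems.append(f"{where}: malformed context {p['ctx']!r}")
        elif p["ctx"] != expected_ctx:
            problems.append(f"{where}: context {p['ctx']!r} != {expected_ctx!r}")
    return problems

# Constructed sample: the outbound policy is labeled, the inbound one is not.
# On a live host use subprocess.check_output(["ip", "xfrm", "policy"], text=True).
SAMPLE = """\
src 10.0.1.0/24 dst 10.0.2.0/24
\tdir out priority 2344 ptype main
\ttmpl src 198.9.7.199 dst 198.9.7.198
\t\tproto esp reqid 16389 mode tunnel
\tsecurity context system_u:object_r:ipsec_spd_t:s0
src 10.0.2.0/24 dst 10.0.1.0/24
\tdir in priority 2344 ptype main
\ttmpl src 198.9.7.198 dst 198.9.7.199
\t\tproto esp reqid 16389 mode tunnel
"""
```

Run `check_labeled(parse_xfrm_policies(SAMPLE), "system_u:object_r:ipsec_spd_t:s0")` to get the list of policies that are not carrying the expected label; an empty list means both directions are labeled as configured.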