[Swan] SELinux labeled ipsec
Jeff Becker
jeffrey.c.becker at nasa.gov
Fri Feb 3 23:56:08 UTC 2017
On 02/03/2017 09:31 AM, Paul Wouters wrote:
> On Thu, 2 Feb 2017, Jeff Becker wrote:
>
>> Hi. Using libreswan, I was able to set up an unlabeled ipsec tunnel
>> between two CentOS 7.3 hosts.
>
>> However, if I add the following to my ipsec.conf...
>>
>> labeled-ipsec=yes
>> policy-label=unconfined.user:msg_filter.role:msg_filter.ext_gateway.process:s0
>>
>> restart ipsec on both sides, add the new tunnel and try to bring it
>> up, I get:
>
>> 117 "dtsd-tunnel" #2: STATE_QUICK_I1: initiate
>> 003 "dtsd-tunnel" #2: ERROR: netlink XFRM_MSG_UPDPOLICY response for
>> flow tun.10000 at 198.9.7.199 included errno 22: Invalid argument
>> 002 "dtsd-tunnel" #2: raw_eroute() in setup_half_ipsec_sa() failed to
>> add inbound
>>
>> I chose the policy-label from the example in the latest SELinux
>> notebook (https://selinuxproject.org/page/Category:Notebook). Not
>> sure if
>> that's the issue, or if it's something else. Please advise. Thanks.
>
> Our test configuration uses:
>
> policy_label=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
I got the above (actually policy-label=system_u:object_r:ipsec_spd_t:s0)
to work by fixing an AVC denial. Now when I bring up the tunnel I see:
# ipsec auto --up dtsd-tunnel
002 "dtsd-tunnel" #1: initiating Main Mode
104 "dtsd-tunnel" #1: STATE_MAIN_I1: initiate
003 "dtsd-tunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "dtsd-tunnel" #1: received Vendor ID payload [FRAGMENTATION]
003 "dtsd-tunnel" #1: received Vendor ID payload [RFC 3947]
002 "dtsd-tunnel" #1: enabling possible NAT-traversal with method RFC
3947 (NAT-Traversal)
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
106 "dtsd-tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "dtsd-tunnel" #1: NAT-Traversal: Result using RFC 3947
(NAT-Traversal) sender port 500: no NAT detected
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
108 "dtsd-tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "dtsd-tunnel" #1: received Vendor ID payload [CAN-IKEv2]
002 "dtsd-tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: '198.9.7.198'
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
004 "dtsd-tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG
cipher=aes_256 integ=sha group=MODP2048}
002 "dtsd-tunnel" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
{using isakmp#1 msgid:3849768f proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
117 "dtsd-tunnel" #2: STATE_QUICK_I1: initiate
002 "dtsd-tunnel" #2: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2
004 "dtsd-tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
tunnel mode {ESP=>0xc01ab79f <0x4f6e6b26 xfrm=AES_128-HMAC_SHA1
NATOA=none NATD=none DPD=passive}
I don't see anything above that indicates that labeled ipsec is being
used, but maybe that's OK. Anyhow, after setting this up, I can't seem
to ping the other side of the tunnel (I was able to ping in the case
without labeled ipsec). Any suggestions are appreciated. Thanks.
-jeff
>
> I think we also needed to put the system in MLS mode for this to
> properly work?
>
> I'll ask some of the selinux people inside Red Hat if they know more.
>
> Paul
More information about the Swan
mailing list