[Swan] SELinux labeled ipsec

Paul Wouters paul at nohats.ca
Sat Feb 4 00:57:17 UTC 2017


On Fri, 3 Feb 2017, Jeff Becker wrote:

>>  Our test configuration uses:
>>
>>      policy_label=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
>
> I got the above (actually policy-label=system_u:object_r:ipsec_spd_t:s0) to 
> work by fixing an AVC denial. Now when I bring up the tunnel I see:
>
> 004 "dtsd-tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel 
> mode {ESP=>0xc01ab79f <0x4f6e6b26 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none 
> DPD=passive}
>
> I don't see anything above that indicates that labeled ipsec is being used,

Yeah, we don't display every single property but I'll look at adding a
"labeled" prefix, so it says "IPsec SA established labeled tunnel mode"

You should see the label in "ip xfrm pol".

> but maybe that's OK. Anyhow, after setting this up, I can't seem to ping the 
> other side of the tunnel (I was able to ping in the case without labeled 
> ipsec). Any suggestions are appreciated. Thanks.

My guess would be that your ping is either not covered by the tunnel, or
you are using ICMP packets with the wrong label?

Paul
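To act on the two checks Paul suggests (look for the label in "ip xfrm pol", and ask whether the ping traffic carries the label the policy wants), here is a small added helper; it is not code from the thread or from libreswan. It assumes that iproute2 prints a policy's SELinux context as a line reading "security context <ctx>" inside each entry of `ip xfrm policy`; the sample output embedded below is constructed for the example, not captured from the poster's hosts.

```shell
#!/bin/sh
# Added example: verify that the installed xfrm policies really carry an
# SELinux context (i.e. labeled IPsec is in effect) and report any that
# do not match the policy-label configured in the conn.
#
# Assumption: iproute2 renders the label as "security context <ctx>" on
# its own line inside each `ip xfrm policy` entry.  The policy dump below
# is constructed for this example.
SAMPLE_POLICY='src 10.0.0.1/32 dst 10.0.0.2/32
    dir out priority 1 ptype main
    tmpl src 10.0.0.1 dst 10.0.0.2
        proto esp reqid 16389 mode tunnel
    security context system_u:object_r:ipsec_spd_t:s0
src 10.0.0.2/32 dst 10.0.0.1/32
    dir in priority 1 ptype main
    tmpl src 10.0.0.2 dst 10.0.0.1
        proto esp reqid 16389 mode tunnel
    security context system_u:object_r:ipsec_spd_t:s0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
'

# Reads `ip xfrm policy` output on stdin and prints one line per policy:
#   <src> <dst> <dir|socket> <direction> <context-or-UNLABELED>
summarize_policies() {
    awk '
        function flush() {
            if (src != "") print src, dst, kind, (ctx == "" ? "UNLABELED" : ctx)
        }
        $1 == "src"                        { flush(); src = $2; dst = $4; kind = ""; ctx = "" }
        $1 == "dir" || $1 == "socket"      { kind = $1 " " $2 }
        $1 == "security" && $2 == "context" { ctx = $3 }
        END { flush() }
    '
}

# Exit 0 when every non-socket policy carries the expected context,
# 1 otherwise (printing the offending policies).  Per-socket bypass
# policies never carry a label, so they are skipped.
# Usage: ip xfrm policy | check_policy_labels system_u:object_r:ipsec_spd_t:s0
check_policy_labels() {
    expected="$1"
    summarize_policies | awk -v want="$expected" '
        $3 == "socket" { next }
        $NF != want    { bad++; print "policy " $1 " -> " $2 " has label " $NF ", expected " want }
        END            { exit (bad > 0) }
    '
}

# Stand-alone demo against the constructed dump; on a real host replace
# the printf with `ip xfrm policy`.
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_POLICY" | summarize_policies
    printf '%s' "$SAMPLE_POLICY" | check_policy_labels system_u:object_r:ipsec_spd_t:s0 \
        && echo "all tunnel policies labeled as expected"
fi
```

For the second half of Paul's guess, the label attached to the ICMP flow is the SELinux context of the process that sends the packets, so compare `id -Z` for the shell running ping with the policy context reported above (or run a test ping under a chosen context with `runcon`), and look for a fresh denial with `ausearch -m AVC -ts recent` if the labels do not line up.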