[Swan] SELinux labeled ipsec

Jeff Becker jeffrey.c.becker at nasa.gov
Sat Feb 4 22:34:02 UTC 2017


On 02/03/2017 04:57 PM, Paul Wouters wrote:
> On Fri, 3 Feb 2017, Jeff Becker wrote:
>
>>>  Our test configuration uses:
>>>
>>> policy_label=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
>>
>> I got the above (actually 
>> policy-label=system_u:object_r:ipsec_spd_t:s0) to work by fixing an 
>> AVC denial. Now when I bring up the tunnel I see:
>
>> 004 "dtsd-tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established 
>> tunnel mode {ESP=>0xc01ab79f <0x4f6e6b26 xfrm=AES_128-HMAC_SHA1 
>> NATOA=none NATD=none DPD=passive}
>>
>> I don't see anything above that indicates that labeled ipsec is being 
>> used,
>
> Yeah, we don't display every single property but I'll look at adding a
> "labeled" prefix, so it says "IPsec SA established labeled tunnel mode"
>
> You should see the label in "ip xfrm pol".
>
>> but maybe that's OK. Anyhow, after setting this up, I can't seem to 
>> ping the other side of the tunnel (I was able to ping in the case 
>> without labeled ipsec). Any suggestions are appreciated. Thanks.
>
> My guess would be that your ping is either not covered by the tunnel, or
> you are using ICMP packets with the wrong label?

I fixed another AVC denial disallowing polmatch for scontext 
unlabeled_t, and tcontext ipsec_spd_t, I tried the ping again, and it 
still didn't work. Then I tried running tracepath, which did work. After 
that, the ping started working. Thanks.

-jeff
>
> Paul
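Paul's two checks above (does "ip xfrm pol" show the label, and is the ping actually covered by a policy) can be scripted. The following is an added example, not code from this thread or from libreswan: it parses `ip xfrm policy` output, lists tunnel policies that have no SELinux context, and finds the policy whose selector covers a given src/dst pair. The record layout (an unindented "src ... dst ..." line opening each policy, the label on an indented "security context ..." line) is assumed from iproute2 output, and the sample text, addresses, reqid and priorities are constructed for the example.

```python
"""Check `ip xfrm policy` output for SELinux labels on IPsec policies.

Added example, not from the Swan thread or libreswan.  The output layout
(record opens with an unindented "src X dst Y" line; the SELinux label, when
present, sits on an indented "security context <label>" line) is assumed
from iproute2.  Feed it the real output with:
    parse_xfrm_policy(subprocess.check_output(["ip", "xfrm", "policy"], text=True))
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: one labeled tunnel policy per direction, plus the
# unlabeled IKE socket policies.  Addresses, reqid and priorities are invented.
SAMPLE_XFRM_POLICY = """\
src 10.1.0.0/24 dst 10.2.0.0/24
\tsecurity context system_u:object_r:ipsec_spd_t:s0
\tdir out priority 1042407 ptype main
\ttmpl src 192.0.2.1 dst 192.0.2.2
\t\tproto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
\tsecurity context system_u:object_r:ipsec_spd_t:s0
\tdir in priority 1042407 ptype main
\ttmpl src 192.0.2.2 dst 192.0.2.1
\t\tproto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 proto udp dport 500
\tsocket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0 proto udp sport 500
\tsocket out priority 0 ptype main
"""


@dataclass
class XfrmPolicy:
    src: str                               # selector, e.g. "10.1.0.0/24"
    dst: str
    direction: Optional[str] = None        # "in", "out", "fwd", "socket in", ...
    label: Optional[str] = None            # SELinux context, None if unlabeled
    templates: List[str] = field(default_factory=list)   # "tmpl ..." lines


def parse_xfrm_policy(text: str) -> List[XfrmPolicy]:
    """Split `ip xfrm policy` output into one XfrmPolicy per record."""
    policies: List[XfrmPolicy] = []
    cur: Optional[XfrmPolicy] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():           # unindented line opens a new record
            m = re.match(r"src (\S+) dst (\S+)", line)
            if not m:
                continue
            cur = XfrmPolicy(src=m.group(1), dst=m.group(2))
            policies.append(cur)
        elif cur is None:
            continue
        elif line.startswith("security context "):
            cur.label = line[len("security context "):].strip()
        elif line.startswith("dir "):
            cur.direction = line.split()[1]
        elif line.startswith("socket "):
            cur.direction = "socket " + line.split()[1]
        elif line.startswith("tmpl "):
            cur.templates.append(line)
    return policies


def unlabeled_tunnel_policies(policies: List[XfrmPolicy]) -> List[XfrmPolicy]:
    """Tunnel policies (those with a tmpl) that carry no security context.
    With policy-label= set for the connection, this list should be empty."""
    return [p for p in policies if p.templates and p.label is None]


def covering_policy(policies: List[XfrmPolicy], src_ip: str, dst_ip: str,
                    direction: str = "out") -> Optional[XfrmPolicy]:
    """First policy in `direction` whose src/dst selectors cover the flow.
    Returns None when the flow (e.g. a ping) is not covered by any policy."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction != direction:
            continue
        if (s in ipaddress.ip_network(p.src, strict=False)
                and d in ipaddress.ip_network(p.dst, strict=False)):
            return p
    return None


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    for p in unlabeled_tunnel_policies(pols):
        print("unlabeled tunnel policy:", p.src, "->", p.dst, p.direction)
    hit = covering_policy(pols, "10.1.0.5", "10.2.0.7")
    print("ping 10.1.0.5 -> 10.2.0.7 covered by:", hit.label if hit else None)
```

If covering_policy returns None for the ping's source and destination, the packet is not entering the tunnel at all, which is the first of Paul's two cases; if it returns a policy but the label does not match the context the ping runs under (or an AVC denial for polmatch appears in the audit log), it is the second.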
