[Swan] SELinux labeled ipsec

Jeff Becker jeffrey.c.becker at nasa.gov
Sat Feb 4 23:40:37 UTC 2017


On 02/04/2017 02:34 PM, Jeff Becker wrote:
> On 02/03/2017 04:57 PM, Paul Wouters wrote:
>> My guess would be that your ping is either not covered by the tunnel, or
>> you are using ICMP packets with the wrong label?
>
> I fixed another AVC denial disallowing polmatch for scontext 
> unlabeled_t, and tcontext ipsec_spd_t, I tried the ping again, and it 
> still didn't work. Then I tried running tracepath, which did work. 
> After that, the ping started working. Thanks.

Spoke too soon. I reverted to the unlabeled tunnel to test something,
then restarted the labeled tunnel (successfully). Once again I couldn't
ping, but now tracepath didn't work either. When I run ipsec status, the
tail of it shows:

000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink
000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink

Can this be fixed so I get my route back? Thanks.

-jeff
>
> -jeff
>>
>> Paul
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
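Added note, not part of the thread above: the two `ipsec status` lines in the mail are libreswan bare-shunt entries, and the thing worth checking on a host like this is whether any shunt is stuck in `%hold` (a kernel acquire that never got a tunnel, so the matching traffic is black-holed until the shunt expires or the tunnel is renegotiated). The script below is an example written for this page; it assumes the field layout visible in the mail (`src/mask:port -proto-> dst/mask:port => policy refcount reason`), treats the protocol number with the usual IANA meaning (1 = ICMP, in which case the "port" field is taken to be the ICMP type, which is an assumption, not documented libreswan behaviour), and runs over constructed sample text consisting of the two lines from the mail plus one made-up `%pass` line so the filter has something to exclude.

```python
import re
from typing import Dict, List

# One bare-shunt line as it appears in the "ipsec status" tail quoted in the mail.
# Field layout is assumed from those lines:
#   000 <src>/<mask>:<port> -<proto>-> <dst>/<mask>:<port> => <policy> <refcount> <reason>
SHUNT_RE = re.compile(
    r"^000\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}):(?P<sport>\d+)\s+"
    r"-(?P<proto>\d+)->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}):(?P<dport>\d+)\s+"
    r"=>\s+(?P<policy>%\w+)\s+(?P<refcount>\d+)\s+(?P<reason>\S+)\s*$"
)

# IANA protocol numbers; anything else is reported numerically.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_shunts(status_output: str) -> List[Dict[str, object]]:
    """Parse every bare-shunt line in an `ipsec status` dump into a dict."""
    shunts: List[Dict[str, object]] = []
    for line in status_output.splitlines():
        m = SHUNT_RE.match(line.strip())
        if not m:
            continue  # not a shunt line (connection state, counters, ...)
        proto = int(m.group("proto"))
        shunts.append({
            "src": m.group("src"),
            "sport": int(m.group("sport")),
            "proto": proto,
            "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
            "policy": m.group("policy"),
            "refcount": int(m.group("refcount")),
            "reason": m.group("reason"),
        })
    return shunts


def stuck_holds(status_output: str) -> List[str]:
    """Return one line per distinct %hold shunt (duplicates collapsed).

    A %hold means the kernel asked for a tunnel (%acquire) and pluto installed
    a blocking placeholder; if it never turns into a real SA, that flow is
    dropped, which is exactly the 'my ping and tracepath stopped working'
    symptom from the mail.
    """
    seen = set()
    report: List[str] = []
    for s in parse_shunts(status_output):
        if s["policy"] != "%hold":
            continue
        key = (s["src"], s["sport"], s["proto"], s["dst"], s["dport"])
        if key in seen:
            continue
        seen.add(key)
        report.append(
            f"{s['proto_name']} {s['src']}:{s['sport']} -> "
            f"{s['dst']}:{s['dport']} held: {s['reason']}"
        )
    return report


# Constructed sample: the two lines quoted in the mail plus one invented %pass
# entry (UDP/53) to show that non-%hold shunts are filtered out.
SAMPLE_STATUS = """\
000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink
000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink
000 198.9.7.199/32:0 -17-> 198.9.7.198/32:53 => %pass 0 %acquire-netlink
"""

if __name__ == "__main__":
    # In practice: subprocess.run(["ipsec", "status"], capture_output=True, text=True).stdout
    for entry in stuck_holds(SAMPLE_STATUS):
        print("stuck shunt:", entry)
```

On the mail's output the report is a single ICMP (type 8, echo request) flow from 198.9.7.199 to 198.9.7.198 held by an `%acquire-netlink`; once the labeled connection is genuinely up, re-running the check should show that line gone.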