[Swan] SELinux labeled ipsec
Jeff Becker
jeffrey.c.becker at nasa.gov
Sat Feb 4 23:40:37 UTC 2017
On 02/04/2017 02:34 PM, Jeff Becker wrote:
> On 02/03/2017 04:57 PM, Paul Wouters wrote:
>> My guess would be that your ping is either not covered by the tunnel, or
>> you are using ICMP packets with the wrong label?
>
> I fixed another AVC denial disallowing polmatch for scontext
> unlabeled_t, and tcontext ipsec_spd_t. I tried the ping again, and it
> still didn't work. Then I tried running tracepath, which did work.
> After that, the ping started working. Thanks.
Spoke too soon. I reverted to the unlabeled tunnel to test something,
then restarted the labeled tunnel (successfully). Once again I couldn't
ping, but now tracepath didn't work either. When I run ipsec status, the
tail of it shows:
000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink
000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink
Can this be fixed so I get my route back? Thanks.
-jeff
>
> -jeff
>>
>> Paul
>
>