[Swan] SELinux labeled ipsec

Jeff Becker jeffrey.c.becker at nasa.gov
Sat Feb 4 23:51:27 UTC 2017


On 02/04/2017 03:40 PM, Jeff Becker wrote:
> On 02/04/2017 02:34 PM, Jeff Becker wrote:
>> On 02/03/2017 04:57 PM, Paul Wouters wrote:
>>> My guess would be that your ping is either not covered by the 
>>> tunnel, or
>>> you are using ICMP packets with the wrong label?
>>
>> I fixed another AVC denial disallowing polmatch for scontext 
>> unlabeled_t, and tcontext ipsec_spd_t, I tried the ping again, and it 
>> still didn't work. Then I tried running tracepath, which did work. 
>> After that, the ping started working. Thanks.
>
> Spoke too soon. I reverted to the unlabeled tunnel to test something, 
> then restarted the labeled tunnel (successfully). Once again I 
> couldn't ping, but now tracepath didn't work either. When I run ipsec 
> status, the tail of it shows:
>
> 000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink
> 000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink
>
> Can this be fixed so I get my route back? Thanks.
>
> -jeff

For some reason, the connection comes up after waiting a while. I guess 
that's the time to acquire netlink? Thanks.

-jeff
>>
>> -jeff
>>>
>>> Paul
>>
>>
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
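A small triage script for the two symptoms this thread describes, added here as an example; it is not code from the thread or from libreswan. It parses the `ipsec status` shunt lines quoted above and flags `%hold` entries that are still waiting on an acquire (the state Jeff sees until the SA comes up), and it pulls SELinux AVC denials in the `association` class out of an audit log, since a denied `polmatch` on `ipsec_spd_t` means the labeled flow never matches the SPD entry. Assumptions: the shunt line layout `000 SRC/MASK:PORT -PROTO-> DST/MASK:PORT => POLICY COUNT REASON` and the reading that, for ICMP (protocol 1), libreswan shows the ICMP type in the source port field (so `:8` is echo request) are my reading of the output, the audit lines are constructed to match the denial described in the thread, and all function names are mine.

```python
"""Triage helper for labeled IPsec bring-up problems (added example, not
part of libreswan or the thread).

Two symptoms are checked:
  * `ipsec status` shows bare %hold shunts with reason %acquire-netlink,
    i.e. traffic matched the policy but no SA has been negotiated yet.
  * SELinux AVC denials in the `association` class (e.g. polmatch), which
    prevent a labeled flow from matching its SPD entry at all.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the two `ipsec status` lines quoted in the thread.
STATUS_OUTPUT = """\
000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink
000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink
"""

# Constructed audit lines modelled on the denial the thread describes
# (polmatch refused for unlabeled_t against ipsec_spd_t); the second line
# is an unrelated file denial that the filter must ignore.
AUDIT_LOG = """\
type=AVC msg=audit(1486241234.123:456): avc:  denied  { polmatch } for  pid=1234 comm="ping" scontext=system_u:system_r:unlabeled_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s0 tclass=association permissive=0
type=AVC msg=audit(1486241235.456:457): avc:  denied  { read } for  pid=999 comm="cat" name="x" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Assumed layout of a libreswan bare-shunt status line (IPv4 only):
#   000 SRC/MASK:PORT -PROTO-> DST/MASK:PORT => POLICY COUNT REASON
SHUNT_RE = re.compile(
    r"^000 (?P<src>\d+\.\d+\.\d+\.\d+)/(?P<src_mask>\d+):(?P<src_port>\d+)"
    r" -(?P<proto>\d+)-> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dst_mask>\d+):(?P<dst_port>\d+)"
    r" => (?P<policy>%\S+) (?P<count>\d+)\s+(?P<reason>\S+)\s*$"
)

# Standard auditd AVC record fields; only the parts we need are captured.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Shunt:
    src: str
    src_port: int
    proto: int
    dst: str
    dst_port: int
    policy: str
    count: int
    reason: str

    def describe(self) -> str:
        # Assumption: for ICMP (proto 1) the source "port" field carries the ICMP type.
        if self.proto == 1:
            traffic = f"ICMP type {self.src_port}"
        else:
            traffic = f"proto {self.proto} port {self.src_port}->{self.dst_port}"
        return f"{traffic} {self.src} -> {self.dst}: {self.policy} ({self.reason})"


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str

    def source_type(self) -> str:
        return self.scontext.split(":")[2]   # user:role:type:level -> type

    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_shunts(status_text: str) -> List[Shunt]:
    shunts = []
    for line in status_text.splitlines():
        m = SHUNT_RE.match(line)
        if m:
            g = m.groupdict()
            shunts.append(Shunt(
                src=f"{g['src']}/{g['src_mask']}", src_port=int(g["src_port"]),
                proto=int(g["proto"]),
                dst=f"{g['dst']}/{g['dst_mask']}", dst_port=int(g["dst_port"]),
                policy=g["policy"], count=int(g["count"]), reason=g["reason"]))
    return shunts


def held_shunts(status_text: str) -> List[Shunt]:
    """Unique %hold shunts still waiting on an acquire, in first-seen order."""
    seen = {}
    for s in parse_shunts(status_text):
        if s.policy == "%hold" and s.reason.startswith("%acquire"):
            seen.setdefault(s, None)
    return list(seen)


def parse_avc_denials(audit_text: str) -> List[AvcDenial]:
    out = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append(AvcDenial(tuple(m["perms"].split()), m["scontext"],
                                 m["tcontext"], m["tclass"]))
    return out


def labeled_ipsec_denials(audit_text: str) -> List[AvcDenial]:
    """Denials in the `association` class, which labeled IPsec policy lookups use."""
    return [d for d in parse_avc_denials(audit_text) if d.tclass == "association"]


def diagnose(status_text: str, audit_text: str) -> List[str]:
    findings = []
    for s in held_shunts(status_text):
        findings.append("held pending SA: " + s.describe())
    for d in labeled_ipsec_denials(audit_text):
        findings.append(f"SELinux denied {' '.join(d.perms)}: "
                        f"{d.source_type()} -> {d.target_type()}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(STATUS_OUTPUT, AUDIT_LOG):
        print(finding)
```

On a real host you would feed it `ipsec status` output and `ausearch -m avc` output; a `%hold` entry that persists together with an `association`-class denial points at the label on the traffic rather than at the tunnel itself, while a `%hold` that clears on its own, as in this thread, is just the acquire completing.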