Re: FC5 - problems setting context

Paul Howarth <paul@xxxxxxxxxxxx> · Mon, 12 Jun 2006 18:00:04 +0100

Sandra Julieta Rueda Rodriguez wrote:
Hello,

I am new with selinux and I have a problem:

My system: Fedora Core 5, FC5 - 2.6.16-1.2122 SMP
I am trying to set communication policies between two machines and I am
using the set of commands implemented by ipsec-tools.

I am running the command: setkey -v -f set.conf
Contents of the file set.conf (it had more things at the beginning but I
reduced it while looking for the cause of the error):
flush;
spdflush;
spdadd src dest any -ctx 1 1 "user_u:object_r:user_t" -P out ipsec
esp/transport//require ;

I always receive the same output at the end: "Invalid Argument".

sadb_msg{ version=2 type=9 errno=0 satype=0
  len=2 reserved=0 seq=0 pid=16090

sadb_msg{ version=2 type=9 errno=0 satype=0
  len=2 reserved=0 seq=0 pid=16090

sadb_msg{ version=2 type=19 errno=0 satype=0
  len=2 reserved=0 seq=0 pid=16090

sadb_msg{ version=2 type=19 errno=0 satype=0
  len=2 reserved=0 seq=0 pid=16090

sadb_msg{ version=2 type=14 errno=0 satype=0
  len=16 reserved=0 seq=0 pid=16090
sadb_ext{ len=4 type=18 }
sadb_x_policy{ type=2 dir=2 id=0 priority=2147483648 }
 { len=16 proto=50 mode=1 level=2 reqid=0
 }
sadb_ext{ len=3 type=5 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0
 82cb2034  }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0
 82cb2035  }
sadb_ext{ len=4 type=24 }
sadb_x_sec_ctx{ doi=1 alg=1 length=23,
context:user_u:object_r:user_t}

sadb_msg{ version=2 type=14 errno=22 satype=0
  len=2 reserved=0 seq=0 pid=16090

The result of line 4: Invalid argument.

I followed the procedure and it looks like the problem is not related to
ipsec-tools but to something in the kernel, because it returns errno=22.
Running the same command without the ctx extension works fine.

Does anyone have any idea?

Perhaps this is another instance where contexts aren't being passed 
through libselinux for translation?

Try using this context instead:

user_u:object_r:user_t:s0

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list