On Tue, 27 Jun 2006 14:46:29 +0100 Stuart James <stuart@xxxxxxxxxx> wrote:

> > > Hi,
> > >
> > > We are using Openswan to connect two of our sites together via an
> > > IPSEC tunnel. Recently we upgraded from FC3 to FC5 on our frontend
> > > firewalls, including the version of openswan, selinux policy,
> > > kernel, etc. We used to run in enforcing mode without any
> > > difficulties; it now seems that with Enforcing mode on Openswan
> > > does not seem to be able to add the route.
> > >
> > > Using setenforce 0, the tunnel becomes active. As far as I can
> > > tell Openswan has difficulty adding the route to the Right/Left
> > > nexthop; although the status of the tunnel appears to be up, the
> > > routing does not appear to take place.
> > >
> > > #audit2allow -a -t /var/log/audit/audit.log
> > > allow ifconfig_t self:netlink_xfrm_socket create;
> > > allow ifconfig_t initrc_t:unix_stream_socket { read write };
> >
> > I've followed this up in more detail, adding to
> > /usr/src/redhat/SOURCES/serefpolicy-2.2.43/policy/modules/system/sysnetwork.te
> >
> > # IPsec
> > allow ifconfig_t self:netlink_xfrm_socket create;
> > allow ifconfig_t initrc_t:unix_stream_socket { read write };
> > allow ifconfig_t self:netlink_xfrm_socket setopt;
> > allow ifconfig_t initrc_t:udp_socket { read write };
> > allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
> > allow ifconfig_t self:netlink_xfrm_socket bind;
> > allow ifconfig_t self:netlink_xfrm_socket read;
> > allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
> > allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
> > allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };
> >
> > These rules seem to work now.
> > # IPSEC (openswan-2.4.x)
allow traceroute_t initrc_t:rawip_socket { read write };
allow traceroute_t initrc_t:udp_socket { read write };
allow traceroute_t user_home_dir_t:dir search;
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket setopt;
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
allow ifconfig_t self:netlink_xfrm_socket bind;
allow ifconfig_t self:netlink_xfrm_socket read;
allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };
allow ifconfig_t self:netlink_xfrm_socket { nlmsg_write read };
allow ifconfig_t unconfined_t:udp_socket { read write };
allow unlabeled_t self:association sendto;
allow unlabeled_t self:association recvfrom;

Regards,

--
Stuart James
System Administrator
DDI - (44) 0 1765 643354

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
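The rule lists in this thread were produced by running audit2allow repeatedly, so they overlap heavily (the netlink_xfrm_socket permissions are spread across seven partially overlapping rules). As an added example that is not part of the thread, this Python script merges such allow rules per source/target/class so that the full set of permissions being granted can be reviewed on one line before it is pasted into sysnetwork.te; the RULES sample is the thread's own ifconfig_t rules, and the script assumes the simple `allow src tgt:class perms;` form only (it is not a full policy parser).

```python
import re
from collections import defaultdict

# Sample input: the ifconfig_t rules quoted in the thread, as generated by
# several successive audit2allow runs (copied here for demonstration).
RULES = """
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket setopt;
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
allow ifconfig_t self:netlink_xfrm_socket bind;
allow ifconfig_t self:netlink_xfrm_socket read;
allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };
allow ifconfig_t self:netlink_xfrm_socket { nlmsg_write read };
"""

# Matches "allow SRC TGT:CLASS perm;" or "allow SRC TGT:CLASS { p1 p2 };".
# Assumption: only this plain allow form is handled, no attributes or macros.
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+?))\s*;\s*$"
)


def parse_allow(line):
    """Return ((src, tgt, cls), {perms}) for one allow rule, else None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    src, tgt, cls, braced, single = m.groups()
    perms = braced.split() if braced is not None else [single]
    return (src, tgt, cls), set(perms)


def merge_rules(text):
    """Union the permissions of all rules sharing a (src, tgt, cls) key."""
    merged = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_allow(line)
        if parsed:
            key, perms = parsed
            merged[key] |= perms
    return dict(merged)


def render(merged):
    """Emit one consolidated allow rule per key, permissions sorted."""
    out = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out


if __name__ == "__main__":
    print("\n".join(render(merge_rules(RULES))))
```

The merged netlink_xfrm_socket line makes it obvious that ifconfig_t is being given eight distinct permissions on that socket class, which is easier to judge than the same grant scattered over seven rules.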