Re: Openswan on FC4/5

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 27 Jun 2006 14:46:29 +0100
Stuart James <stuart@xxxxxxxxxx> wrote:


> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > > 
> > > Hi,
> > > 
> > > We are using Openswan to connect two of our sites together via an
> > > IPSEC tunnel. Recently we upgraded from FC3 to FC5 on our frontend
> > > firewalls, including the version of openswan , selinux policy,
> > > kernel ,ect. We used to run in enforcing mode without any
> > > difficulties, it now seems that with Enforcing mode on Openswan
> > > does not seem to be able to add the route.
> > > 
> > > Using setenforce 0 , the tunnel becomes active. As far as i can
> > > tell Openswan has difficulty adding the route to the Right/Left
> > > nexthop, although the status of the tunnel appears to be up, the
> > > routing does not appear to take place.
> > > 
> > > #audit2allow -a -t /var/log/audit/audit.log
> > > allow ifconfig_t self:netlink_xfrm_socket create;
> > > allow ifconfig_t initrc_t:unix_stream_socket { read write };
> > 
> > I've followed this up in more detail, adding to
> > /usr/src/redhat/SOURCES/serefpolicy-2.2.43/policy/modules/system/sysnetwork.te
> > 
> > # IPsec
> > allow ifconfig_t self:netlink_xfrm_socket create;
> > allow ifconfig_t initrc_t:unix_stream_socket { read write };
> > allow ifconfig_t self:netlink_xfrm_socket setopt;
> > allow ifconfig_t initrc_t:udp_socket { read write };
> > allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
> > allow ifconfig_t self:netlink_xfrm_socket bind;
> > allow ifconfig_t self:netlink_xfrm_socket read;
> > allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
> > allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
> > allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read
> > write };
> > 
> 
> These rules seem to work now.
> 
> 
# IPSEC (openswan-2.4.x)


allow traceroute_t initrc_t:rawip_socket { read write };
allow traceroute_t initrc_t:udp_socket { read write };
allow traceroute_t user_home_dir_t:dir search;

allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket setopt;
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
allow ifconfig_t self:netlink_xfrm_socket bind;
allow ifconfig_t self:netlink_xfrm_socket read;
allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read
write }; 
allow ifconfig_t self:netlink_xfrm_socket { nlmsg_write read }; 
allow ifconfig_t unconfined_t:udp_socket { read write };
allow unlabeled_t self:association sendto;
allow unlabeled_t self:association recvfrom;



Regards,

- -- 
Stuart James
System Administrator
DDI - (44) 0 1765 643354

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEs8Znr8LwOCpshrYRAsy/AKC777P7eAugVKSer5Qlh6WFgsyDdQCeNyyp
6xAQw09KvJ92wtidicpJqhg=
=+sXV
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux