Re: strange avc with racoon under f-11 mls

On 10/15/2009 09:27 AM, Xavier Toth wrote:
On Wed, Oct 14, 2009 at 5:42 PM, Joshua Roys
<joshua.roys@xxxxxxxxxxxxxxx>  wrote:
On 10/14/2009 03:42 PM, Daniel J Walsh wrote:

On 10/14/2009 01:30 PM, Joshua Roys wrote:

avc:  denied  { recv } for  saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500
netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer


Looking at policy/mls, I see this:
# the peer/packet recv op
mlsconstrain { peer packet } { recv }
        (( l1 dom l2 ) or
         (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
         ( t1 == mlsnetread ));

mlsnetreadtoclr appears to only be granted via:
policy/modules/kernel/mls.if: mls_socket_read_to_clearance
which is not granted to racoon_t


Hello,

We have ipsec working again, using something like:

($local_t and $remote_t being the local and remote types)

# Grant mlsnetreadtoclr to racoon_t so the { peer packet } recv
# constraint passes via the (h1 dom l2) branch: racoon_t's high level
# (s15:c0.c1023) dominates the peer's level, even though its low
# level (s0) does not.
mls_socket_read_to_clearance(racoon_t)

# Let sockets labeled with either type match the IPsec SPD entry
# labeled with the other type, in both directions.
allow $local_t $remote_t:association polmatch;
allow $remote_t $local_t:association polmatch;

# Type-enforcement rule for the peer recv itself; this is checked
# separately from the MLS constraint above, and both must pass.
allow $local_t $remote_t:peer recv;

Thanks for the tips,

Joshua Roys

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
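The constraint quoted in the thread, worked through on the two contexts from the AVC. This is an added example in Python, not code from the message or from refpolicy: it models only the mlsconstrain { peer packet } { recv } clause (dominance of sensitivity and category sets), not the separate type-enforcement allow rule, and the source-type attribute lookup (source_attrs) is a hypothetical stand-in for what the real policy resolves from typeattribute statements. The contexts are taken verbatim from the denial above.

```python
"""Evaluate the MLS 'peer recv' constraint on two SELinux contexts.

Added example, not from the original message or refpolicy.  It models only:

    mlsconstrain { peer packet } { recv }
        (( l1 dom l2 ) or
         (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
         ( t1 == mlsnetread ));

The type-enforcement check (allow ...:peer recv) is a separate, independent
check and is not modelled here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

    def dom(self, other):
        """'a dom b': a's sensitivity >= b's and a's categories are a superset."""
        return self.sens >= other.sens and self.cats >= other.cats


def parse_cats(spec):
    """'c0.c1023,c2000' -> frozenset of category numbers ('.' denotes a range)."""
    cats = set()
    if not spec:
        return frozenset()
    for part in spec.split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_level(text):
    """'s15:c0.c1023' or 's0' -> Level."""
    m = re.fullmatch(r"s(\d+)(?::(.*))?", text)
    if not m:
        raise ValueError(f"bad level: {text!r}")
    return Level(int(m.group(1)), parse_cats(m.group(2) or ""))


def parse_context(ctx):
    """'user:role:type:low[-high]' -> (type, low Level, high Level).

    A context with no '-' has high == low.
    """
    _user, _role, typ, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    low_lvl = parse_level(low)
    high_lvl = parse_level(high) if high else low_lvl
    return typ, low_lvl, high_lvl


def peer_recv_allowed(scontext, tcontext, source_attrs=frozenset()):
    """True if the mlsconstrain clause passes for this source/target pair.

    source_attrs: attributes carried by the source type (hypothetical lookup;
    real policy derives these from typeattribute statements such as the one
    mls_socket_read_to_clearance() adds).
    """
    _, l1, h1 = parse_context(scontext)
    _, l2, _ = parse_context(tcontext)
    return (l1.dom(l2)
            or ("mlsnetreadtoclr" in source_attrs and h1.dom(l2))
            or "mlsnetread" in source_attrs)


# Contexts copied from the AVC in the thread.
RACOON_CTX = "system_u:system_r:racoon_t:s0-s15:c0.c1023"
UNLABELED_CTX = "system_u:object_r:unlabeled_t:s15:c0.c1023"


if __name__ == "__main__":
    for attrs in (frozenset(), frozenset({"mlsnetreadtoclr"}), frozenset({"mlsnetread"})):
        print(sorted(attrs) or "(no attribute)",
              "->", peer_recv_allowed(RACOON_CTX, UNLABELED_CTX, attrs))
```

Running it shows the denial directly: racoon_t's low level s0 does not dominate s15:c0.c1023, so the first branch fails and, without mlsnetreadtoclr, nothing else rescues it; with the attribute, the high level s15:c0.c1023 dominates and recv passes. The categories matter as much as the sensitivity: a source whose clearance is s15 with no categories would still be denied, because a superset check on the category set is part of dom.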
