On 04/02/2017 11:57 AM, Grzegorz Kuczyński wrote:
> Hello
>
> I configured Labeled IPSec on CentOS 7 using Libreswan and I found such denied:
>
> type=AVC msg=audit(1491053758.389:1366): avc: denied { polmatch } for pid=0 comm="swapper/0" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s0 tclass=association
>
> My config file on both hosts is:
>
> # cat /etc/ipsec.conf
> version 2
>
> config setup
>     protostack=netkey
>
> conn ipsec_selinux_tunnel
>     ...
>     labeled_ipsec=yes
>     policy_label=system_u:object_r:ipsec_spd_t:s0
>
> It looks like process swapper is missing a label?
Yes, it looks like your system is mislabeled. Did you boot with SELinux disabled and then turn SELinux to enforcing/permissive again?
To fix labels please run:

# restorecon -Rv /

Then please restart services with the "unlabeled_t" label.
> I must add this rule to my own module:
>
> allow unlabeled_t ipsec_spd_t:association { polmatch };
This local module can be removed after the full system relabel mentioned above.

Lukas.
> This is not a bug?
>
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
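An added example, not code from the thread or from either poster: it derives the allow rule Grzegorz quotes from the AVC record he posted and wraps it in a local module built with the standard checkmodule/semodule_package/semodule steps, so it can be dropped again with `semodule -r` once `restorecon -Rv /` has fixed the labels. The module name `local_ipsec_spd` and the `install_local_module` helper are assumptions, not anything the thread mentions.

```shell
#!/bin/sh
# Added example, not from the thread: turn the AVC record quoted above into
# the local policy rule/module Grzegorz describes. The AVC line is copied
# from the thread; the module name is an assumption.

AVC_LINE='type=AVC msg=audit(1491053758.389:1366): avc: denied { polmatch } for pid=0 comm="swapper/0" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s0 tclass=association'

# Pull one key=value field (scontext, tcontext, tclass) out of an AVC record.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Parse the record into globals used below. The SELinux type is the third
# component of a user:role:type:level context.
parse_avc() {
    AVC_STYPE=$(avc_field scontext "$1" | cut -d: -f3)
    AVC_TTYPE=$(avc_field tcontext "$1" | cut -d: -f3)
    AVC_TCLASS=$(avc_field tclass "$1")
    AVC_PERMS=$(printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' |
                sed 's/[[:space:]]*$//')
}

# The allow rule, in the form audit2allow would print it.
avc_to_allow() {
    parse_avc "$1"
    printf 'allow %s %s:%s { %s };\n' "$AVC_STYPE" "$AVC_TTYPE" "$AVC_TCLASS" "$AVC_PERMS"
}

# Complete .te source for a local module named $2 carrying that one rule.
avc_to_te() {
    parse_avc "$1"
    rule=$(avc_to_allow "$1")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n%s\n' \
        "$2" "$AVC_STYPE" "$AVC_TTYPE" "$AVC_TCLASS" "$AVC_PERMS" "$rule"
}

# Build and load the module (needs root plus the checkpolicy and
# policycoreutils tools). After the relabel, remove it with: semodule -r $name
install_local_module() {
    name=$1
    avc_to_te "$AVC_LINE" "$name" > "$name.te"
    checkmodule -M -m -o "$name.mod" "$name.te" &&
        semodule_package -o "$name.pp" -m "$name.mod" &&
        semodule -i "$name.pp"
}
```

Run `install_local_module local_ipsec_spd` as root to load the workaround; `avc_to_te "$AVC_LINE" local_ipsec_spd` alone just prints the module source for review.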