On Tue, 2017-04-04 at 17:09 +0000, Grzegorz Kuczyński wrote:
> [root@CnetOS7 ~]# ip xfrm state
> src 10.5.5.18 dst 10.5.5.10
>     proto esp spi 0xedbce21c reqid 16389 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(sha1) 0x4f8cdee1b453dacf606fcf630d9c5b328b952404 96
>     enc cbc(aes) 0x442da48e8178c4971275b9d889747536
> src 10.5.5.10 dst 10.5.5.18
>     proto esp spi 0x921bce56 reqid 16389 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(sha1) 0x7050af8d2c7c151db1ded71d5a4468eaafdc8a29 96
>     enc cbc(aes) 0x8686ccf1127bb881fa382fe17f790d69
> src 10.5.5.10 dst 10.5.5.18
>     proto esp spi 0xe6ca8cc5 reqid 16389 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(sha1) 0x3aef0708d244ede7793e328b1937d0b70d425fb7 96
>     enc cbc(aes) 0xa4cc55f6a88307b8f354fc3e8d576276
> src 10.5.5.18 dst 10.5.5.10
>     proto esp spi 0x5acea75b reqid 16389 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(sha1) 0x731268575b53cfbd9cac20e988cfc5557d381036 96
>     enc cbc(aes) 0x1defeab6aa6ac729f3082f6b70053918

Hmm...no security contexts? That would explain why you are getting unlabeled_t. But I guess the question is why pluto is creating SAs without any security contexts. Seems like a bug there, but I am not sure.

> Can this unlabeled flow be initiated from my own domain for a simple
> TCP server and client communicating via this tunnel?
> What do you mean by writing about "sample configuration" in the second
> paragraph?

git clone https://github.com/SELinuxProject/selinux-testsuite
cd selinux-testsuite
cat tests/inet_socket/ipsec-load

That however is a manual configuration; it doesn't use libreswan. Might be interesting though to confirm that the test works for you. You'll notice that if you run the ipsec-load script by hand and then run ip xfrm state, you'll see security contexts configured there.
Another reference is the SELinux Notebook,
http://freecomputerbooks.com/The-SELinux-Notebook-The-Foundations.html
There is both the book itself and a source tarball with sample configurations.

tar xzf notebook-source-4.0.tar.gz
cd notebook-source
cat basic-selinux-policy/CIL/message-filter/ipsec.conf

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
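The diagnosis in the reply above (no security context on any SA, hence unlabeled_t) is easy to miss by eye in a long `ip xfrm state` dump. The script below is an added example, not code from this thread, from libreswan or from the SELinux project: it parses `ip xfrm state` output into one record per SA and lists the SAs that carry no security context, plus any reqid whose SAs disagree on context (for instance only one direction labeled). The first four records of the embedded sample are the SAs from the quoted dump; the fifth is constructed to show the "security context ..." line iproute2 prints when an SA has a context attached, and its spi, reqid, keys and context string are illustrative assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input. Records 1-4: the SAs from the quoted `ip xfrm state` dump
# (none has a "security context" line). Record 5: a constructed labeled SA;
# its spi, reqid, zeroed keys and context string are assumptions for illustration.
SAMPLE_DUMP = """\
src 10.5.5.18 dst 10.5.5.10
\tproto esp spi 0xedbce21c reqid 16389 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x4f8cdee1b453dacf606fcf630d9c5b328b952404 96
\tenc cbc(aes) 0x442da48e8178c4971275b9d889747536
src 10.5.5.10 dst 10.5.5.18
\tproto esp spi 0x921bce56 reqid 16389 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x7050af8d2c7c151db1ded71d5a4468eaafdc8a29 96
\tenc cbc(aes) 0x8686ccf1127bb881fa382fe17f790d69
src 10.5.5.10 dst 10.5.5.18
\tproto esp spi 0xe6ca8cc5 reqid 16389 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x3aef0708d244ede7793e328b1937d0b70d425fb7 96
\tenc cbc(aes) 0xa4cc55f6a88307b8f354fc3e8d576276
src 10.5.5.18 dst 10.5.5.10
\tproto esp spi 0x5acea75b reqid 16389 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x731268575b53cfbd9cac20e988cfc5557d381036 96
\tenc cbc(aes) 0x1defeab6aa6ac729f3082f6b70053918
src 10.5.5.10 dst 10.5.5.18
\tproto esp spi 0x00000100 reqid 1 mode transport
\treplay-window 32
\tauth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
\tenc cbc(aes) 0x00000000000000000000000000000000
\tsecurity context system_u:object_r:ipsec_spd_t:s0
"""

HEADER = re.compile(r"^src (\S+) dst (\S+)")
PROTO = re.compile(r"^\s+proto (\S+) spi (\S+) reqid (\S+) mode (\S+)")
SECCTX = re.compile(r"^\s+security context (\S+)")


@dataclass
class Sa:
    src: str
    dst: str
    proto: str = ""
    spi: str = ""
    reqid: str = ""
    mode: str = ""
    ctx: Optional[str] = None  # None: the SA has no security context attached


def parse_xfrm_state(dump: str) -> List[Sa]:
    """Split `ip xfrm state` text into one Sa per 'src ... dst ...' record."""
    sas: List[Sa] = []
    for line in dump.splitlines():
        m = HEADER.match(line)
        if m:
            sas.append(Sa(src=m.group(1), dst=m.group(2)))
            continue
        if not sas:
            continue  # ignore anything before the first record
        m = PROTO.match(line)
        if m:
            sas[-1].proto, sas[-1].spi, sas[-1].reqid, sas[-1].mode = m.groups()
            continue
        m = SECCTX.match(line)
        if m:
            sas[-1].ctx = m.group(1)
    return sas


def unlabeled(sas: List[Sa]) -> List[Sa]:
    """SAs with no security context; traffic over them shows up as unlabeled_t."""
    return [sa for sa in sas if sa.ctx is None]


def reqid_context_mismatch(sas: List[Sa]) -> List[str]:
    """reqids whose SAs do not all carry the same context (e.g. one direction only)."""
    by_reqid = {}
    for sa in sas:
        by_reqid.setdefault(sa.reqid, set()).add(sa.ctx)
    return sorted(r for r, ctxs in by_reqid.items() if len(ctxs) > 1)


def report(dump: str) -> List[str]:
    """One human-readable line per SA, flagging the ones without a context."""
    lines = []
    for sa in parse_xfrm_state(dump):
        status = sa.ctx if sa.ctx else "NO SECURITY CONTEXT"
        lines.append(f"{sa.src} -> {sa.dst} {sa.proto} spi {sa.spi} "
                     f"reqid {sa.reqid} mode {sa.mode}: {status}")
    return lines


if __name__ == "__main__":
    # On a live host feed in subprocess.run(["ip", "xfrm", "state"], ...).stdout instead.
    print("\n".join(report(SAMPLE_DUMP)))
    print(f"{len(unlabeled(parse_xfrm_state(SAMPLE_DUMP)))} SA(s) without a security context")
```

On the quoted dump this flags all four pluto-created SAs (reqid 16389) and reports no context on any of them, which is the situation the reply describes; after running the ipsec-load script by hand, the SAs it installs should instead show up with a context in the last column.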