OK, I run ipsec-load by hand and I have:

x4: RTNETLINK answers: Invalid argument

from this rule:

ip xfrm policy ... ctx "system_u:object_r:test_spd_t:s0" ...

ip xfrm state shows nothing...

log:

type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001
type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001
type=SYSCALL msg=audit(1491409613.572:207): arch=c000003e syscall=46 success=yes exit=16 a0=4 a1=7ffc059dea50 a2=0 a3=7ffc059de790 items=0 ppid=2966 pid=2967 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

So I change test_spd_t to ipsec_spd_t and now the ip cmd is ok:

ip xfrm policy ... ctx "system_u:object_r:ipsec_spd_t:s0" ...

but ... ip xfrm state still shows nothing...

log:

type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001
type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001
type=SYSCALL msg=audit(1491409549.370:202): arch=c000003e syscall=46 success=yes exit=16 a0=4 a1=7ffff54a6ad0 a2=0 a3=7ffff54a6810 items=0 ppid=2947 pid=2948 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_IPSEC_EVENT msg=audit(1491409549.377:203): op=SPD-add auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=SYSCALL msg=audit(1491409549.377:203): arch=c000003e syscall=46 success=yes exit=300 a0=4 a1=7ffeca3ab0e0 a2=0 a3=7ffeca3aae20 items=0 ppid=2947 pid=2958 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_IPSEC_EVENT msg=audit(1491409549.379:204): op=SPD-add auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=SYSCALL msg=audit(1491409549.379:204): arch=c000003e syscall=46 success=yes exit=300 a0=4 a1=7ffca5a8e4e0 a2=0 a3=7ffca5a8e220 items=0 ppid=2947 pid=2959 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_IPSEC_EVENT msg=audit(1491409549.383:205): op=SPD-add auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001
type=SYSCALL msg=audit(1491409549.383:205): arch=c000003e syscall=46 success=yes exit=300 a0=4 a1=7ffdb6e72080 a2=0 a3=7ffdb6e71dc0 items=0 ppid=2947 pid=2962 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_IPSEC_EVENT msg=audit(1491409549.385:206): op=SPD-add auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001
type=SYSCALL msg=audit(1491409549.385:206): arch=c000003e syscall=46 success=yes exit=300 a0=4 a1=7ffc76f2f3f0 a2=0 a3=7ffc76f2f130 items=0 ppid=2947 pid=2963 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

So I understand labeled IPsec works, but not with libreswan?
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
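An added helper for reading MAC_IPSEC_EVENT audit output like the records quoted in the post (example code, not from the post, libreswan or the SELinux project): it splits records that audit has run together on one line, tallies the SPD/SAD operations per security context, and reports whether any SAD (xfrm state) operation was logged at all. The sample records are constructed from the post's output with fields shortened, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the audit records in the post, with the
# SYSCALL record trimmed; several records deliberately share one line.
SAMPLE_LOG = (
    "type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 "
    "res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 "
    "src=127.0.0.1 dst=127.0.0.1 "
    "type=MAC_IPSEC_EVENT msg=audit(1491409549.377:203): op=SPD-add auid=0 "
    "res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 "
    "src=127.0.0.1 dst=127.0.0.1\n"
    "type=MAC_IPSEC_EVENT msg=audit(1491409549.383:205): op=SPD-add auid=0 "
    "res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 "
    "src=0000:0000:0000:0000:0000:0000:0000:0001 "
    "dst=0000:0000:0000:0000:0000:0000:0000:0001\n"
    'type=SYSCALL msg=audit(1491409549.383:205): arch=c000003e syscall=46 '
    'success=yes exit=300 comm="ip" exe="/usr/sbin/ip"\n'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')


def parse_records(text):
    """Return one dict of key=value fields per audit record.
    Records are split on 'type=' boundaries, not newlines, because
    ausearch/auditd output is often concatenated onto a single line."""
    records = []
    for chunk in re.split(r'(?=\btype=)', text):
        chunk = chunk.strip()
        if not chunk:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(chunk)}
        m = SERIAL_RE.search(chunk)
        if m:
            rec['time'], rec['serial'] = m.group(1), m.group(2)
        records.append(rec)
    return records


def summarize_ipsec(records):
    """Summarize xfrm audit events: op counts per security context, the
    number of failed operations (res != 1) and whether any SAD-* event
    appeared, i.e. whether a state (SA) was ever added or deleted."""
    ipsec = [r for r in records if r.get('type') == 'MAC_IPSEC_EVENT']
    ops = Counter((r.get('sec_obj', '?'), r['op']) for r in ipsec)
    failed = sum(1 for r in ipsec if r.get('res') != '1')
    sad_seen = any(r['op'].startswith('SAD-') for r in ipsec)
    return {'ops': dict(ops), 'failed': failed, 'sad_seen': sad_seen}
```

With the post's own output, only SPD-* events appear, so `sad_seen` stays False, which matches the empty `ip xfrm state` the poster reports.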