Hello again :)
This time it work, and this is what I does:
Add to ipsec.conf this options:
secctx-attr-type=32001
This is my config:
[root@CnetOS7 netserver]# cat /etc/ipsec.conf
version 2
config setup
protostack=netkey
secctx-attr-type=32001
conn ipsec_selinux_tunnel
leftid=@west
left=10.5.5.18
leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...] W2n417C/4urYHQkCvuIQ==
rightid=@east
right=10.5.5.10
rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
authby=rsasig
auto=start
labeled_ipsec=yes
policy_label=system_u:object_r:ipsec_spd_t:s0
In my own domain I coment unlabeled_t allow:
netserver.te:
...
allow netserver_t ipsec_t:association { polmatch };
allow ipsec_t netserver_t:association { setcontext };
allow ipsec_t ipsec_spd_t:association { setcontext };
#allow unlabeled_t ipsec_spd_t:association { polmatch };
I start my server and client and I have some denied, so I add to my server domain:
allow netserver_t netif_t:netif { ingress egress }
allow netserver_t node_t:node { sendto recvfrom }
and client domain:
allow netclient_t netif_t:netif { ingress egress }
allow netclient_t node_t:node { sendto recvfrom }
allow netclient_t netserver_t:peer { recv }
allow netserver_t netclient_t:peer { recv }
Now work properly:
[root@CnetOS7 netserver]# netserver -Z
Listening...
Connected with 10.5.5.10:44998
Client SELinux conntext: unconfined_u:unconfined_r:netclient_t:s0-s0:c0.c1023
Retrive: quit
[root@CnetOS7 netserver]# ip xfrm state
src 10.5.5.10 dst 10.5.5.18
proto esp spi 0x436be694 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x4c7d6ff6a191951fc69d9c3def070db3e0d59ae5 96
enc cbc(aes) 0x3c624b14b79e6f2dd632d26d36d90ff7
security context unconfined_u:unconfined_r:netserver_t:s0-s0:c0.c1023
src 10.5.5.18 dst 10.5.5.10
proto esp spi 0x3ad8e7fa reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x91a06a54d2fd1899229129489bd1d766b8f00990 96
enc cbc(aes) 0x77a17777f44378970ffa25cdd2a8bd34
security context unconfined_u:unconfined_r:netserver_t:s0-s0:c0.c1023
src 10.5.5.18 dst 10.5.5.10
proto esp spi 0x814b2bb1 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x6b72091e994d5790690f8169889e2188b2cbc933 96
enc cbc(aes) 0x5e9d4f9128c995edbf7e46aca6f92950
security context unconfined_u:unconfined_r:netclient_t:s0-s0:c0.c1023
src 10.5.5.10 dst 10.5.5.18
proto esp spi 0xfde27f2f reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xdfa421e570976742d24028a00f391857beac5683 96
enc cbc(aes) 0x9c72f2a72726154130f1c8922e0b173e
security context unconfined_u:unconfined_r:netclient_t:s0-s0:c0.c1023
src 10.5.5.10 dst 10.5.5.18
proto esp spi 0x9b25639b reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x6adc49b7978217d1a5656b3462f916ef051e43b6 96
enc cbc(aes) 0x4c248f4bc47199b3637b32226d9e7377
src 10.5.5.18 dst 10.5.5.10
proto esp spi 0xc17086fa reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x726602fb3a003b0296bd3c59d0c0631ae8b69619 96
enc cbc(aes) 0x167ce87116d07c4d3436c1631fb6efa4
src 10.5.5.10 dst 10.5.5.18
proto esp spi 0xc7ceed20 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x5debc146502f9d8322f79130a695a863a5191edd 96
enc cbc(aes) 0xc66cf0910346412f78aaab9770c98a7d
src 10.5.5.18 dst 10.5.5.10
proto esp spi 0x6b36950c reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xe138e77d26e05ffdbfdad7241f505645917a8574 96
enc cbc(aes) 0x874ed487c96261c692672d48e02129f3
So the reason why this not work early is missing option in ipsec.conf?
Or it is still bug?
Thanks to help
2017-04-06 17:53 GMT+02:00 Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>:
Out of idle curiosity I thought I would test this.On Tue, 2017-04-04 at 18:43 -0400, Paul Wouters wrote:
> On 04/04/2017 05:14 PM, Paul Moore wrote:
> > On Tue, Apr 4, 2017 at 1:43 PM, Stephen Smalley <sds@xxxxxxxxxxxxx>
> > wrote:
> > > On Tue, 2017-04-04 at 17:09 +0000, Grzegorz Kuczyński wrote:
> > > > [root@CnetOS7 ~]# ip xfrm state
> > > > src 10.5.5.18 dst 10.5.5.10
> > > > proto esp spi 0xedbce21c reqid 16389 mode tunnel
> > > > replay-window 32 flag af-unspec
> > > > auth-trunc hmac(sha1)
> > > > 0x4f8cdee1b453dacf606fcf630d9c5b328b952404 96
> > > > enc cbc(aes) 0x442da48e8178c4971275b9d889747536
> > > > src 10.5.5.10 dst 10.5.5.18
> > > > proto esp spi 0x921bce56 reqid 16389 mode tunnel
> > > > replay-window 32 flag af-unspec
> > > > auth-trunc hmac(sha1)
> > > > 0x7050af8d2c7c151db1ded71d5a4468eaafdc8a29 96
> > > > enc cbc(aes) 0x8686ccf1127bb881fa382fe17f790d69
> > > > src 10.5.5.10 dst 10.5.5.18
> > > > proto esp spi 0xe6ca8cc5 reqid 16389 mode tunnel
> > > > replay-window 32 flag af-unspec
> > > > auth-trunc hmac(sha1)
> > > > 0x3aef0708d244ede7793e328b1937d0b70d425fb7 96
> > > > enc cbc(aes) 0xa4cc55f6a88307b8f354fc3e8d576276
> > > > src 10.5.5.18 dst 10.5.5.10
> > > > proto esp spi 0x5acea75b reqid 16389 mode tunnel
> > > > replay-window 32 flag af-unspec
> > > > auth-trunc hmac(sha1)
> > > > 0x731268575b53cfbd9cac20e988cfc5557d381036 96
> > > > enc cbc(aes) 0x1defeab6aa6ac729f3082f6b70053918
> > >
> > > Hmm...no security contexts? That would explain why you are
> > > getting
> > > unlabeled_t. But I guess the question is why is pluto creating
> > > SAs
> > > without any security contexts. Seems like a bug there, but I am
> > > not
> > > sure.
>
> What is the configuration? Was labeled-ipsec=yes and policy-label=
> set?
> If dealing with RHEL6 or older, it also needs to have secctx-attr-
> type=10
> If not, no security context is set.
>
> > https://lists.fedoraproject.org/archives/list/selinux@ lists.fedorap
> > roject.org/thread/AXJWXBVF4ZCSPKQ42MWX5LRTD5PGRS 7O
>
> Note the references in the documentation to loopback should be
> removed. It was broken
> and removed.
>
> Was IKEv1 used? IKEv2 does not support security labels so set
> ikev2=never
>
> Log files should indicate if any security label was negotiated.
>
> Is this system using MLS?
>
> Paul
I set up two machines and finally got this to work. I did have the same
problem as yourself:
allow unlabeled_t ipsec_spd_t:association polmatch;
However I did the following to fix this (on both machines running
Fedora 25 targeted policy):
1) iptables -I INPUT 1 -p esp -j ACCEPT
2) Added the following module:
module local 1.0;
require {
type unconfined_t;
type ipsec_spd_t;
type ipsec_t;
class association setcontext;
}
#============= ipsec_t ==============
allow ipsec_t ipsec_spd_t:association setcontext;
# Required because I just run as a basic user. Not sure what you need
allow ipsec_t unconfined_t:association setcontext;
One side ipsec.conf file contents:
version 2.0
config setup
plutorestartoncrash=false
protostack=netkey
plutodebug="all"
# Note: works with either 10 or 32001, however must
# be same on both machines.
secctx-attr-type=32001
conn labeled_test
auto=start
rekey=no
authby=secret
type=transport
left=192.168.1.77
right=192.168.1.64
ike=3des-sha1
phase2=esp
phase2alg=aes-sha1
labeled-ipsec=yes
policy-label=system_u:object_r:ipsec_spd_t:s0
leftprotoport=tcp
rightprotoport=tcp
I could see the correct peer context using getpeercon(3) on my test
client/server:
Server Peer Context: unconfined_u:unconfined_r:unconfined_t:s0-
s0:c0.c1023
Client Peer Context: unconfined_u:unconfined_r:unconfined_t:s0-
s0:c0.c1023
Hope you get yours to work now (or you may have it working already ??)
Richard
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
