On Sat, Jul 06, 2013 at 09:21:47PM +0200, Sven Vermeulen wrote:
> On Sat, Jul 06, 2013 at 11:40:46AM -0400, Chad Hanson wrote:
> > Are you running with MLS policy? I am curious since the last output
> > showed: system_u:object_r:ipsec_spd_t:s0-s0:c0.c1023. I would expect
> > the following SPD context for MLS:
> > system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023. If not using MLS, you
> > would always fail in within_range() at
> >
> > if (!mls_ready) /* mls may not be enabled */
> > return 0
> >
> > There should be a log message at the startup of racoon if MLS is
> > disabled. I didn't originally notice your original SPD context wasn't
> > ranged: system_u:object_r:ipsec_spd_t:s0. This typically would be
> > system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 on an MLS system.
>
> I'm running an MLS-enabled policy (but it's MCS, so only a single sensitivity
> level but multiple categories). I was thinking about the range as well, but
> that doesn't seem to help.

Meh, it *was* the mls_ready variable - it was still 0. I didn't see any logs
because ipsec-tools initializes its logging (ploginit) /after/ it calls
init_avc, so the log message about MLS being disabled was never shown.

Turns out I had to allow racoon_t getattr rights on the security_t filesystem
and everything works now. I didn't catch it with permissive mode because I
changed to permissive mode /after/ racoon was started.

Thanks for all the help!

Sven Vermeulen
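Two checks that follow from the thread, written here as an added example (not code from ipsec-tools, refpolicy or the thread): splitting a context so that a category range such as s0-s15:c0.c1023 is not mistaken for extra fields, deciding whether an SPD context is sensitivity-ranged in the way Chad expected, and filtering audit lines for the racoon_t denial on security_t that silently left mls_ready at 0. The audit lines are constructed samples in the standard AVC format; the domain and type names come from the thread.

```python
import re

def parse_context(ctx):
    """Split an SELinux context into (user, role, type, range).
    The range may itself contain ':' (s0-s15:c0.c1023), so split at most 3 times."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    user, role, typ = parts[:3]
    rng = parts[3] if len(parts) == 4 else ""
    return user, role, typ, rng

def is_ranged(ctx):
    """True when the range spans distinct sensitivities (e.g. s0-s15), which is
    what an SPD entry looks like on an MLS system. An MCS range such as
    s0-s0:c0.c1023, or a bare s0, stays at a single sensitivity."""
    rng = parse_context(ctx)[3]
    if "-" not in rng:
        return False
    low, high = rng.split("-", 1)
    return low.split(":", 1)[0] != high.split(":", 1)[0]

# Standard AVC denial layout: "avc:  denied  { perms } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")

def selinuxfs_denials(lines, domain="racoon_t"):
    """Return (perms, tclass) for denials where `domain` was refused access to a
    security_t (selinuxfs) object. A getattr denial on security_t:filesystem is
    exactly the one that keeps racoon's MLS detection, and so mls_ready, at 0."""
    hits = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        if parse_context(m["scontext"])[2] != domain:
            continue
        if parse_context(m["tcontext"])[2] != "security_t":
            continue
        hits.append((m["perms"].strip(), m["tclass"]))
    return hits

# Constructed sample audit lines (not captured from the poster's system).
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1373133707.123:45): avc:  denied  { getattr } for  pid=1234 comm="racoon" '
    'scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem',
    'type=AVC msg=audit(1373133707.124:46): avc:  denied  { write } for  pid=1234 comm="racoon" '
    'scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=AVC msg=audit(1373133708.000:47): avc:  denied  { read } for  pid=999 comm="sshd" '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file',
]
```

Running `selinuxfs_denials(SAMPLE_AUDIT)` on the constructed lines reports only the racoon_t getattr on security_t:filesystem; remember that the denial is only logged once racoon is started in a permissive domain, not when permissive mode is switched on afterwards.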