Glad to hear you found the issue. Everything else looked good, especially once you added the MCS range.

On Sun, Jul 7, 2013 at 4:33 AM, Sven Vermeulen <sven.vermeulen@xxxxxxxxx> wrote:
> On Sat, Jul 06, 2013 at 09:21:47PM +0200, Sven Vermeulen wrote:
>> On Sat, Jul 06, 2013 at 11:40:46AM -0400, Chad Hanson wrote:
>> > Are you running with MLS policy? I am curious since the last output
>> > showed: system_u:object_r:ipsec_spd_t:s0-s0:c0.c1023. I would expect
>> > the following SPD context for MLS:
>> > system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023. If not using MLS, you
>> > would always fail in within_range() at
>> >
>> > if (!mls_ready) /* mls may not be enabled */
>> > return 0
>> >
>> > There should be a log message at the startup of racoon if MLS is
>> > disabled. I didn't originally notice your original SPD context wasn't
>> > ranged: system_u:object_r:ipsec_spd_t:s0. This typically would be
>> > system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 on an MLS system.
>>
>> I'm running an MLS-enabled policy (but it's MCS, so only a single sensitivity
>> level but multiple categories). I was thinking about the range as well, but
>> that doesn't seem to help.
>
> Meh, it *was* the mls_ready variable - it was still 0.
>
> I didn't see any logs because ipsec-tools initializes its logging (ploginit)
> /after/ it calls the init_avc, so the log message about MLS being disabled
> was never shown.
>
> Turns out I had to allow racoon_t getattr rights on the security_t
> filesystem and everything works now. I didn't catch it with permissive mode
> because I changed to permissive mode /after/ racoon was started.
>
> Thanks for all the help!
>
> Sven Vermeulen
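Added example (not code from this thread or from ipsec-tools): a small Python parser for the SELinux MLS/MCS ranges quoted above, checking whether a single level falls inside a ranged or unranged SPD context, with the mls_ready gate Chad quoted in front of it. racoon's real within_range() asks the kernel AVC for the decision rather than comparing strings, so the string rules here (sN, cN, cN.cM, comma-separated categories) are an assumption used only to illustrate what the contexts in the thread mean.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: a sensitivity and a set of categories."""
    sens: int
    cats: frozenset


def parse_level(text):
    """'s0:c0.c1023' -> Level(0, {0..1023}); 's15' -> Level(15, {})."""
    sens_part, _, cat_part = text.partition(":")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        if "." in item:                      # 'c0.c1023' is an inclusive run
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return Level(int(sens_part[1:]), frozenset(cats))


def parse_range(text):
    """'s0-s15:c0.c1023' -> (low, high); an unranged 's0' -> (s0, s0)."""
    low_text, _, high_text = text.partition("-")
    low = parse_level(low_text)
    return low, (parse_level(high_text) if high_text else low)


def dominates(a, b):
    """a dominates b when its sensitivity is >= and its categories are a superset."""
    return a.sens >= b.sens and b.cats <= a.cats


def spd_context_range(context):
    """Pull the MLS field out of 'user:role:type:range' (range may contain ':')."""
    return context.split(":", 3)[3]


def level_within_range(level_text, range_text):
    low, high = parse_range(range_text)
    level = parse_level(level_text)
    return dominates(level, low) and dominates(high, level)


def within_range(level_text, spd_context, mls_ready, log=print):
    """Same shape as the gate in the thread: with MLS not ready, every match fails
    before the range is even looked at, which is why a log line at init matters."""
    if not mls_ready:
        log("MLS not enabled: within_range() refuses every SPD match")
        return False
    return level_within_range(level_text, spd_context_range(spd_context))
```

With the thread's contexts, the unranged `...:s0` SPD entry cannot contain an MCS level carrying categories, whereas `s0-s15:c0.c1023` does; and with mls_ready false the result is a refusal regardless of the range.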