
Re: Openswan on FC4/5



Stuart James wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 27 Jun 2006 14:46:29 +0100
Stuart James <stuart secpay com> wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

We are using Openswan to connect two of our sites together via an
IPSEC tunnel. Recently we upgraded from FC3 to FC5 on our frontend
firewalls, including the version of openswan, selinux policy,
kernel, etc. We used to run in enforcing mode without any
difficulties; it now seems that with Enforcing mode on, Openswan
does not seem to be able to add the route.

Using setenforce 0, the tunnel becomes active. As far as I can
tell Openswan has difficulty adding the route to the Right/Left
nexthop; although the status of the tunnel appears to be up, the
routing does not appear to take place.

#audit2allow -a -t /var/log/audit/audit.log
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
I've followed this up in more detail, adding to
/usr/src/redhat/SOURCES/serefpolicy-2.2.43/policy/modules/system/sysnetwork.te

# IPsec
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket setopt;
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
allow ifconfig_t self:netlink_xfrm_socket bind;
allow ifconfig_t self:netlink_xfrm_socket read;
allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };

These rules seem to work now.


# IPSEC (openswan-2.4.x)


allow traceroute_t initrc_t:rawip_socket { read write };
allow traceroute_t initrc_t:udp_socket { read write };
allow traceroute_t user_home_dir_t:dir search;

allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket setopt;
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
allow ifconfig_t self:netlink_xfrm_socket bind;
allow ifconfig_t self:netlink_xfrm_socket read;
allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };
allow ifconfig_t self:netlink_xfrm_socket { nlmsg_write read };
allow ifconfig_t unconfined_t:udp_socket { read write };
allow unlabeled_t self:association sendto;
allow unlabeled_t self:association recvfrom;


Ok, I can add the netlink_xfrm_socket stuff to upstream. They will be in tonight's policy.

The unlabeled_t should be gone with the latest policy.

I am not sure about

allow ifconfig_t unconfined_t:udp_socket { read write };
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow traceroute_t initrc_t:rawip_socket { read write };
allow traceroute_t initrc_t:udp_socket { read write };
allow traceroute_t user_home_dir_t:dir search;

Could you attach avc messages for these?



Regards,

- -- Stuart James
System Administrator
DDI - (44) 0 1765 643354

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEs8Znr8LwOCpshrYRAsy/AKC777P7eAugVKSer5Qlh6WFgsyDdQCeNyyp
6xAQw09KvJ92wtidicpJqhg=
=+sXV
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
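The rule lists in the thread are raw audit2allow output, so the same (source domain, target, class) tuple appears several times with partial permission sets, and the maintainer asks for the AVC messages behind the rules that involve another domain's sockets. As an added example, not code from the thread or from audit2allow itself, here is a small Python script that parses AVC denial lines in the /var/log/audit/audit.log format, merges them into one allow rule per tuple (writing the target as `self` when it equals the source, as the reference policy does), and flags rules where one domain only reads and writes a socket owned by a different domain. The sample log lines, pids and timestamps below are constructed, and the leaked-descriptor check is my own heuristic, not something audit2allow reports.

```python
import re
from collections import defaultdict

# Constructed sample denials in audit.log format (not from the thread; pids,
# timestamps and the trailing SYSCALL line are made up noise/records).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1151414789.101:201): avc:  denied  { create } for  pid=2101 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151414789.102:202): avc:  denied  { setopt } for  pid=2101 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151414789.103:203): avc:  denied  { bind } for  pid=2101 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151414789.104:204): avc:  denied  { getattr write } for  pid=2101 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151414789.105:205): avc:  denied  { nlmsg_read read } for  pid=2101 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151414789.106:206): avc:  denied  { read write } for  pid=2101 comm="ip" path="socket:[8675]" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1151414789.106:206): arch=40000003 syscall=102 success=no exit=-13 comm="ip" exe="/sbin/ip"
"""

# Kernel AVC denial: "avc: denied { perms } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Object classes where read/write on another domain's object usually means the
# descriptor was inherited across exec (heuristic, my assumption for this example).
LEAK_CLASSES = {"unix_stream_socket", "udp_socket", "tcp_socket",
                "rawip_socket", "fd", "fifo_file"}


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other non-AVC records are skipped
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))


def merge_denials(text):
    """Union the permissions of all denials sharing (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    return merged


def format_rule(src, tgt, cls, perms):
    """Render one allow rule in reference-policy syntax, using self where apt."""
    target = "self" if src == tgt else tgt
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {target}:{cls} {perm_str};"


def leaked_descriptor_suspect(src, tgt, cls, perms):
    """True when src only reads/writes a socket or fd that belongs to another
    domain: the usual sign that the descriptor was inherited from the parent
    (initrc_t here) rather than opened by src itself."""
    return src != tgt and cls in LEAK_CLASSES and perms <= {"read", "write"}


def generate_rules(text):
    """Return (all merged rules, subset of rules that look like descriptor leaks)."""
    rules, suspects = [], []
    for (src, tgt, cls), perms in sorted(merge_denials(text).items()):
        rule = format_rule(src, tgt, cls, perms)
        rules.append(rule)
        if leaked_descriptor_suspect(src, tgt, cls, perms):
            suspects.append(rule)
    return rules, suspects


if __name__ == "__main__":
    all_rules, leak_rules = generate_rules(SAMPLE_AUDIT_LOG)
    for r in all_rules:
        print(("# check: inherited descriptor? " if r in leak_rules else "") + r)
```

Run on the constructed log the script collapses the five netlink_xfrm_socket denials into a single `allow ifconfig_t self:netlink_xfrm_socket { ... };` line, which is the form the maintainer would carry upstream, and marks the initrc_t unix_stream_socket rule for a second look. That second category is why the reply above asks for the AVC messages rather than accepting the rules as written: when a confined domain is merely inheriting a socket from the script that started it, the policy fix is normally to stop the leak (or dontaudit it) instead of granting the domain read/write on the other domain's sockets.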

