Openswan on FC4/5

Daniel J Walsh dwalsh at redhat.com
Thu Jul 13 15:16:32 UTC 2006


Stuart James wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 27 Jun 2006 14:46:29 +0100
> Stuart James <stuart at secpay.com> wrote:
>
>
>   
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Hi,
>>>>
>>>> We are using Openswan to connect two of our sites together via an
>>>> IPSEC tunnel. Recently we upgraded from FC3 to FC5 on our frontend
>>>> firewalls, including the version of openswan, selinux policy,
>>>> kernel, etc. We used to run in enforcing mode without any
>>>> difficulties, it now seems that with Enforcing mode on Openswan
>>>> does not seem to be able to add the route.
>>>>
>>>> Using setenforce 0, the tunnel becomes active. As far as I can
>>>> tell Openswan has difficulty adding the route to the Right/Left
>>>> nexthop, although the status of the tunnel appears to be up, the
>>>> routing does not appear to take place.
>>>>
>>>> #audit2allow -a -t /var/log/audit/audit.log
>>>> allow ifconfig_t self:netlink_xfrm_socket create;
>>>> allow ifconfig_t initrc_t:unix_stream_socket { read write };
>>>>         
>>> I've followed this up in more detail, adding to
>>> /usr/src/redhat/SOURCES/serefpolicy-2.2.43/policy/modules/system/sysnetwork.te
>>>
>>> # IPsec
>>> allow ifconfig_t self:netlink_xfrm_socket create;
>>> allow ifconfig_t initrc_t:unix_stream_socket { read write };
>>> allow ifconfig_t self:netlink_xfrm_socket setopt;
>>> allow ifconfig_t initrc_t:udp_socket { read write };
>>> allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
>>> allow ifconfig_t self:netlink_xfrm_socket bind;
>>> allow ifconfig_t self:netlink_xfrm_socket read;
>>> allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
>>> allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
>>> allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read
>>> write };
>>>
>>>       
>> These rules seem to work now.
>>
>>
>>     
> # IPSEC (openswan-2.4.x)
>
>
> allow traceroute_t initrc_t:rawip_socket { read write };
> allow traceroute_t initrc_t:udp_socket { read write };
> allow traceroute_t user_home_dir_t:dir search;
>
> allow ifconfig_t self:netlink_xfrm_socket create;
> allow ifconfig_t initrc_t:unix_stream_socket { read write };
> allow ifconfig_t self:netlink_xfrm_socket setopt;
> allow ifconfig_t initrc_t:udp_socket { read write };
> allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
> allow ifconfig_t self:netlink_xfrm_socket bind;
> allow ifconfig_t self:netlink_xfrm_socket read;
> allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
> allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
> allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read
> write }; 
> allow ifconfig_t self:netlink_xfrm_socket { nlmsg_write read }; 
> allow ifconfig_t unconfined_t:udp_socket { read write };
> allow unlabeled_t self:association sendto;
> allow unlabeled_t self:association recvfrom;
>
>
>   
OK, I can add the netlink_xfrm_socket stuff to upstream.  They will be in
tonight's policy.

The unlabeled_t should be gone with the latest policy.

I am not sure about

allow ifconfig_t unconfined_t:udp_socket { read write };
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow traceroute_t initrc_t:rawip_socket { read write };
allow traceroute_t initrc_t:udp_socket { read write };
allow traceroute_t user_home_dir_t:dir search;

Could you attach avc messages for these?


> Regards,
>
> - -- 
> Stuart James
> System Administrator
> DDI - (44) 0 1765 643354
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
>
> iD8DBQFEs8Znr8LwOCpshrYRAsy/AKC777P7eAugVKSer5Qlh6WFgsyDdQCeNyyp
> 6xAQw09KvJ92wtidicpJqhg=
> =+sXV
> -----END PGP SIGNATURE-----
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
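The rule list posted above is what you get from running audit2allow over the log after each retry: the same source/target/class pair appears many times with different permission subsets (bind; { bind setopt }; { bind getattr }; { bind getattr write }; ...), and one merged rule per pair is all the policy actually needs. The script below is an added example written for this page; it is not Openswan, refpolicy or audit2allow code. It does two things: turns raw AVC denial records into merged allow rules (what audit2allow summarises), and collapses an already-generated list like the one above into the same merged form. It assumes the audit.log AVC record layout ("avc:  denied  { perm ... } for ... scontext=... tcontext=... tclass=...") and uses only POSIX sh, awk and sort, so it runs offline without an SELinux system. The AVC records embedded in it are constructed stand-ins, not records from the poster's log.

```shell
#!/bin/sh
# Added example, not code from the thread, Openswan or the reference policy.
#   avc_to_allow      - raw AVC denial records -> one merged allow rule per
#                       (source, target, class)
#   merge_allow_rules - collapse overlapping allow rules (the list posted in
#                       the thread) into the same merged form
# Assumes the audit.log AVC record layout and POSIX sh/awk/sort only.

# Shared final stage: read "src tgt:class perm" triples on stdin, emit one
# sorted, de-duplicated "allow src tgt:class { perms };" line per key.
# Byte-order sort keeps every line of a key contiguous and the perms sorted.
group_rules() {
    LC_ALL=C sort -u | awk '
    {
        key = $1 " " $2
        if (key != cur) {
            if (cur != "") print "allow " cur " { " perms " };"
            cur = key; perms = $3
        } else {
            perms = perms " " $3
        }
    }
    END { if (cur != "") print "allow " cur " { " perms " };" }'
}

# AVC records -> triples. The third field of a context is its type; the
# target becomes "self" when source and target types match, which is how the
# netlink_xfrm_socket rules above come out. Non-AVC and "granted" lines are
# ignored.
avc_to_triples() {
    awk '
    function field(line, name,   s) {
        if (!match(line, name "[^ ]+")) return ""
        return substr(line, RSTART + length(name), RLENGTH - length(name))
    }
    function ctx_type(ctx,   a, n) { n = split(ctx, a, ":"); return (n >= 3) ? a[3] : ctx }
    /avc: *denied/ {
        perms = $0
        sub(/^.*denied[ \t]*[{][ \t]*/, "", perms)
        sub(/[ \t]*[}].*$/, "", perms)
        st = ctx_type(field($0, "scontext="))
        tt = ctx_type(field($0, "tcontext="))
        cl = field($0, "tclass=")
        if (st == "" || tt == "" || cl == "") next
        if (tt == st) tt = "self"
        n = split(perms, p, /[ \t]+/)
        for (i = 1; i <= n; i++) if (p[i] != "") print st, tt ":" cl, p[i]
    }'
}

# "allow ..." rules -> triples. Accepts a single perm or a { ... } set, joins
# a rule wrapped onto a second line (like the nlmsg_read one above), and
# skips comments and blank lines.
allow_to_triples() {
    awk '
    /^[ \t]*#/ { next }
    NF == 0 { next }
    {
        buf = buf " " $0
        if (index($0, ";") == 0) next     # wrapped rule: keep reading
        line = buf; buf = ""
        if (line !~ /^[ \t]*allow[ \t]/) next
        sub(/;.*$/, "", line)
        sub(/^[ \t]*allow[ \t]+/, "", line)
        gsub(/[{}]/, " ", line)
        n = split(line, w, /[ \t]+/)
        k = 0
        for (i = 1; i <= n; i++) {
            if (w[i] == "") continue
            k++
            if (k == 1) src = w[i]
            else if (k == 2) tgt = w[i]
            else print src, tgt, w[i]
        }
    }'
}

avc_to_allow()      { avc_to_triples   | group_rules; }
merge_allow_rules() { allow_to_triples | group_rules; }

# Constructed sample records (not real audit.log output). The udp_socket one
# is a stand-in for the cross-domain denials whose AVC records are asked for.
SAMPLE_AVC='type=AVC msg=audit(1152800000.100:10): avc:  denied  { create } for  pid=2001 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1152800000.200:11): avc:  denied  { bind setopt } for  pid=2001 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1152800000.300:12): avc:  denied  { read write } for  pid=2001 comm="ip" path="socket:[4711]" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1152800000.300:12): arch=40000003 syscall=54 success=no exit=-13'

# The ifconfig_t rules as posted in the thread, wrapped line included.
POSTED_RULES='# IPSEC (openswan-2.4.x)
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket setopt;
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
allow ifconfig_t self:netlink_xfrm_socket bind;
allow ifconfig_t self:netlink_xfrm_socket read;
allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read
write };
allow ifconfig_t self:netlink_xfrm_socket { nlmsg_write read };'

printf '%s\n' "$SAMPLE_AVC"   | avc_to_allow
printf '%s\n' "$POSTED_RULES" | merge_allow_rules
```

Merging changes nothing about whether a rule should be granted; the cross-domain ones (ifconfig_t on initrc_t or unconfined_t sockets) still need the AVC records to judge, which is why they are asked for above. Once a rule is justified, the merged lines belong in a local policy module loaded with semodule -i rather than in a patched copy of sysnetwork.te, so they survive the nightly policy updates mentioned in the reply.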