[redhat-lspp] new ipsec-tools package

Joe Nall joe at nall.com
Wed Apr 11 20:08:51 UTC 2007


I'm not having any luck with this package:

/var/log/message

Apr 11 14:56:39 fc6work racoon: ERROR: no configuration found for 127.0.0.1.
Apr 11 14:56:39 fc6work racoon: ERROR: failed to begin ipsec sa negotication.
Apr 11 14:57:09 fc6work racoon: INFO: security context doi: 1
Apr 11 14:57:09 fc6work racoon: INFO: security context algorithm: 1
Apr 11 14:57:09 fc6work racoon: INFO: security context length: 44
Apr 11 14:57:09 fc6work racoon: INFO: security context: system_u:system_r:jcdx_ep_t:s0-s15:c0.c1023
Apr 11 14:57:09 fc6work racoon: ERROR: no configuration found for 127.0.0.1.
Apr 11 14:57:09 fc6work racoon: ERROR: failed to begin ipsec sa negotication.
Apr 11 14:57:39 fc6work racoon: INFO: security context doi: 1
Apr 11 14:57:39 fc6work racoon: INFO: security context algorithm: 1
Apr 11 14:57:39 fc6work racoon: INFO: security context length: 43

setkey -DP
...
127.0.0.1[any] 127.0.0.1[any] any
         in prio def ipsec
         esp/transport//require
         created: Apr 11 09:46:32 2007  lastused:
         lifetime: 0(s) validtime: 0(s)
         security context doi: 1
         security context algorithm: 1
         security context length: 46
         security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
         spid=8 seq=13 pid=3351
         refcnt=1
10.211.55.6[any] 10.211.55.6[any] any
         in prio def ipsec
         esp/transport//require
         created: Apr 11 09:46:32 2007  lastused:
         lifetime: 0(s) validtime: 0(s)
         security context doi: 1
         security context algorithm: 1
         security context length: 46
         security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
         spid=32 seq=12 pid=3351
         refcnt=1
127.0.0.1[any] 127.0.0.1[any] any
         out prio def ipsec
         esp/transport//require
         created: Apr 11 09:46:32 2007  lastused: Apr 11 15:00:11 2007
         lifetime: 0(s) validtime: 0(s)
         security context doi: 1
         security context algorithm: 1
         security context length: 46
         security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
         spid=1 seq=11 pid=3351
         refcnt=41
10.211.55.6[any] 10.211.55.6[any] any
         out prio def ipsec
         esp/transport//require
         created: Apr 11 09:46:32 2007  lastused: Apr 11 14:59:39 2007
         lifetime: 0(s) validtime: 0(s)
         security context doi: 1
         security context algorithm: 1
         security context length: 46
         security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
         spid=25 seq=10 pid=3357
         refcnt=3
127.0.0.1[any] 127.0.0.1[any] any
         fwd prio def ipsec
         esp/transport//require
         created: Apr 11 09:46:32 2007  lastused:
         lifetime: 0(s) validtime: 0(s)
         security context doi: 1
         security context algorithm: 1
         security context length: 46
         security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
         spid=18 seq=9 pid=3357
         refcnt=1
10.211.55.6[any] 10.211.55.6[any] any
         fwd prio def ipsec
         esp/transport//require
         created: Apr 11 09:46:32 2007  lastused:
         lifetime: 0(s) validtime: 0(s)
         security context doi: 1
         security context algorithm: 1
         security context length: 46
         security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
         spid=42 seq=8 pid=3357
         refcnt=1

/var/log/audit/audit.log has lots of polmatch avcs

type=AVC msg=audit(1176302177.663:28): avc:  denied  { polmatch }  for  pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 tclass=association
type=AVC msg=audit(1176302177.663:28): avc:  denied  { sendto } for  pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:system_r:cupsd_t:s15:c0.c1023 tclass=association
type=SYSCALL msg=audit(1176302177.663:28): arch=40000003 syscall=102 success=no exit=-3 a0=3 a1=bfe48050 a2=2baff4 a3=2 items=0 ppid=2128 pid=2129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s15:c0.c1023 key=(null)

I'm running a modified version of the 2.5.2 policy with xace changes
from Eamon Walsh. I'll try to build a box with current LSPP policy to
determine if it is a policy issue.

joe
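As an added example (not part of Joe's post, the ipsec-tools package, or the LSPP policy), the following Python script parses audit records like the ones quoted above, keeps only denials in the `association` class (the object class the kernel uses for labeled IPsec policy matching), and for each one reports the source and target types together with a check of whether the process's MLS level lies inside the target's MLS range. The sample records are copies of the three lines in the post, joined onto one line each. The range check applies the usual MLS dominance rule (sensitivity and category superset); treating an in-range `polmatch` denial as pointing at type-enforcement rules rather than the MLS constraint is this example's assumption, not a statement from the thread.

```python
import re

# Constructed sample input: the three audit records quoted in the post, one per line.
# The SYSCALL record is included to show the parser skipping non-AVC lines.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1176302177.663:28): avc:  denied  { polmatch } for  pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 tclass=association
type=AVC msg=audit(1176302177.663:28): avc:  denied  { sendto } for  pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:system_r:cupsd_t:s15:c0.c1023 tclass=association
type=SYSCALL msg=audit(1176302177.663:28): arch=40000003 syscall=102 success=no exit=-3 a0=3 a1=bfe48050 a2=2baff4 a3=2 items=0 ppid=2128 pid=2129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s15:c0.c1023 key=(null)
"""

# Shape of an AVC record: "type=AVC ... avc:  denied  { perm perm } for  key=value ..."
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(m.group("fields")))
    return rec


def split_context(ctx):
    """'user:role:type:mls' -> (user, role, type, mls); the MLS field may itself contain ':'."""
    user, role, typ, mls = ctx.split(":", 3)
    return user, role, typ, mls


def parse_level(level):
    """'s15:c0.c1023' -> (15, frozenset({0, ..., 1023})); 's0' -> (0, frozenset())."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        if "." in part:  # category range written as cN.cM
            lo, hi = part.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)


def parse_range(mls):
    """'s0-s15:c0.c1023' -> (low, high); a single level is its own low and high."""
    low, _, high = mls.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def level_in_range(level, rng):
    """True when low <= level <= high under MLS dominance."""
    low, high = rng
    return dominates(level, low) and dominates(high, level)


def association_denials(audit_text):
    """Summarise denied 'association' accesses from an audit log.

    For each denial: the permissions, the process name, the source and target types,
    and whether the process's MLS level lies within the target's MLS range. Assumption
    (this example's, not the post's): an in-range polmatch denial is not explained by
    the MLS range constraint, so the type-enforcement rules are the first place to look.
    """
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["verdict"] != "denied" or rec.get("tclass") != "association":
            continue
        _, _, stype, smls = split_context(rec["scontext"])
        _, _, ttype, tmls = split_context(rec["tcontext"])
        out.append({
            "perms": rec["perms"],
            "comm": rec.get("comm"),
            "source_type": stype,
            "target_type": ttype,
            "level_in_target_range": level_in_range(parse_range(smls)[0], parse_range(tmls)),
        })
    return out


if __name__ == "__main__":
    for denial in association_denials(SAMPLE_AUDIT_LOG):
        print(denial)
```

Run against a real `/var/log/audit/audit.log` by reading the file into `association_denials`; records are matched one per line, so wrapped copies like the ones in the post need to be joined first.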
