[redhat-lspp] new ipsec-tools package

Joy Latten latten at austin.ibm.com
Wed Apr 11 20:31:55 UTC 2007


On Wed, 2007-04-11 at 15:08 -0500, Joe Nall wrote:
> I'm not having any luck with this package:
> 
> /var/log/message
> 
> Apr 11 14:56:39 fc6work racoon: ERROR: no configuration found for 127.0.0.1.
> Apr 11 14:56:39 fc6work racoon: ERROR: failed to begin ipsec sa negotication.
> Apr 11 14:57:09 fc6work racoon: INFO: security context doi: 1
> Apr 11 14:57:09 fc6work racoon: INFO: security context algorithm: 1
> Apr 11 14:57:09 fc6work racoon: INFO: security context length: 44
> Apr 11 14:57:09 fc6work racoon: INFO: security context: system_u:system_r:jcdx_ep_t:s0-s15:c0.c1023
> Apr 11 14:57:09 fc6work racoon: ERROR: no configuration found for 127.0.0.1.
> Apr 11 14:57:09 fc6work racoon: ERROR: failed to begin ipsec sa negotication.
> Apr 11 14:57:39 fc6work racoon: INFO: security context doi: 1
> Apr 11 14:57:39 fc6work racoon: INFO: security context algorithm: 1
> Apr 11 14:57:39 fc6work racoon: INFO: security context length: 43

Joe, I think this might be happening because of missing info in
your racoon.conf. Do you have a "remote <ipaddress/anonymous>" statement
in your racoon.conf? Please see the racoon.conf I attached to the bz
235475.

I will also send to the list my config for labeled ipsec over loopback
so others can also start testing on it.

> setkey -DP
> ...
> 127.0.0.1[any] 127.0.0.1[any] any
>          in prio def ipsec
>          esp/transport//require
>          created: Apr 11 09:46:32 2007  lastused:
>          lifetime: 0(s) validtime: 0(s)
>          security context doi: 1
>          security context algorithm: 1
>          security context length: 46
>          security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
>          spid=8 seq=13 pid=3351
>          refcnt=1
> 10.211.55.6[any] 10.211.55.6[any] any
>          in prio def ipsec
>          esp/transport//require
>          created: Apr 11 09:46:32 2007  lastused:
>          lifetime: 0(s) validtime: 0(s)
>          security context doi: 1
>          security context algorithm: 1
>          security context length: 46
>          security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
>          spid=32 seq=12 pid=3351
>          refcnt=1
> 127.0.0.1[any] 127.0.0.1[any] any
>          out prio def ipsec
>          esp/transport//require
>          created: Apr 11 09:46:32 2007  lastused: Apr 11 15:00:11 2007
>          lifetime: 0(s) validtime: 0(s)
>          security context doi: 1
>          security context algorithm: 1
>          security context length: 46
>          security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
>          spid=1 seq=11 pid=3351
>          refcnt=41
> 10.211.55.6[any] 10.211.55.6[any] any
>          out prio def ipsec
>          esp/transport//require
>          created: Apr 11 09:46:32 2007  lastused: Apr 11 14:59:39 2007
>          lifetime: 0(s) validtime: 0(s)
>          security context doi: 1
>          security context algorithm: 1
>          security context length: 46
>          security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
>          spid=25 seq=10 pid=3357
>          refcnt=3
> 127.0.0.1[any] 127.0.0.1[any] any
>          fwd prio def ipsec
>          esp/transport//require
>          created: Apr 11 09:46:32 2007  lastused:
>          lifetime: 0(s) validtime: 0(s)
>          security context doi: 1
>          security context algorithm: 1
>          security context length: 46
>          security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
>          spid=18 seq=9 pid=3357
>          refcnt=1
> 10.211.55.6[any] 10.211.55.6[any] any
>          fwd prio def ipsec
>          esp/transport//require
>          created: Apr 11 09:46:32 2007  lastused:
>          lifetime: 0(s) validtime: 0(s)
>          security context doi: 1
>          security context algorithm: 1
>          security context length: 46
>          security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
>          spid=42 seq=8 pid=3357
>          refcnt=1
> 

ipsec policy looks good.

> /var/log/audit/audit.log has lots of polmatch avcs
> 
> type=AVC msg=audit(1176302177.663:28): avc:  denied  { polmatch } for  pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 tclass=association
> type=AVC msg=audit(1176302177.663:28): avc:  denied  { sendto } for  pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:system_r:cupsd_t:s15:c0.c1023 tclass=association
> type=SYSCALL msg=audit(1176302177.663:28): arch=40000003 syscall=102 success=no exit=-3 a0=3 a1=bfe48050 a2=2baff4 a3=2 items=0 ppid=2128 pid=2129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s15:c0.c1023 key=(null)
> 
Yes, this is a policy issue here. cupsd_t does not have permission to
use ipsec policy containing label, ipsec_spd_t.

In the latest LSPP policy, Dan W. has added ipsec policy such that
everything in "domain" has permission to use default ipsec policy type,
ipsec_spd_t.

I am not absolutely sure, but I THINK Chris P. also made the changes to
general selinux policy. 


Joy
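As an added example (not part of this thread, the ipsec-tools package or the LSPP policy), a small Python triage script for the kind of AVC records Joe quoted: it parses the audit lines, aggregates the denials in the SELinux `association` class (labeled-IPsec SPD/SA matching) by source and target type, and renders the minimal allow rules in the same shape as the domain-to-ipsec_spd_t fix Joy describes. The sample records are constructed from the quoted lines; the helper names are this example's own.

```python
# Triage SELinux AVC denials in the labeled-IPsec 'association' class, as in
# the audit.log lines quoted above. Added example, not from the original mail;
# the sample records below are constructed from the quoted lines.
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1176302177.663:28): avc:  denied  { polmatch } for  pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 tclass=association
type=AVC msg=audit(1176302177.663:28): avc:  denied  { sendto } for  pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:system_r:cupsd_t:s15:c0.c1023 tclass=association
type=SYSCALL msg=audit(1176302177.663:28): arch=40000003 syscall=102 success=no exit=-3 comm="cupsd" exe="/usr/sbin/cupsd"
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)')


def type_of(context):
    """Third colon-separated field of a context, e.g. 'cupsd_t'."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield one dict per AVC record; SYSCALL and other records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()   # "{ polmatch }" -> ["polmatch"]
            yield rec


def association_denials(text):
    """Map (source type, target type) -> denied perms, 'association' class only."""
    agg = defaultdict(set)
    for rec in parse_avcs(text):
        if rec["verdict"] == "denied" and rec["tclass"] == "association":
            agg[(type_of(rec["scontext"]), type_of(rec["tcontext"]))].update(rec["perms"])
    return dict(agg)


def suggested_rules(text):
    """Minimal allow rules clearing the denials (same shape as the LSPP fix)."""
    return [f"allow {src} {tgt}:association {{ {' '.join(sorted(p))} }};"
            for (src, tgt), p in sorted(association_denials(text).items())]
```

The polmatch line is the one that matters for labeled IPsec: it means the sending domain is not allowed to match the SPD entry labeled ipsec_spd_t, which is exactly what the LSPP policy change grants to everything in "domain".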



