[redhat-lspp] new ipsec-tools package
Joy Latten
latten at austin.ibm.com
Wed Apr 11 20:31:55 UTC 2007
On Wed, 2007-04-11 at 15:08 -0500, Joe Nall wrote:
> I'm not having any luck with this package:
>
> /var/log/message
>
> Apr 11 14:56:39 fc6work racoon: ERROR: no configuration found for
> 127.0.0.1.
> Apr 11 14:56:39 fc6work racoon: ERROR: failed to begin ipsec sa
> negotication.
> Apr 11 14:57:09 fc6work racoon: INFO: security context doi: 1
> Apr 11 14:57:09 fc6work racoon: INFO: security context algorithm: 1
> Apr 11 14:57:09 fc6work racoon: INFO: security context length: 44
> Apr 11 14:57:09 fc6work racoon: INFO: security context:
> system_u:system_r:jcdx_ep_t:s0-s15:c0.c1023
> Apr 11 14:57:09 fc6work racoon: ERROR: no configuration found for
> 127.0.0.1.
> Apr 11 14:57:09 fc6work racoon: ERROR: failed to begin ipsec sa
> negotication.
> Apr 11 14:57:39 fc6work racoon: INFO: security context doi: 1
> Apr 11 14:57:39 fc6work racoon: INFO: security context algorithm: 1
> Apr 11 14:57:39 fc6work racoon: INFO: security context length: 43
Joe, I think this might be happening because of missing info in
your racoon.conf. Do you have a "remote <ipaddress/anonymous>" statement
in your racoon.conf. Please see the racoon.conf I attached to the bz
235475.
I will also send to the list my config for labeled ipsec over loopback
so other can also start testing on it.
> setkey -DP
> ...
> 127.0.0.1[any] 127.0.0.1[any] any
> in prio def ipsec
> esp/transport//require
> created: Apr 11 09:46:32 2007 lastused:
> lifetime: 0(s) validtime: 0(s)
> security context doi: 1
> security context algorithm: 1
> security context length: 46
> security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
> spid=8 seq=13 pid=3351
> refcnt=1
> 10.211.55.6[any] 10.211.55.6[any] any
> in prio def ipsec
> esp/transport//require
> created: Apr 11 09:46:32 2007 lastused:
> lifetime: 0(s) validtime: 0(s)
> security context doi: 1
> security context algorithm: 1
> security context length: 46
> security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
> spid=32 seq=12 pid=3351
> refcnt=1
> 127.0.0.1[any] 127.0.0.1[any] any
> out prio def ipsec
> esp/transport//require
> created: Apr 11 09:46:32 2007 lastused: Apr 11 15:00:11 2007
> lifetime: 0(s) validtime: 0(s)
> security context doi: 1
> security context algorithm: 1
> security context length: 46
> security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
> spid=1 seq=11 pid=3351
> refcnt=41
> 10.211.55.6[any] 10.211.55.6[any] any
> out prio def ipsec
> esp/transport//require
> created: Apr 11 09:46:32 2007 lastused: Apr 11 14:59:39 2007
> lifetime: 0(s) validtime: 0(s)
> security context doi: 1
> security context algorithm: 1
> security context length: 46
> security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
> spid=25 seq=10 pid=3357
> refcnt=3
> 127.0.0.1[any] 127.0.0.1[any] any
> fwd prio def ipsec
> esp/transport//require
> created: Apr 11 09:46:32 2007 lastused:
> lifetime: 0(s) validtime: 0(s)
> security context doi: 1
> security context algorithm: 1
> security context length: 46
> security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
> spid=18 seq=9 pid=3357
> refcnt=1
> 10.211.55.6[any] 10.211.55.6[any] any
> fwd prio def ipsec
> esp/transport//require
> created: Apr 11 09:46:32 2007 lastused:
> lifetime: 0(s) validtime: 0(s)
> security context doi: 1
> security context algorithm: 1
> security context length: 46
> security context: system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
> spid=42 seq=8 pid=3357
> refcnt=1
>
ipsec policy looks good.
> /var/log/audit/audit.log has lots of polmatch avcs
>
> type=AVC msg=audit(1176302177.663:28): avc: denied { polmatch }
> for pid=2129 comm="cupsd"
> scontext=system_u:system_r:cupsd_t:s15:c0.c1023
> tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
> tclass=association
> type=AVC msg=audit(1176302177.663:28): avc: denied { sendto } for
> pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023
> tcontext=system_u:system_r:cupsd_t:s15:c0.c1023 tclass=association
> type=SYSCALL msg=audit(1176302177.663:28): arch=40000003 syscall=102
> success=no exit=-3 a0=3 a1=bfe48050 a2=2baff4 a3=2 items=0 ppid=2128
> pid=2129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd"
> subj=system_u:system_r:cupsd_t:s15:c0.c1023 key=(null)
>
Yes, this is a policy issue here. cupsd_t does not have permission to
use ipsec policy containing label, ipsec_spd_t.
In the latest LSPP policy, Dan W. has added ipsec policy such that
everything in "domain" has permission to use default ipsec policy type,
ipsec_spd_t.
I am not absolutely sure, but I THINK Chris P. also made the changes to
general selinux policy.
Joy
More information about the redhat-lspp
mailing list