-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 27 Jun 2006 14:46:29 +0100 Stuart James stuart@secpay.com wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi,
We are using Openswan to connect two of our sites together via an IPSEC tunnel. Recently we upgraded from FC3 to FC5 on our frontend firewalls, including the version of openswan , selinux policy, kernel ,ect. We used to run in enforcing mode without any difficulties, it now seems that with Enforcing mode on Openswan does not seem to be able to add the route.
Using setenforce 0 , the tunnel becomes active. As far as i can tell Openswan has difficulty adding the route to the Right/Left nexthop, although the status of the tunnel appears to be up, the routing does not appear to take place.
#audit2allow -a -t /var/log/audit/audit.log allow ifconfig_t self:netlink_xfrm_socket create; allow ifconfig_t initrc_t:unix_stream_socket { read write };
I've followed this up in more detail, adding to /usr/src/redhat/SOURCES/serefpolicy-2.2.43/policy/modules/system/sysnetwork.te
# IPsec allow ifconfig_t self:netlink_xfrm_socket create; allow ifconfig_t initrc_t:unix_stream_socket { read write }; allow ifconfig_t self:netlink_xfrm_socket setopt; allow ifconfig_t initrc_t:udp_socket { read write }; allow ifconfig_t self:netlink_xfrm_socket { bind setopt }; allow ifconfig_t self:netlink_xfrm_socket bind; allow ifconfig_t self:netlink_xfrm_socket read; allow ifconfig_t self:netlink_xfrm_socket { bind getattr }; allow ifconfig_t self:netlink_xfrm_socket { bind getattr write }; allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };
These rules seem to work now.
# IPSEC (openswan-2.4.x)
allow traceroute_t initrc_t:rawip_socket { read write }; allow traceroute_t initrc_t:udp_socket { read write }; allow traceroute_t user_home_dir_t:dir search;
allow ifconfig_t self:netlink_xfrm_socket create; allow ifconfig_t initrc_t:unix_stream_socket { read write }; allow ifconfig_t self:netlink_xfrm_socket setopt; allow ifconfig_t initrc_t:udp_socket { read write }; allow ifconfig_t self:netlink_xfrm_socket { bind setopt }; allow ifconfig_t self:netlink_xfrm_socket bind; allow ifconfig_t self:netlink_xfrm_socket read; allow ifconfig_t self:netlink_xfrm_socket { bind getattr }; allow ifconfig_t self:netlink_xfrm_socket { bind getattr write }; allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write }; allow ifconfig_t self:netlink_xfrm_socket { nlmsg_write read }; allow ifconfig_t unconfined_t:udp_socket { read write }; allow unlabeled_t self:association sendto; allow unlabeled_t self:association recvfrom;
Regards,
- -- Stuart James System Administrator DDI - (44) 0 1765 643354