Hello

I configured Labeled IPSec on CentOS 7 using Libreswan and I found such denied:

type=AVC msg=audit(1491053758.389:1366): avc: denied { polmatch } for pid=0 comm="swapper/0" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s0 tclass=association

My config file on both hosts is:

# cat /etc/ipsec.conf

version 2

config setup

protostack=netkey

conn ipsec_selinux_tunnel

...

labeled_ipsec=yes

policy_label=system_u:object_r:ipsec_spd_t:s0

It's looks like process swapper is missing labeled?

I must add this rule to my own module:

allow unlabeled_t ipsec_spd_t:association { polmatch };

This is not a bug?