-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 27 Jun 2006 12:48:22 +0100 Stuart James stuart@secpay.com wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Mon, 26 Jun 2006 09:22:26 +0100 Stuart James stuart@secpay.com wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi,
We are using Openswan to connect two of our sites together via an IPSEC tunnel. Recently we upgraded from FC3 to FC5 on our frontend firewalls, including the version of openswan , selinux policy, kernel ,ect. We used to run in enforcing mode without any difficulties, it now seems that with Enforcing mode on Openswan does not seem to be able to add the route.
Using setenforce 0 , the tunnel becomes active. As far as i can tell Openswan has difficulty adding the route to the Right/Left nexthop, although the status of the tunnel appears to be up, the routing does not appear to take place.
#audit2allow -a -t /var/log/audit/audit.log allow ifconfig_t self:netlink_xfrm_socket create; allow ifconfig_t initrc_t:unix_stream_socket { read write };
I've followed this up in more detail, adding to /usr/src/redhat/SOURCES/serefpolicy-2.2.43/policy/modules/system/sysnetwork.te
# IPsec allow ifconfig_t self:netlink_xfrm_socket create; allow ifconfig_t initrc_t:unix_stream_socket { read write }; allow ifconfig_t self:netlink_xfrm_socket setopt; allow ifconfig_t initrc_t:udp_socket { read write }; allow ifconfig_t self:netlink_xfrm_socket { bind setopt }; allow ifconfig_t self:netlink_xfrm_socket bind; allow ifconfig_t self:netlink_xfrm_socket read; allow ifconfig_t self:netlink_xfrm_socket { bind getattr }; allow ifconfig_t self:netlink_xfrm_socket { bind getattr write }; allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };
These rules seem to work now.
# IPsec allow ifconfig_t self:netlink_xfrm_socket create; allow ifconfig_t initrc_t:unix_stream_socket { read write }; allow ifconfig_t self:netlink_xfrm_socket setopt; allow ifconfig_t initrc_t:udp_socket { read write }; allow ifconfig_t self:netlink_xfrm_socket { bind setopt }; allow ifconfig_t self:netlink_xfrm_socket bind; allow ifconfig_t self:netlink_xfrm_socket read; allow ifconfig_t self:netlink_xfrm_socket { bind getattr }; allow ifconfig_t self:netlink_xfrm_socket { bind getattr write }; allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write }; allow ifconfig_t self:netlink_xfrm_socket { nlmsg_write read }; allow ifconfig_t unconfined_t:udp_socket { read write }; allow unlabeled_t self:association sendto; allow unlabeled_t self:association recvfrom;
As every time i added this, and recompiled the source for the targeted policy, i got new errors in the audit.log. Although i have added
allow ifconfig_t self:netlink_xfrm_socket read;
I still get it in my audit.log
When ipsec restarts
Shutting down IPsec: Stopping Openswan IPsec... Cannot talk to rtnetlink: Invalid argument Cannot talk to rtnetlink: Invalid argument [ OK ] Starting IPsec: Starting Openswan IPsec 2.4.4... insmod /lib/modules/2.6.16-1.2122_FC5/kernel/net/key/af_key.ko insmod /lib/modules/2.6.16-1.2122_FC5/kernel/net/ipv4/xfrm4_tunnel.ko Cannot talk to rtnetlink: Invalid argument
- -- Stuart James System Administrator DDI - (44) 0 1765 643354