On Tue, 2017-04-04 at 17:09 +0000, Grzegorz KuczyĆski wrote:
> [root@CnetOS7 ~]# ip xfrm state
> src 10.5.5.18 dst 10.5.5.10
>     proto esp spi 0xedbce21c reqid 16389 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(sha1) 0x4f8cdee1b453dacf606fcf630d9c5b328b952404 96
>     enc cbc(aes) 0x442da48e8178c4971275b9d889747536
> src 10.5.5.10 dst 10.5.5.18
>     proto esp spi 0x921bce56 reqid 16389 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(sha1) 0x7050af8d2c7c151db1ded71d5a4468eaafdc8a29 96
>     enc cbc(aes) 0x8686ccf1127bb881fa382fe17f790d69
> src 10.5.5.10 dst 10.5.5.18
>     proto esp spi 0xe6ca8cc5 reqid 16389 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(sha1) 0x3aef0708d244ede7793e328b1937d0b70d425fb7 96
>     enc cbc(aes) 0xa4cc55f6a88307b8f354fc3e8d576276
> src 10.5.5.18 dst 10.5.5.10
>     proto esp spi 0x5acea75b reqid 16389 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(sha1) 0x731268575b53cfbd9cac20e988cfc5557d381036 96
>     enc cbc(aes) 0x1defeab6aa6ac729f3082f6b70053918
Hmm...no security contexts? That would explain why you are getting
unlabeled_t. But I guess the question is why is pluto creating SAs
without any security contexts. Seems like a bug there, but I am not
sure.
> This unlabeled flow can be initiated from my own domain for a simple
> TCP server and client that communicate via this tunnel?
>
> What do you mean by "sample configuration" in the second paragraph?
git clone https://github.com/SELinuxProject/selinux-testsuite
cd selinux-testsuite
cat selinux-testsuite/inet_socket/ipsec-load
That however is a manual configuration; doesn't use libreswan. Might
be interesting though to confirm that the test works for you. You'll
notice that if you run the ipsec-load script by hand and then run ip
xfrm state, you'll see security contexts configured there.
Another reference is the SELinux Notebook,
http://freecomputerbooks.com/The-SELinux-Notebook-The-Foundations.html
There is both the book itself and a source tarball with sample
configurations.
tar xzf notebook-source-4.0.tar.gz
cd notebook-source
cat basic-selinux-policy/CIL/message-filter/ipsec.conf
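As an added example (not code from this thread, from libreswan, or from the selinux-testsuite), the following script parses the text that `ip xfrm state` prints and flags every SA that has no `security context` line, which is exactly the condition seen in the output above and the reason traffic ends up as unlabeled_t. The SA boundaries, attribute lines and the `security context <ctx>` line follow the iproute2 output format; the sample input, its keys and the `system_u:object_r:ipsec_spd_t:s0` context are constructed for the example and are assumptions, not values from the thread.

```python
"""Audit `ip xfrm state` output for IPsec SAs lacking an SELinux label.

Each SA starts with an unindented "src A dst B" line; its attributes follow
on indented lines.  A labeled SA (as configured by a labeled-IPsec setup)
carries a "security context <ctx>" line; an unlabeled SA does not.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)\s*$")
SA_PROTO = re.compile(r"^\s*proto (\S+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\S+)")
SA_SEC_CTX = re.compile(r"^\s*security context (\S+)")


@dataclass
class XfrmSA:
    src: str
    dst: str
    proto: str = ""
    spi: str = ""
    reqid: int = 0
    mode: str = ""
    sec_ctx: Optional[str] = None  # None means the SA carries no label


def parse_xfrm_state(text: str) -> List[XfrmSA]:
    """Turn `ip xfrm state` text into a list of XfrmSA records."""
    sas: List[XfrmSA] = []
    cur: Optional[XfrmSA] = None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:  # a new SA begins; everything indented below belongs to it
            cur = XfrmSA(src=m.group(1), dst=m.group(2))
            sas.append(cur)
            continue
        if cur is None:  # shell prompt or other text before the first SA
            continue
        m = SA_PROTO.match(line)
        if m:
            cur.proto, cur.spi = m.group(1), m.group(2)
            cur.reqid, cur.mode = int(m.group(3)), m.group(4)
            continue
        m = SA_SEC_CTX.match(line)
        if m:
            cur.sec_ctx = m.group(1)
    return sas


def unlabeled_sas(sas: List[XfrmSA]) -> List[XfrmSA]:
    """SAs without a security context: traffic over them is unlabeled."""
    return [sa for sa in sas if sa.sec_ctx is None]


def report(text: str) -> str:
    """One line per SA, marking which ones are missing a label."""
    lines = []
    for sa in parse_xfrm_state(text):
        label = sa.sec_ctx if sa.sec_ctx else "MISSING (unlabeled)"
        lines.append(f"{sa.src} -> {sa.dst} {sa.proto} spi {sa.spi} "
                     f"mode {sa.mode} ctx {label}")
    return "\n".join(lines)


# Constructed sample: one unlabeled SA (the shape seen in the thread) and
# one labeled SA; keys and context are placeholders, not real values.
SAMPLE = """\
[root@host ~]# ip xfrm state
src 10.5.5.18 dst 10.5.5.10
\tproto esp spi 0xedbce21c reqid 16389 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x0123456789abcdef0123456789abcdef01234567 96
\tenc cbc(aes) 0x0123456789abcdef0123456789abcdef
src 192.0.2.1 dst 192.0.2.2
\tproto esp spi 0x00000100 reqid 1 mode transport
\treplay-window 0
\tauth-trunc hmac(sha1) 0x0123456789abcdef0123456789abcdef01234567 96
\tenc cbc(aes) 0x0123456789abcdef0123456789abcdef
\tsel src 192.0.2.1/32 dst 192.0.2.2/32
\tsecurity context system_u:object_r:ipsec_spd_t:s0
"""


if __name__ == "__main__":
    try:  # on a live host, read the kernel's SAs (needs root)
        text = subprocess.run(["ip", "xfrm", "state"], check=True,
                              capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE  # fall back to the constructed sample offline
    print(report(text))
    bad = unlabeled_sas(parse_xfrm_state(text))
    print(f"{len(bad)} SA(s) without a security context")
```

Run as root on the host after loading the SAs (by hand with the testsuite's ipsec-load script or through pluto) to confirm whether the labels the policy expects were actually attached; a non-zero count means the labeled-IPsec policy will never match and peers will see unlabeled_t, so the fix belongs in the SA installation, not in the SELinux policy.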