Re: ipsec module and Libreswan on CentOS 7 denied

OK, I run ipsec-load by hand and I have: x4: RTNETLINK answers: Invalid argument from this rule: ip xfrm policy ... ctx "system_u:object_r:test_spd_t:s0" ... ip xfrm state show nothing... log: type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1 type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1 type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001 type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001 type=SYSCALL msg=audit(1491409613.572:207): arch=c000003e syscall=46 success=yes exit=16 a0=4 a1=7ffc059dea50 a2=0 a3=7ffc059de790 items=0 ppid=2966 pid=2967 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) So I change test_spd_t to ipsec_spd_t and now ip cmd is ok: ip xfrm policy ... ctx "system_u:object_r:ipsec_spd_t:s0" ... but ... ip xfrm state show nothing... log: type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1 type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1 type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001 type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001 type=SYSCALL msg=audit(1491409549.370:202): arch=c000003e syscall=46 success=yes exit=16 a0=4 a1=7ffff54a6ad0 a2=0 a3=7ffff54a6810 items=0 ppid=2947 pid=2948 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=MAC_IPSEC_EVENT msg=audit(1491409549.377:203): op=SPD-add auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1 type=SYSCALL msg=audit(1491409549.377:203): arch=c000003e syscall=46 success=yes exit=300 a0=4 a1=7ffeca3ab0e0 a2=0 a3=7ffeca3aae20 items=0 ppid=2947 pid=2958 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=MAC_IPSEC_EVENT msg=audit(1491409549.379:204): op=SPD-add auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1 type=SYSCALL msg=audit(1491409549.379:204): arch=c000003e syscall=46 success=yes exit=300 a0=4 a1=7ffca5a8e4e0 a2=0 a3=7ffca5a8e220 items=0 ppid=2947 pid=2959 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=MAC_IPSEC_EVENT msg=audit(1491409549.383:205): op=SPD-add auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001 type=SYSCALL msg=audit(1491409549.383:205): arch=c000003e syscall=46 success=yes exit=300 a0=4 a1=7ffdb6e72080 a2=0 a3=7ffdb6e71dc0 items=0 ppid=2947 pid=2962 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=MAC_IPSEC_EVENT msg=audit(1491409549.385:206): op=SPD-add auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001 type=SYSCALL msg=audit(1491409549.385:206): arch=c000003e syscall=46 success=yes exit=300 a0=4 a1=7ffc76f2f3f0 a2=0 a3=7ffc76f2f130 items=0 ppid=2947 pid=2963 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) So I understand Labeling IPSec work but not with libreswan?