OK, I ran ipsec-load by hand and I get:
x4:
RTNETLINK answers: Invalid argument
from this rule:
ip xfrm policy ... ctx "system_u:object_r:test_spd_t:s0" ...
ip xfrm state
shows nothing...
log:
type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001
dst=0000:0000:0000:0000:0000:0000:0000:0001
type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001
dst=0000:0000:0000:0000:0000:0000:0000:0001
type=SYSCALL msg=audit(1491409613.572:207): arch=c000003e syscall=46 success=yes exit=16
a0=4 a1=7ffc059dea50 a2=0 a3=7ffc059de790 items=0 ppid=2966 pid=2967 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip"
exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
So I changed test_spd_t to ipsec_spd_t and now the ip command is OK:
ip xfrm policy ... ctx "system_u:object_r:ipsec_spd_t:s0" ...
but ...
ip xfrm state
shows nothing...
log:
type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001
dst=0000:0000:0000:0000:0000:0000:0000:0001
type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001
dst=0000:0000:0000:0000:0000:0000:0000:0001
type=SYSCALL msg=audit(1491409549.370:202): arch=c000003e syscall=46 success=yes exit=16
a0=4 a1=7ffff54a6ad0 a2=0 a3=7ffff54a6810 items=0 ppid=2947 pid=2948 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip"
exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
type=MAC_IPSEC_EVENT msg=audit(1491409549.377:203): op=SPD-add auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=SYSCALL msg=audit(1491409549.377:203): arch=c000003e syscall=46 success=yes exit=300
a0=4 a1=7ffeca3ab0e0 a2=0 a3=7ffeca3aae20 items=0 ppid=2947 pid=2958 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip"
exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
type=MAC_IPSEC_EVENT msg=audit(1491409549.379:204): op=SPD-add auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=SYSCALL msg=audit(1491409549.379:204): arch=c000003e syscall=46 success=yes exit=300
a0=4 a1=7ffca5a8e4e0 a2=0 a3=7ffca5a8e220 items=0 ppid=2947 pid=2959 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip"
exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
type=MAC_IPSEC_EVENT msg=audit(1491409549.383:205): op=SPD-add auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001
dst=0000:0000:0000:0000:0000:0000:0000:0001
type=SYSCALL msg=audit(1491409549.383:205): arch=c000003e syscall=46 success=yes exit=300
a0=4 a1=7ffdb6e72080 a2=0 a3=7ffdb6e71dc0 items=0 ppid=2947 pid=2962 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip"
exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
type=MAC_IPSEC_EVENT msg=audit(1491409549.385:206): op=SPD-add auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001
dst=0000:0000:0000:0000:0000:0000:0000:0001
type=SYSCALL msg=audit(1491409549.385:206): arch=c000003e syscall=46 success=yes exit=300
a0=4 a1=7ffc76f2f3f0 a2=0 a3=7ffc76f2f130 items=0 ppid=2947 pid=2963 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip"
exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
So I understand labeled IPsec works, but not with libreswan?
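An added example (not code from the post or from libreswan): a small parser for the MAC_IPSEC_EVENT/SYSCALL records quoted above, which groups the records by audit serial, reports which policy contexts the kernel actually accepted (res=1 on the LSM side and success=yes on the syscall), and checks whether any SA change was audited at all. The sample input is copied from events 202 and 205 of the log in the post; the mailing list wrapped each record over several lines, so the parser re-joins them. The SAD-add/SAD-delete op names used for the SA check are the kernel's xfrm audit names for state changes, which is the assumption behind has_sa_changes().

```python
import re
from collections import defaultdict

# Sample records copied from the audit log quoted in the post above (events
# 202 and 205). A real audit.log keeps one record per line; the mail client
# wrapped these, so join_wrapped() rebuilds one line per record.
SAMPLE_LOG = """\
type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=SYSCALL msg=audit(1491409549.370:202): arch=c000003e syscall=46 success=yes exit=16
a0=4 a1=7ffff54a6ad0 a2=0 a3=7ffff54a6810 items=0 ppid=2947 pid=2948 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip"
exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
type=MAC_IPSEC_EVENT msg=audit(1491409549.383:205): op=SPD-add auid=0 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1
sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001
dst=0000:0000:0000:0000:0000:0000:0000:0001
type=SYSCALL msg=audit(1491409549.383:205): arch=c000003e syscall=46 success=yes exit=300
a0=4 a1=7ffdb6e72080 a2=0 a3=7ffdb6e71dc0 items=0 ppid=2947 pid=2962 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip"
exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def join_wrapped(text):
    """Re-join mail-wrapped records: a line not starting with 'type='
    is a continuation of the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_record(line):
    """Split one audit record into type, event serial and key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def group_events(text):
    """Group records by serial: the MAC_IPSEC_EVENT and the SYSCALL record
    that triggered it share one serial."""
    events = defaultdict(list)
    for line in join_wrapped(text):
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def xfrm_changes(text):
    """One summary per MAC_IPSEC_EVENT: what changed, under which label,
    and whether the LSM hook (res=1) and the syscall (success=yes) both agreed."""
    out = []
    for serial, recs in sorted(group_events(text).items()):
        syscall = next((r["fields"] for r in recs if r["type"] == "SYSCALL"), {})
        for r in recs:
            if r["type"] != "MAC_IPSEC_EVENT":
                continue
            f = r["fields"]
            out.append({
                "serial": serial,
                "op": f.get("op"),
                "sec_obj": f.get("sec_obj"),
                "src": f.get("src"),
                "dst": f.get("dst"),
                "ok": f.get("res") == "1" and syscall.get("success") == "yes",
                "exe": syscall.get("exe"),
            })
    return out


def installed_policy_contexts(text):
    """SELinux contexts of policies whose SPD-add the kernel accepted."""
    return {c["sec_obj"] for c in xfrm_changes(text)
            if c["op"] == "SPD-add" and c["ok"]}


def has_sa_changes(text):
    """True if any SA change (SAD-add/SAD-delete) was audited. Policies alone
    (SPD-* ops) leave 'ip xfrm state' empty: the SAs come from IKE."""
    return any(c["op"] and c["op"].startswith("SAD-") for c in xfrm_changes(text))


if __name__ == "__main__":
    for change in xfrm_changes(SAMPLE_LOG):
        print(change)
    print("accepted policy contexts:", installed_policy_contexts(SAMPLE_LOG))
    print("any SA changes audited:", has_sa_changes(SAMPLE_LOG))
```

Run against the quoted log it reports that ipsec_spd_t policies were accepted for both 127.0.0.1 and ::1, and that no SAD-* record exists, which matches an empty "ip xfrm state": ip xfrm policy only installs SPD entries, so the states still have to be negotiated by the IKE daemon.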