Hello again :) This time it works, and this is what I did:
I added this option to ipsec.conf: secctx-attr-type=32001
This is my config:

[root@CnetOS7 netserver]# cat /etc/ipsec.conf
version 2

config setup
    protostack=netkey
    secctx-attr-type=32001

conn ipsec_selinux_tunnel
    leftid=@west
    left=10.5.5.18
    leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...] W2n417C/4urYHQkCvuIQ==
    rightid=@east
    right=10.5.5.10
    rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
    authby=rsasig
    auto=start
    labeled_ipsec=yes
    policy_label=system_u:object_r:ipsec_spd_t:s0
In my own domain I commented out the unlabeled_t allow rule, netserver.te:

    ...
    allow netserver_t ipsec_t:association { polmatch };
    allow ipsec_t netserver_t:association { setcontext };
    allow ipsec_t ipsec_spd_t:association { setcontext };
    #allow unlabeled_t ipsec_spd_t:association { polmatch };

I started my server and client and got some denials, so I added to my server domain:

    allow netserver_t netif_t:netif { ingress egress };
    allow netserver_t node_t:node { sendto recvfrom };

and to the client domain:

    allow netclient_t netif_t:netif { ingress egress };
    allow netclient_t node_t:node { sendto recvfrom };
    allow netclient_t netserver_t:peer { recv };
    allow netserver_t netclient_t:peer { recv };
Now it works properly:

[root@CnetOS7 netserver]# netserver -Z
Listening...
Connected with 10.5.5.10:44998
Client SELinux context: unconfined_u:unconfined_r:netclient_t:s0-s0:c0.c1023
Retrive: quit

[root@CnetOS7 netserver]# ip xfrm state
src 10.5.5.10 dst 10.5.5.18
    proto esp spi 0x436be694 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x4c7d6ff6a191951fc69d9c3def070db3e0d59ae5 96
    enc cbc(aes) 0x3c624b14b79e6f2dd632d26d36d90ff7
    security context unconfined_u:unconfined_r:netserver_t:s0-s0:c0.c1023
src 10.5.5.18 dst 10.5.5.10
    proto esp spi 0x3ad8e7fa reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x91a06a54d2fd1899229129489bd1d766b8f00990 96
    enc cbc(aes) 0x77a17777f44378970ffa25cdd2a8bd34
    security context unconfined_u:unconfined_r:netserver_t:s0-s0:c0.c1023
src 10.5.5.18 dst 10.5.5.10
    proto esp spi 0x814b2bb1 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x6b72091e994d5790690f8169889e2188b2cbc933 96
    enc cbc(aes) 0x5e9d4f9128c995edbf7e46aca6f92950
    security context unconfined_u:unconfined_r:netclient_t:s0-s0:c0.c1023
src 10.5.5.10 dst 10.5.5.18
    proto esp spi 0xfde27f2f reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xdfa421e570976742d24028a00f391857beac5683 96
    enc cbc(aes) 0x9c72f2a72726154130f1c8922e0b173e
    security context unconfined_u:unconfined_r:netclient_t:s0-s0:c0.c1023
src 10.5.5.10 dst 10.5.5.18
    proto esp spi 0x9b25639b reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x6adc49b7978217d1a5656b3462f916ef051e43b6 96
    enc cbc(aes) 0x4c248f4bc47199b3637b32226d9e7377
src 10.5.5.18 dst 10.5.5.10
    proto esp spi 0xc17086fa reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x726602fb3a003b0296bd3c59d0c0631ae8b69619 96
    enc cbc(aes) 0x167ce87116d07c4d3436c1631fb6efa4
src 10.5.5.10 dst 10.5.5.18
    proto esp spi 0xc7ceed20 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x5debc146502f9d8322f79130a695a863a5191edd 96
    enc cbc(aes) 0xc66cf0910346412f78aaab9770c98a7d
src 10.5.5.18 dst 10.5.5.10
    proto esp spi 0x6b36950c reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xe138e77d26e05ffdbfdad7241f505645917a8574 96
    enc cbc(aes) 0x874ed487c96261c692672d48e02129f3
So was the reason this did not work earlier the missing option in ipsec.conf? Or is it still a bug? Thanks for the help.
2017-04-06 17:53 GMT+02:00 Richard Haines richard_c_haines@btinternet.com:
On Tue, 2017-04-04 at 18:43 -0400, Paul Wouters wrote:
On 04/04/2017 05:14 PM, Paul Moore wrote:
On Tue, Apr 4, 2017 at 1:43 PM, Stephen Smalley sds@tycho.nsa.gov wrote:
On Tue, 2017-04-04 at 17:09 +0000, Grzegorz Kuczyński wrote:
[root@CnetOS7 ~]# ip xfrm state
src 10.5.5.18 dst 10.5.5.10
    proto esp spi 0xedbce21c reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x4f8cdee1b453dacf606fcf630d9c5b328b952404 96
    enc cbc(aes) 0x442da48e8178c4971275b9d889747536
src 10.5.5.10 dst 10.5.5.18
    proto esp spi 0x921bce56 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x7050af8d2c7c151db1ded71d5a4468eaafdc8a29 96
    enc cbc(aes) 0x8686ccf1127bb881fa382fe17f790d69
src 10.5.5.10 dst 10.5.5.18
    proto esp spi 0xe6ca8cc5 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x3aef0708d244ede7793e328b1937d0b70d425fb7 96
    enc cbc(aes) 0xa4cc55f6a88307b8f354fc3e8d576276
src 10.5.5.18 dst 10.5.5.10
    proto esp spi 0x5acea75b reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x731268575b53cfbd9cac20e988cfc5557d381036 96
    enc cbc(aes) 0x1defeab6aa6ac729f3082f6b70053918
Hmm...no security contexts? That would explain why you are getting unlabeled_t. But I guess the question is why is pluto creating SAs without any security contexts. Seems like a bug there, but I am not sure.
What is the configuration? Was labeled-ipsec=yes and policy-label= set? If dealing with RHEL6 or older, it also needs to have secctx-attr-type=10. If not, no security context is set.
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org/thread/AXJWXBVF4ZCSPKQ42MWX5LRTD5PGRS7O
Note the references in the documentation to loopback should be removed. It was broken and removed.
Was IKEv1 used? IKEv2 does not support security labels so set ikev2=never
Log files should indicate if any security label was negotiated.
Is this system using MLS?
Paul
Out of idle curiosity I thought I would test this. I set up two machines and finally got this to work. I did have the same problem as yourself:

    allow unlabeled_t ipsec_spd_t:association polmatch;
However I did the following to fix this (on both machines running Fedora 25 targeted policy):
    iptables -I INPUT 1 -p esp -j ACCEPT
Added the following module:
    module local 1.0;

    require {
        type unconfined_t;
        type ipsec_spd_t;
        type ipsec_t;
        class association setcontext;
    }

    #============= ipsec_t ==============
    allow ipsec_t ipsec_spd_t:association setcontext;
    # Required because I just run as a basic user. Not sure what you need
    allow ipsec_t unconfined_t:association setcontext;
One side ipsec.conf file contents:
    version 2.0

    config setup
        plutorestartoncrash=false
        protostack=netkey
        plutodebug="all"
        # Note: works with either 10 or 32001, however must
        # be same on both machines.
        secctx-attr-type=32001

    conn labeled_test
        auto=start
        rekey=no
        authby=secret
        type=transport
        left=192.168.1.77
        right=192.168.1.64
        ike=3des-sha1
        phase2=esp
        phase2alg=aes-sha1
        labeled-ipsec=yes
        policy-label=system_u:object_r:ipsec_spd_t:s0
        leftprotoport=tcp
        rightprotoport=tcp
I could see the correct peer context using getpeercon(3) on my test client/server:

    Server Peer Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    Client Peer Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Hope you get yours to work now (or you may have it working already ??)
Richard
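The diagnostic Stephen applied above (SAs listed by `ip xfrm state` with no "security context" line explain why packets are checked as unlabeled_t) can be automated. The script below is an added example, not code from anyone in this thread: it parses the iproute2 output layout shown above into one record per SA and flags the ones that carry no context. The embedded sample is built from four of the SAs in the output above (two labeled, two unlabeled) and is included only so the example runs offline; on a real host pipe the live output in with `ip xfrm state | python3 xfrm_label_check.py`.

```python
"""Flag IPsec Security Associations that carry no SELinux security context.

Added example for this thread (not libreswan or kernel code). A labeled-IPsec
SA shows a trailing "security context <label>" line in `ip xfrm state`; an SA
without one means the kernel has no label for traffic on it, and SELinux then
checks that traffic as unlabeled_t, which is the denial seen earlier in the
thread.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Sample taken from the `ip xfrm state` output posted above, trimmed to four
# SAs. Tabs in the real output are shown here as spaces; the parser accepts both.
SAMPLE_XFRM_STATE = """\
src 10.5.5.10 dst 10.5.5.18
    proto esp spi 0x436be694 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x4c7d6ff6a191951fc69d9c3def070db3e0d59ae5 96
    enc cbc(aes) 0x3c624b14b79e6f2dd632d26d36d90ff7
    security context unconfined_u:unconfined_r:netserver_t:s0-s0:c0.c1023
src 10.5.5.18 dst 10.5.5.10
    proto esp spi 0x3ad8e7fa reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x91a06a54d2fd1899229129489bd1d766b8f00990 96
    enc cbc(aes) 0x77a17777f44378970ffa25cdd2a8bd34
    security context unconfined_u:unconfined_r:netserver_t:s0-s0:c0.c1023
src 10.5.5.10 dst 10.5.5.18
    proto esp spi 0x9b25639b reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x6adc49b7978217d1a5656b3462f916ef051e43b6 96
    enc cbc(aes) 0x4c248f4bc47199b3637b32226d9e7377
src 10.5.5.18 dst 10.5.5.10
    proto esp spi 0xc17086fa reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x726602fb3a003b0296bd3c59d0c0631ae8b69619 96
    enc cbc(aes) 0x167ce87116d07c4d3436c1631fb6efa4
"""

_SRC_DST = re.compile(r"^src (\S+) dst (\S+)")          # record header, not indented
_PROTO = re.compile(r"^\s*proto (\S+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\S+)")
_CTX = re.compile(r"^\s*security context (\S+)")


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    proto: str = ""
    spi: str = ""
    reqid: int = 0
    mode: str = ""
    context: Optional[str] = None   # None when the SA is unlabeled

    @property
    def selinux_type(self) -> Optional[str]:
        """Third field of user:role:type[:range], e.g. netserver_t."""
        if self.context is None:
            return None
        parts = self.context.split(":")
        return parts[2] if len(parts) >= 3 else None


def parse_xfrm_state(text: str) -> List[SecurityAssociation]:
    """Split `ip xfrm state` output into SA records; a new record starts at each 'src' line."""
    sas: List[SecurityAssociation] = []
    cur: Optional[SecurityAssociation] = None
    for line in text.splitlines():
        m = _SRC_DST.match(line)
        if m:
            cur = SecurityAssociation(src=m.group(1), dst=m.group(2))
            sas.append(cur)
            continue
        if cur is None:
            continue                      # ignore anything before the first SA
        m = _PROTO.match(line)
        if m:
            cur.proto, cur.spi, cur.reqid, cur.mode = m.group(1), m.group(2), int(m.group(3)), m.group(4)
            continue
        m = _CTX.match(line)
        if m:
            cur.context = m.group(1)
    return sas


def unlabeled(sas: List[SecurityAssociation]) -> List[SecurityAssociation]:
    """SAs with no security context: traffic on them is checked as unlabeled_t."""
    return [sa for sa in sas if sa.context is None]


def report(sas: List[SecurityAssociation]) -> List[str]:
    """One human-readable line per SA, marking unlabeled ones."""
    lines = []
    for sa in sas:
        label = sa.context if sa.context else "(no security context: checked as unlabeled_t)"
        lines.append(f"{sa.src} -> {sa.dst} {sa.proto} spi {sa.spi} reqid {sa.reqid}: {label}")
    return lines


def main() -> int:
    text = SAMPLE_XFRM_STATE if sys.stdin.isatty() else sys.stdin.read()
    sas = parse_xfrm_state(text)
    for line in report(sas):
        print(line)
    missing = unlabeled(sas)
    if missing:
        print(f"{len(missing)} of {len(sas)} SAs carry no security context")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit means at least one SA was negotiated without a label, which points at the IKE side (labeled-ipsec/policy-label/secctx-attr-type not agreed on both peers, as Paul lists above) rather than at local SELinux policy.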
On Thu, 2017-04-06 at 20:28 +0200, Grzegorz Kuczyński wrote:
So was the reason this did not work earlier the missing option in ipsec.conf? Or is it still a bug?
Not a bug in pluto. Possibly a bug in selinux policy that it lacked at least the allow rule for ipsec_t ipsec_spd_t:association setcontext;, but the other allow rules are necessarily local since you defined those domains.
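Both Richard (getpeercon(3)) and Grzegorz (netserver -Z printing "Client SELinux context") verify the result from the application side. The block below is an added example, not the thread's netserver/netclient code: it reads the peer label the same way libselinux's getpeercon() does, via getsockopt(SO_PEERSEC), and shows how a server can refuse a peer whose SELinux type is not the expected one (netclient_t here). The SO_PEERSEC fallback value 31 is the asm-generic Linux constant and is an assumption for architectures where Python's socket module does not export it; on a kernel without an LSM that labels sockets, getsockopt fails and the function returns None, so the example also runs where labeled IPsec is not configured.

```python
"""Read and check the SELinux peer context of a connected socket.

Added example for this thread. getpeercon(3) in libselinux is implemented
with getsockopt(SO_PEERSEC); with labeled IPsec the kernel derives that label
from the SA's security context, so a server gets the client's context rather
than unlabeled_t. The parsing and policy helpers are pure functions.
"""
import errno
import socket
from typing import Iterable, NamedTuple, Optional

# Python exports SO_PEERSEC on recent Linux builds; 31 is the asm-generic value
# (assumption: other architectures such as mips/sparc use different numbers).
SO_PEERSEC = getattr(socket, "SO_PEERSEC", 31)


class Context(NamedTuple):
    user: str
    role: str
    type: str
    range: str   # MLS/MCS range; empty on policies without one


def parse_context(ctx: str) -> Context:
    """Split user:role:type[:range]. maxsplit=3 keeps a range like s0-s0:c0.c1023 intact."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    user, role, type_ = parts[:3]
    return Context(user, role, type_, parts[3] if len(parts) == 4 else "")


def peer_context(sock: socket.socket) -> Optional[str]:
    """Peer security label, or None if the kernel cannot provide one."""
    for buflen in (256, 4096):            # retry once if the label is unusually long
        try:
            raw = sock.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, buflen)
        except OSError as e:
            if e.errno == errno.ERANGE:
                continue
            if e.errno in (errno.ENOPROTOOPT, errno.EOPNOTSUPP, errno.EINVAL):
                return None               # no LSM socket labelling available
            raise
        return raw.rstrip(b"\0").decode("utf-8", "replace") or None
    return None


def peer_allowed(ctx: Optional[str], allowed_types: Iterable[str]) -> bool:
    """Application-level check: accept only peers of an expected SELinux type.

    Missing or non-SELinux labels (e.g. an AppArmor profile name) are rejected,
    so a peer that arrived as unlabeled_t never passes.
    """
    if ctx is None:
        return False
    try:
        return parse_context(ctx).type in set(allowed_types)
    except ValueError:
        return False


def demo_socketpair_context() -> Optional[str]:
    """Read our own process label through a socketpair; returns None without SELinux."""
    a, b = socket.socketpair()
    try:
        return peer_context(a)
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    ctx = demo_socketpair_context()
    print("peer context:", ctx)
    print("accepted as netclient_t:", peer_allowed(ctx, {"netclient_t"}))
```

In a server that accepts labeled-IPsec connections, call peer_context() on the accepted socket and gate the session with peer_allowed(); note that this supplements, not replaces, the kernel's peer { recv } check, which is what produced the denials Grzegorz had to allow.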
selinux@lists.fedoraproject.org