FC5 - problems setting context
Paul Howarth
paul at city-fan.org
Mon Jun 12 17:00:04 UTC 2006
Sandra Julieta Rueda Rodriguez wrote:
> Hello,
>
> I am new with selinux and I have a problem:
>
> My system: Fedora Core 5, FC5 - 2.6.16-1.2122 SMP
> I am trying to set communication policies between two machines and I am
> using the set of commands implemented by ipsec-tools.
>
> I am running the command: setkey -v -f set.conf
> Contents of the file set.conf (it had more things at the beginning but I
> reduced it while looking for the cause of the error):
> flush;
> spdflush;
> spdadd src dest any -ctx 1 1 "user_u:object_r:user_t" -P out ipsec
> esp/transport//require ;
>
> I always receive the same output at the end: "Invalid Argument".
>
> sadb_msg{ version=2 type=9 errno=0 satype=0
> len=2 reserved=0 seq=0 pid=16090
>
> sadb_msg{ version=2 type=9 errno=0 satype=0
> len=2 reserved=0 seq=0 pid=16090
>
> sadb_msg{ version=2 type=19 errno=0 satype=0
> len=2 reserved=0 seq=0 pid=16090
>
> sadb_msg{ version=2 type=19 errno=0 satype=0
> len=2 reserved=0 seq=0 pid=16090
>
> sadb_msg{ version=2 type=14 errno=0 satype=0
> len=16 reserved=0 seq=0 pid=16090
> sadb_ext{ len=4 type=18 }
> sadb_x_policy{ type=2 dir=2 id=0 priority=2147483648 }
> { len=16 proto=50 mode=1 level=2 reqid=0
> }
> sadb_ext{ len=3 type=5 }
> sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
> sockaddr{ len=16 family=2 port=0
> 82cb2034 }
> sadb_ext{ len=3 type=6 }
> sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
> sockaddr{ len=16 family=2 port=0
> 82cb2035 }
> sadb_ext{ len=4 type=24 }
> sadb_x_sec_ctx{ doi=1 alg=1 length=23,
> context:user_u:object_r:user_t}
>
> sadb_msg{ version=2 type=14 errno=22 satype=0
> len=2 reserved=0 seq=0 pid=16090
>
> The result of line 4: Invalid argument.
>
> I followed the procedure and it looks like the problem is not related to
> ipsec-tools but to something in the kernel, because it returns errno=22.
> Running the same command without the ctx extension works fine.
>
> Does anyone have any idea?

Perhaps this is another instance where contexts aren't being passed
through libselinux for translation?

Try using this context instead:

user_u:object_r:user_t:s0

Paul.
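
An added example, not part of the original thread or of ipsec-tools: a small Python parser for the `setkey -v` dump quoted above that pairs a failed PF_KEY reply with the security context sent in the request and checks the context's shape. The sample dump is constructed by abridging the quoted output. The requirement for four fields assumes an MLS/MCS-enabled policy, and the function names are hypothetical.

```python
import errno
import re

# Constructed sample: the failing SPDADD exchange from the quoted dump, abridged.
SAMPLE_DUMP = """\
sadb_msg{ version=2 type=14 errno=0 satype=0
len=16 reserved=0 seq=0 pid=16090
sadb_ext{ len=4 type=24 }
sadb_x_sec_ctx{ doi=1 alg=1 length=23,
context:user_u:object_r:user_t}

sadb_msg{ version=2 type=14 errno=22 satype=0
len=2 reserved=0 seq=0 pid=16090
"""

# Message type numbers from <linux/pfkeyv2.h>
SADB_TYPES = {9: "SADB_FLUSH", 14: "SADB_X_SPDADD", 19: "SADB_X_SPDFLUSH"}
MSG_RE = re.compile(r"type=(\d+)\s+errno=(\d+)")
CTX_RE = re.compile(r"sadb_x_sec_ctx\{.*?length=(\d+),\s*context:([^}\s]*)\}", re.S)

def parse_dump(text):
    """Return one dict per sadb_msg: type name, errno name, optional context."""
    records = []
    for chunk in text.split("sadb_msg{")[1:]:
        mtype, err = map(int, MSG_RE.search(chunk).groups())
        rec = {"type": SADB_TYPES.get(mtype, str(mtype)),
               "errno": errno.errorcode.get(err, str(err)) if err else None,
               "ctx": None, "ctx_len": None}
        ctx = CTX_RE.search(chunk)
        if ctx:
            rec["ctx_len"], rec["ctx"] = int(ctx.group(1)), ctx.group(2)
        records.append(rec)
    return records

def check_context(ctx, declared_len=None):
    """List problems with a context string, assuming an MLS/MCS-enabled policy."""
    problems = []
    fields = ctx.split(":", 3)  # the level itself may contain ':' (e.g. s0:c0.c3)
    if len(fields) < 4 or not all(fields):
        problems.append("expected user:role:type:level, got %d field(s)" % len(fields))
    # In the dump above, length=23 covers the 22 characters plus a trailing NUL.
    if declared_len is not None and declared_len != len(ctx) + 1:
        problems.append("declared length %d != %d" % (declared_len, len(ctx) + 1))
    return problems

def diagnose(text):
    """Pair each failed reply with the context problems of the request before it."""
    recs = parse_dump(text)
    return [(r["type"], r["errno"], check_context(p["ctx"], p["ctx_len"]))
            for p, r in zip(recs, recs[1:]) if r["errno"] and p["ctx"]]
```

On the sample, `diagnose(SAMPLE_DUMP)` reports the `SADB_X_SPDADD` reply with `EINVAL` alongside a three-field context, which is the shape the suggested `user_u:object_r:user_t:s0` corrects.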