Openswan on FC4/5

Stuart James stuart at secpay.com
Tue Jun 27 13:46:29 UTC 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 27 Jun 2006 12:48:22 +0100
Stuart James <stuart at secpay.com> wrote:



> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Mon, 26 Jun 2006 09:22:26 +0100
> Stuart James <stuart at secpay.com> wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Hi,
> > 
> > We are using Openswan to connect two of our sites together via an
> > IPSEC tunnel. Recently we upgraded from FC3 to FC5 on our frontend
> > firewalls, including the version of openswan, selinux policy,
> > kernel, etc. We used to run in enforcing mode without any
> > difficulties; it now seems that with Enforcing mode on, Openswan
> > is not able to add the route.
> > 
> > Using setenforce 0, the tunnel becomes active. As far as I can
> > tell, Openswan has difficulty adding the route to the Right/Left
> > nexthop; although the status of the tunnel appears to be up, the
> > routing does not appear to take place.
> > 
> > #audit2allow -a -t /var/log/audit/audit.log
> > allow ifconfig_t self:netlink_xfrm_socket create;
> > allow ifconfig_t initrc_t:unix_stream_socket { read write };
> 
> I've followed this up in more detail, adding to
> /usr/src/redhat/SOURCES/serefpolicy-2.2.43/policy/modules/system/sysnetwork.te
> 
> # IPsec
> allow ifconfig_t self:netlink_xfrm_socket create;
> allow ifconfig_t initrc_t:unix_stream_socket { read write };
> allow ifconfig_t self:netlink_xfrm_socket setopt;
> allow ifconfig_t initrc_t:udp_socket { read write };
> allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
> allow ifconfig_t self:netlink_xfrm_socket bind;
> allow ifconfig_t self:netlink_xfrm_socket read;
> allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
> allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
> allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };
> 

These rules seem to work now.


# IPsec
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket setopt;
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
allow ifconfig_t self:netlink_xfrm_socket bind;
allow ifconfig_t self:netlink_xfrm_socket read;
allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };
allow ifconfig_t self:netlink_xfrm_socket { nlmsg_write read };
allow ifconfig_t unconfined_t:udp_socket { read write };
allow unlabeled_t self:association sendto;
allow unlabeled_t self:association recvfrom;


> 
> 
> As every time I added this and recompiled the source for the targeted
> policy, I got new errors in the audit.log. Although I have added
> 
> allow ifconfig_t self:netlink_xfrm_socket read;
> 
> I still get it in my audit.log
> 
> When ipsec restarts:
> 
> Shutting down IPsec:  Stopping Openswan IPsec...
> Cannot talk to rtnetlink: Invalid argument
> Cannot talk to rtnetlink: Invalid argument
>                                                            [  OK  ]
> Starting IPsec:  Starting Openswan IPsec 2.4.4...
> insmod /lib/modules/2.6.16-1.2122_FC5/kernel/net/key/af_key.ko
> insmod /lib/modules/2.6.16-1.2122_FC5/kernel/net/ipv4/xfrm4_tunnel.ko
> Cannot talk to rtnetlink: Invalid argument

- -- 
Stuart James
System Administrator
DDI - (44) 0 1765 643354

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEoTa2r8LwOCpshrYRAob5AJ4g14Kb/Z4tWmFv5HtpOLKLWsvRTwCg+l5p
/72yKZ1Mb43+s7mP47Lt6mc=
=gHbh
-----END PGP SIGNATURE-----
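The thread above shows the usual audit2allow loop: each `allow` rule that gets added lets the next syscall through, which then produces the next AVC denial, so the rule list grows one permission at a time and ends up with many overlapping rules for the same domain, target and class. The script below is an added example, not part of this mailing-list thread or of the audit2allow tool: it parses AVC denial records from audit.log, merges all denied permissions per (source type, target type, class) triple into a single `allow` rule (writing `self` when source and target match, as audit2allow does), and flags rules whose target is a broad domain such as `unconfined_t` or `unlabeled_t` so they get reviewed before being compiled into the policy. The audit lines in `SAMPLE_AUDIT_LOG` are constructed to resemble the poster's denials and are not copied from the page; the `BROAD_TYPES` list is an assumption of this example.

```python
"""Merge SELinux AVC denials from audit.log into consolidated allow rules.

Added example for the fedora-selinux-list thread above; it is not the
audit2allow tool and the sample audit records below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the page). The SYSCALL
# record is included to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1151415982.101:1): avc:  denied  { create } for  pid=2101 comm="ip" scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151415982.102:2): avc:  denied  { bind } for  pid=2101 comm="ip" scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151415982.103:3): avc:  denied  { nlmsg_read write } for  pid=2101 comm="ip" scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151415982.104:4): avc:  denied  { read write } for  pid=2101 comm="ip" scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1151415982.104:4): arch=40000003 syscall=102 success=no exit=-13
type=AVC msg=audit(1151415982.105:5): avc:  denied  { read } for  pid=2101 comm="ip" scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:unconfined_t:s0 tclass=udp_socket
"""

# Matches the denied permission set, the source/target contexts and the
# object class of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumed list of domains that are broad enough that a rule targeting them
# deserves a manual look before it goes into the compiled policy.
BROAD_TYPES = ("unconfined_t", "unlabeled_t")


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:mls] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_denials(text):
    """Yield (source_type, target_type, tclass, set_of_perms) per AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        yield (
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            set(m.group("perms").split()),
        )


def merge_rules(text):
    """Collapse all denials into one permission set per (src, tgt, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    return dict(merged)


def format_rule(src, tgt, cls, perms):
    """Render one allow rule in policy syntax, using 'self' when src == tgt."""
    target = "self" if src == tgt else tgt
    perm_list = sorted(perms)
    perm_str = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
    return f"allow {src} {target}:{cls} {perm_str};"


def generate_policy(text):
    """Return the merged allow rules as policy text, one rule per line."""
    rules = merge_rules(text)
    return "\n".join(format_rule(src, tgt, cls, perms)
                     for (src, tgt, cls), perms in sorted(rules.items()))


def flag_broad_targets(text):
    """Return the merged rule keys whose target domain is in BROAD_TYPES."""
    return sorted(key for key in merge_rules(text) if key[1] in BROAD_TYPES)


if __name__ == "__main__":
    print(generate_policy(SAMPLE_AUDIT_LOG))
    for src, tgt, cls in flag_broad_targets(SAMPLE_AUDIT_LOG):
        print(f"# review: {src} -> {tgt}:{cls} targets a broad domain")
```

Running it against a real `/var/log/audit/audit.log` (read the file into `generate_policy`) gives a single rule per triple instead of the accumulating list shown in the thread, which makes the resulting policy diff easier to read and review; the flagged rules are the ones worth checking against the base policy before they are compiled in.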