Openswan on FC4/5

Stuart James stuart at secpay.com
Mon Jun 26 08:22:26 UTC 2006


Hi,

We are using Openswan to connect two of our sites together via an IPSEC
tunnel. Recently we upgraded from FC3 to FC5 on our frontend firewalls,
including the version of Openswan, SELinux policy, kernel, etc. We used
to run in enforcing mode without any difficulties; now, with enforcing
mode on, Openswan does not seem to be able to add the route.

Using setenforce 0, the tunnel becomes active. As far as I can
tell, Openswan has difficulty adding the route to the Right/Left nexthop:
although the status of the tunnel appears to be up, the routing does not
appear to take place.

#audit2allow -a -t /var/log/audit/audit.log
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };

Versions we are using are:
selinux-policy-targeted-2.2.43-4.fc5
kernel-2.6.16-1.2122_FC5
openswan-2.4.4-1.1.2.1

As I have not seen any other mention of this being an issue, I was
wondering if anyone else has encountered this. I have also tested this
on FC4 with the same result.

Am I right in assuming that Openswan is using ifconfig to add the
route? I have looked into the source policy that defines ipsec, which has
no reference to ifconfig, but rather to ipsec eroute.

I am not sure if this is just defined in the wrong place, or if it needs
ifconfig to be added into the policy.


Regards,


Stuart James


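An added example, not from Stuart's post or from the Openswan or Fedora policy sources: a small POSIX shell script that turns the two rules audit2allow printed above into a minimal local policy module, which is the narrowly scoped alternative to leaving the box in permissive mode with setenforce 0. The module name local_openswan and the output file names are assumptions; the require block is derived from the rules the same way audit2allow -M does it.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a local SELinux policy
# module containing only the two rules audit2allow reported, so the change
# is scoped to ifconfig_t instead of running permissive with setenforce 0.
# Module name "local_openswan" is an assumption.
MODULE=local_openswan

# The two allow rules exactly as audit2allow printed them in the post.
RULES='allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };'

# gen_te: print a .te source. The require block is derived from the rules:
# every source/target type (except "self") and every class together with
# the permissions used on it, which is what audit2allow -M does internally.
gen_te() {
    echo "module $MODULE 1.0;"
    echo ""
    echo "require {"
    printf '%s\n' "$RULES" | awk '
      {
        src = $2; split($3, a, ":"); tgt = a[1]; cls = a[2]
        types[src] = 1
        if (tgt != "self") types[tgt] = 1
        perms = ""
        for (i = 4; i <= NF; i++) perms = perms " " $i
        gsub(/[{};]/, "", perms)            # strip braces and semicolon
        classes[cls] = classes[cls] " " perms
      }
      END {
        for (t in types) printf "\ttype %s;\n", t
        for (c in classes) {
          gsub(/ +/, " ", classes[c]); sub(/^ /, "", classes[c]); sub(/ $/, "", classes[c])
          printf "\tclass %s { %s };\n", c, classes[c]
        }
      }'
    echo "}"
    echo ""
    printf '%s\n' "$RULES"
}

# build_module: compile and load the module (needs checkmodule,
# semodule_package and semodule from policycoreutils). Called explicitly,
# never at load time; confirm the denials first with: ausearch -m avc -c ifconfig
build_module() {
    gen_te > "$MODULE.te"
    checkmodule -M -m -o "$MODULE.mod" "$MODULE.te"
    semodule_package -o "$MODULE.pp" -m "$MODULE.mod"
    semodule -i "$MODULE.pp"
}
```

Before loading the module, re-run ausearch with it installed to confirm no further AVC denials from ifconfig_t remain, since a route that still fails to be added would show up there rather than in Openswan's own status output.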
