/testing/guestbin/swan-prep east # # build install se module east # ../../guestbin/semodule.sh ipsecspd.te Compiling targeted ipsecspd module Creating targeted ipsecspd.pp policy package rm tmp/ipsecspd.mod tmp/ipsecspd.mod.fc ipsecspd.pp installed east # # get pluto going east # ipsec start Redirecting to: [initsystem] east # ../../guestbin/wait-until-pluto-started east # echo 1 > /proc/sys/net/core/xfrm_acq_expires east # ipsec auto --add labeled 002 "labeled": added IKEv2 connection east # ipsec getpeercon_server -d 4300 -> running as unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -> creating socket ... ok -> listening on TCP port 4300 ... ok -> waiting ... east # echo "initdone" initdone east # ../../guestbin/ipsec-look.sh <- connect(192.1.2.45,unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023) quit -> connection closed east NOW XFRM state: src 192.1.2.45 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 anti-replay esn context: seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX replay_window 128, bitmap-length 4 00000000 00000000 00000000 XXXXXXXX security context system_u:system_r:sshd_t:s0-s0:c0.c1023 src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 anti-replay esn context: seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX replay_window 128, bitmap-length 4 00000000 00000000 00000000 XXXXXXXX security context system_u:system_r:sshd_t:s0-s0:c0.c1023 src 192.1.2.45 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 anti-replay esn context: seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX replay_window 128, bitmap-length 4 00000000 00000000 00000000 XXXXXXXX security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 anti-replay esn context: seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX replay_window 128, bitmap-length 4 00000000 00000000 00000000 XXXXXXXX security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 src 192.1.2.45 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 anti-replay esn context: seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX replay_window 128, bitmap-length 4 00000000 00000000 00000000 XXXXXXXX security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 anti-replay esn context: seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX replay_window 128, bitmap-length 4 00000000 00000000 00000000 XXXXXXXX security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 XFRM policy: src 192.1.2.23/32 dst 192.1.2.45/32 security context system_u:object_r:ipsec_spd_t:s0 dir out priority PRIORITY ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto esp reqid REQID mode tunnel src 192.1.2.45/32 dst 192.1.2.23/32 security context system_u:object_r:ipsec_spd_t:s0 dir fwd priority PRIORITY ptype main tmpl src 192.1.2.45 dst 192.1.2.23 proto esp reqid REQID mode tunnel src 192.1.2.45/32 dst 192.1.2.23/32 security context system_u:object_r:ipsec_spd_t:s0 dir in priority PRIORITY ptype main tmpl src 192.1.2.45 dst 192.1.2.23 proto esp reqid REQID mode tunnel XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.2.254 dev eth1 192.0.1.0/24 via 192.1.2.45 dev eth1 192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.254 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.23 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI east # >>>>>>>>>> post-mortem >>>>>>>>>>../../guestbin/post-mortem.sh PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND 1 808 808 808 ? -1 Ssl 0 0:00 PATH/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork : : checking shutting down pluto : ipsec whack --shutdown pidof pluto PASS: shutting down pluto : : checking core files : PASS: core files : : checking memory leaks : PASS: memory leaks : : checking reference leaks : PASS: reference leaks : : checking xfrm errors : ERROR: east: XfrmOutNoStates 1 IGNORE: xfrm errors : : checking state/policy entries : PASS: state/policy entries : : checking selinux audit records : type=AVC msg=audit(1652549686.957:188): avc: denied { setcontext } for pid=808 comm="pluto" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=association permissive=1 FAIL: selinux audit records saving rules in OUTPUT/post-mortem.east.audit2allow.rules require { type sshd_t; type unconfined_service_t; class association setcontext; } #============= unconfined_service_t ============== allow unconfined_service_t sshd_t:association setcontext; : : unload any selinux modules : Unloading ipsecspd semodule -r ipsecspd libsemanage.semanage_direct_remove_key: Removing last ipsecspd module (no other ipsecspd module exists at another priority). east #