>>>>>>>>>>cut>>>>>>>>>> eastinit.sh <<<<<<<<<<tuc<<<<<<<<<</testing/guestbin/swan-prep
[root@east ikev2-labeled-ipsec-03-multi-acquires-permissive]# # build install se module
[root@east ikev2-labeled-ipsec-03-multi-acquires-permissive]# ../../guestbin/semodule.sh ipsecspd.te
Compiling targeted ipsecspd module
Creating targeted ipsecspd.pp policy package
rm tmp/ipsecspd.mod tmp/ipsecspd.mod.fc
[   28.456565] SELinux:  Converting 257 SID table entries...
[   28.467751] SELinux:  policy capability network_peer_controls=1
[   28.468564] SELinux:  policy capability open_perms=1
[   28.469252] SELinux:  policy capability extended_socket_class=1
[   28.470140] SELinux:  policy capability always_check_network=0
[   28.471032] SELinux:  policy capability cgroup_seclabel=1
[   28.471853] SELinux:  policy capability nnp_nosuid_transition=1
[   28.472782] SELinux:  policy capability genfs_seclabel_symlinks=0
[   28.473770] SELinux:  policy capability ioctl_skip_cloexec=0
ipsecspd.pp installed
[root@east ikev2-labeled-ipsec-03-multi-acquires-permissive]# # get pluto going
[root@east ikev2-labeled-ipsec-03-multi-acquires-permissive]# ipsec start
Redirecting to: systemctl start ipsec.service
[   29.133224] AVX or AES-NI instructions are not detected.
[   29.140881] AVX or AES-NI instructions are not detected.
[   29.401960] IPv4 over IPsec tunneling driver
[   29.421248] IPsec XFRM device driver
[root@east ikev2-labeled-ipsec-03-multi-acquires-permissive]# ../../guestbin/wait-until-pluto-started
==== cut ====
000   PID  Process
000   811  addconn
000   811  addconn
try again
000   PID  Process
addconn exited
==== tuc ====
[root@east ikev2-labeled-ipsec-03-multi-acquires-permissive]# echo 1 > /proc/sys/net/core/xfrm_acq_expires
[root@east ikev2-labeled-ipsec-03-multi-acquires-permissive]# ipsec auto --add labeled
002 "labeled": added IKEv2 connection
[root@east ikev2-labeled-ipsec-03-multi-acquires-permissive]# ipsec getpeercon_server -d 4300
-> running as unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-> creating socket ... ok
-> listening on TCP port 4300 ... ok
-> waiting ... 
[root@east ikev2-labeled-ipsec-03-multi-acquires-permissive]# echo "initdone"
initdone
[root@east ikev2-labeled-ipsec-03-multi-acquires-permissive]# >>>>>>>>>>cut>>>>>>>>>> final.sh <<<<<<<<<<tuc<<<<<<<<<<../../guestbin/ipsec-look.sh
[   44.920056] alg: No test for seqiv(rfc4106(gcm(aes))) (seqiv(rfc4106(gcm_base(ctr(aes-generic),ghash-generic))))
<- connect(192.1.2.45,unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023)
   quit
-> connection closed
==== cut ====
DUMP IN: OUTPUT/east.ipsec-look.866.log
==== tuc ====
east Sat May 14 13:34:48 EDT 2022
XFRM state:
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xa6a3e318 reqid 16389 mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xf9d9b5a9ab86fed059fd831d4c47dada9def388f0c89a1ae51701ce754cdc4f59443fea4 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0x8, oseq-hi 0x0, oseq 0x0
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 000000ff 
	security context system_u:system_r:sshd_t:s0-s0:c0.c1023 
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0x8263439c reqid 16389 mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0x82e06182c5e2c1ea844864c6388d26b9fa5017164e2d31522cc95d0f4cc78f3097f87ab4 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x6
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 00000000 
	security context system_u:system_r:sshd_t:s0-s0:c0.c1023 
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0x57b81ae4 reqid 16389 mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0x7d2178026ffc1eb0b2fa89832e49a8ff936b5f3c382315bb6a443c654add84941ae73d4e 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 00000000 
	security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xed57f681 reqid 16389 mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0x1353edc4ed693b94640a1f219e82ffd62f20495108b73980c23c67093ff023b195ff1c31 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x3
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 00000000 
	security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0x141380a2 reqid 16389 mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0x846724c9d9f3fa23ef95b584632a5c45a7a8ae92d3672b3599154613c988b0f2856d8900 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0x5, oseq-hi 0x0, oseq 0x0
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 0000001f 
	security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xa770d52c reqid 16389 mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xe8f1a1a0c27a11e55ba046b02fb38bac1e7191ec3beb37b404216a34d276f6bede394f62 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 00000000 
	security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 
XFRM policy:
src 192.1.2.23/32 dst 192.1.2.45/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority 1753281 ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid 16389 mode tunnel
src 192.1.2.45/32 dst 192.1.2.23/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir fwd priority 1753281 ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid 16389 mode tunnel
src 192.1.2.45/32 dst 192.1.2.23/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority 1753281 ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid 16389 mode tunnel
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1 proto static
192.0.1.0/24 via 192.1.2.45 dev eth1 proto static onlink
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.254
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.23
NSS_CERTIFICATES

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

[root@east ikev2-labeled-ipsec-03-multi-acquires-permissive]# >>>>>>>>>> post-mortem >>>>>>>>>>../../guestbin/post-mortem.sh
   PPID     PID    PGID     SID TTY        TPGID STAT   UID   TIME COMMAND
      1     808     808     808 ?             -1 Ssl      0   0:00 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
:
: checking shutting down pluto
:
ipsec whack --shutdown
pidof pluto
PASS: shutting down pluto
:
: checking core files
:
PASS: core files
:
: checking memory leaks
:
PASS: memory leaks
:
: checking reference leaks
:
PASS: reference leaks
:
: checking xfrm errors
:
ERROR: east: XfrmOutNoStates         	1
IGNORE: xfrm errors
:
: checking state/policy entries
:
PASS: state/policy entries
:
: checking selinux audit records
:
type=AVC msg=audit(1652549686.957:188): avc:  denied  { setcontext } for  pid=808 comm="pluto" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=association permissive=1
FAIL: selinux audit records
saving rules in OUTPUT/post-mortem.east.audit2allow.rules

require {
	type sshd_t;
	type unconfined_service_t;
	class association setcontext;
}

#============= unconfined_service_t ==============
allow unconfined_service_t sshd_t:association setcontext;
:
: unload any selinux modules
:
Unloading ipsecspd
semodule -r ipsecspd
libsemanage.semanage_direct_remove_key: Removing last ipsecspd module (no other ipsecspd module exists at another priority).
[   58.341862] SELinux:  Converting 267 SID table entries...
[   58.352747] SELinux:  policy capability network_peer_controls=1
[   58.353727] SELinux:  policy capability open_perms=1
[   58.354541] SELinux:  policy capability extended_socket_class=1
[   58.355478] SELinux:  policy capability always_check_network=0
[   58.356442] SELinux:  policy capability cgroup_seclabel=1
[   58.357250] SELinux:  policy capability nnp_nosuid_transition=1
[   58.358038] SELinux:  policy capability genfs_seclabel_symlinks=0
[   58.358935] SELinux:  policy capability ioctl_skip_cloexec=0
[root@east ikev2-labeled-ipsec-03-multi-acquires-permissive 1]# >>>>>>>>>>cut>>>>>>>>>> done <<<<<<<<<<tuc<<<<<<<<<<