On 10/15/2009 09:27 AM, Xavier Toth wrote:
> On Wed, Oct 14, 2009 at 5:42 PM, Joshua Roys
> <joshua.roys(a)gtri.gatech.edu> wrote:
>> On 10/14/2009 03:42 PM, Daniel J Walsh wrote:
>>>
>>> On 10/14/2009 01:30 PM, Joshua Roys wrote:
>>>>
>>>> avc: denied { recv } for saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500
>>>> netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
>>>> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
>>>>
>>
>> Looking at policy/mls, I see this:
>> # the peer/packet recv op
>> mlsconstrain { peer packet } { recv }
>> (( l1 dom l2 ) or
>> (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
>> ( t1 == mlsnetread ));
>>
>> mlsnetreadtoclr appears to only be granted via:
>> policy/modules/kernel/mls.if: mls_socket_read_to_clearance
>> which is not granted to racoon_t
>>
Hello,
We have ipsec working again, using something like:
($local_t and $remote_t being the local and remote types)
# gives racoon_t the mlsnetreadtoclr attribute that the peer/packet recv constraint checks
mls_socket_read_to_clearance(racoon_t)
# IPsec security policy (SPD) matching in both directions
allow $local_t $remote_t:association polmatch;
allow $remote_t $local_t:association polmatch;
# the { recv } permission that was being denied
allow $local_t $remote_t:peer recv;
Thanks for the tips,
Joshua Roys
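The mlsconstrain quoted earlier in the thread, worked through against the posted AVC line. This is an added example, not code from the thread or from the SELinux reference policy: it parses the scontext/tcontext MLS ranges, implements `dom` as "sensitivity >= and category superset", and evaluates the three disjuncts of the `{ peer packet } { recv }` constraint. The attribute membership of the source type (`mlsnetreadtoclr`, `mlsnetread`) is passed in as an assumed set, since this script does not query the loaded policy; the thread's point is that `mls_socket_read_to_clearance(racoon_t)` is what puts racoon_t in `mlsnetreadtoclr`. The AVC line is a constructed copy of the one in the post, with its placeholder addresses.

```python
import re

# Constructed copy of the AVC denial quoted in the thread.
AVC_LINE = (
    "avc: denied { recv } for saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500 "
    "netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 "
    "tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer"
)

# A category item is either "cN" or a range "cN.cM" (inclusive).
_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_level(level):
    """'s15:c0.c1023' -> (15, frozenset of categories 0..1023); 's0' -> (0, frozenset())."""
    sens, _, cats = level.partition(":")
    if not sens.startswith("s"):
        raise ValueError(f"bad sensitivity in level {level!r}")
    categories = set()
    if cats:
        for item in cats.split(","):
            m = _CAT_RE.match(item)
            if m is None:
                raise ValueError(f"bad category item {item!r} in level {level!r}")
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            categories.update(range(lo, hi + 1))
    return (int(sens[1:]), frozenset(categories))


def parse_context(ctx):
    """'user:role:type:low[-high]' -> dict with the type and its low/high MLS levels."""
    user, role, type_, mls_range = ctx.split(":", 3)
    low, _, high = mls_range.partition("-")
    low_level = parse_level(low)
    high_level = parse_level(high) if high else low_level  # single level: low == high
    return {"user": user, "role": role, "type": type_, "low": low_level, "high": high_level}


def dominates(a, b):
    """MLS 'a dom b': a's sensitivity >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_avc(line):
    """Extract the key=value fields of an AVC record plus the permission list in '{ ... }'."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    perm = re.search(r"\{ ([^}]*) \}", line)
    fields["perms"] = perm.group(1).split() if perm else []
    return fields


def evaluate_recv_constraint(avc, source_attributes):
    """Evaluate each disjunct of the policy/mls constraint on { peer packet } recv.

    source_attributes: the attributes the source type carries (assumed input).
    Returns the truth value of each disjunct and whether the constraint passes.
    """
    if avc.get("tclass") not in ("peer", "packet") or "recv" not in avc["perms"]:
        raise ValueError("this constraint only covers { peer packet } recv")
    src = parse_context(avc["scontext"])
    tgt = parse_context(avc["tcontext"])
    l1, h1, l2 = src["low"], src["high"], tgt["low"]
    result = {
        "l1_dom_l2": dominates(l1, l2),
        "netreadtoclr_and_h1_dom_l2": "mlsnetreadtoclr" in source_attributes and dominates(h1, l2),
        "netread": "mlsnetread" in source_attributes,
    }
    result["allowed"] = any(
        result[k] for k in ("l1_dom_l2", "netreadtoclr_and_h1_dom_l2", "netread")
    )
    return result


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    print("as posted      :", evaluate_recv_constraint(avc, set()))
    print("with the fix   :", evaluate_recv_constraint(avc, {"mlsnetreadtoclr"}))
```

For the posted line, l1 is s0 with no categories, so `l1 dom l2` fails against the s15:c0.c1023 peer label, while h1 (s15:c0.c1023) does dominate it; only the `mlsnetreadtoclr` disjunct can pass, which is why the denial goes away once the type is in that attribute.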