Labeled IPSec trying to match policy for peer label?

[Sven Vermeulen <sven.vermeulen@siphos.be>]

Hi all,

I'm trying to get a Labeled IPSec working, but the moment I enable a context
on the SPD, any attempt to set up an SA (by racoon) fails with the following
message:

Jul  5 20:25:16 test racoon: INFO: respond new phase 2 negotiation: 192.168.100.152[500]<=>192.168.100.153[500]
Jul  5 20:25:16 test racoon: ERROR: no policy found: 10.1.3.0/24[0] 10.1.2.0/24[0] proto=any dir=in sec_ctx:doi=1,alg=1,len=24,str=root:sysadm_r:ping_t:s0
Jul  5 20:25:16 test racoon: ERROR: failed to get proposal for responder.

There is (of course?) no policy for ping_t, only for ipsec_spd_t. Let me
show you the setkey instructions:

spdadd 10.1.2.0/24 10.1.3.0/24 any -ctx 1 1
  "system_u:object_r:ipsec_spd_t:s0" -P out ipsec
  esp/tunnel/192.168.100.152-192.168.100.153/require;

spdadd 10.1.3.0/24 10.1.2.0/24 any -ctx 1 1
  "system_u:object_r:ipsec_spd_t:s0" -P in ipsec
  esp/tunnel/192.168.100.153-192.168.100.152/require;

If I drop the "-ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"" then the IPSec
works (I verified that it is indeed IPSec traffic). For allowing ping to
work across the Labeled IPSec setup, I have added allow rules for kernel_t
and ping_t to association:polmatch against ipsec_spd_t (without those, IPSec
isn't used as expected).

Considering I get the error message on the server side tells me that the
label is properly passed on (so ping_t is the peer label) but I was
expecting that it would match the policy on the ipsec_spd_t context?

What am I missing here? Is there a particular check that IPSec does further
that I'm not seeing (no denials are shown, even disabled all dontaudits)?

On the client side (where ping is invoked) the following is logged:

Jul  5 20:24:32 test racoon: INFO: initiate new phase 2 negotiation: 192.168.100.153[500]<=>192.168.100.152[500]
Jul  5 20:24:58 test racoon: INFO: unsupported PF_KEY message REGISTER
Jul  5 20:25:06 test racoon: INFO: security context doi: 1
Jul  5 20:25:06 test racoon: INFO: security context algorithm: 1
Jul  5 20:25:06 test racoon: INFO: security context length: 24
Jul  5 20:25:06 test racoon: INFO: security context: root:sysadm_r:ping_t:s0
Jul  5 20:25:06 test racoon: NOTIFY: no in-bound policy found: 10.1.2.0/24[0] 10.1.3.0/24[0] proto=any dir=in sec_ctx:doi=1,alg=1,len=24,str=root:sysadm_r:ping_t:s0
Jul  5 20:25:06 test racoon: INFO: initiate new phase 2 negotiation: 192.168.100.153[500]<=>192.168.100.152[500]
Jul  5 20:25:36 test racoon: INFO: IPsec-SA expired: ESP/Tunnel 192.168.100.152[500]->192.168.100.153[500] spi=220218943(0xd20463f)
Jul  5 20:25:36 test racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.


Wkr,
  Sven Vermeulen

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.