<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
I'm new to F11, but I have openswan working in Ubuntu. Openswan installed
without problems, but when I run ipsec setup --start I get SELinux
errors. A co-worker using F10 has the same ipsec.conf working just fine,
but he disabled SELinux, which I would rather not do. Here are my
ipsec.conf and company.conf:<br>
<br>
Any help would be great.<br>
<br>
# /etc/ipsec.conf - Openswan IPsec configuration file<br>
#<br>
# Manual: ipsec.conf.5<br>
#<br>
# Please place your own config files in /etc/ipsec.d/ ending in .conf<br>
<br>
version        2.0        # conforms to second version of ipsec.conf specification<br>
<br>
# basic configuration<br>
config setup<br>
        # Debug-logging controls: "none" for (almost) none, "all" for lots.<br>
        # klipsdebug=none<br>
        # plutodebug="control parsing"<br>
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey<br>
        protostack=netkey<br>
        nat_traversal=yes<br>
        virtual_private=<br>
        oe=off<br>
        # Enable this if you see "failed to find any available worker"<br>
        nhelpers=0<br>
<br>
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.<br>
include /etc/ipsec.d/company.conf<br>
<br>
company.conf:<br>
<br>
conn company<br>
        authby=secret<br>
        type=tunnel<br>
        keyingtries=1<br>
        keyexchange=ike<br>
        ike=3des-md5<br>
        esp=3des-md5<br>
        pfs=yes<br>
        auto=start<br>
        left=%defaultroute<br>
        right=xxx.xxx.xxx.xxx<br>
        rightsubnet=xxx.xxx.xxx.xxx/24<br>
<br>
# disable opportunistic encryption<br>
#conn block<br>
# auto=ignore<br>
<br>
#conn private<br>
# auto=ignore<br>
<br>
#conn private-or-clear<br>
# auto=ignore<br>
<br>
#conn clear-or-private<br>
# auto=ignore<br>
#conn clear<br>
# auto=ignore<br>
<br>
#conn packetdefault<br>
# auto=ignore<br>
I also get the following; I assume it's because of the policy issues:<br>
<br>
[root@localhost etc]# ipsec setup --start<br>
ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.29.4-167.fc11.i686.PAE...<br>
[root@localhost etc]# ipsec setup --status<br>
IPsec stopped<br>
but...<br>
has subsystem lock (/var/lock/subsys/ipsec)!<br>
<br>
<br>
Summary:<br>
<br>
SELinux is preventing the lwdnsq from using potentially mislabeled files (tmp).<br>
<br>
Allowing Access:<br>
<br>
If you want lwdnsq to access this files, you need to relabel them using<br>
restorecon -v 'tmp'. You might want to relabel the entire directory using<br>
restorecon -R -v 'tmp'.<br>
<br>
Additional Information:<br>
<br>
Source Context unconfined_u:system_r:ipsec_t:s0<br>
Target Context system_u:object_r:tmp_t:s0<br>
Target Objects tmp [ dir ]<br>
Source pluto<br>
Source Path /usr/libexec/ipsec/pluto<br>
Port <Unknown><br>
Host localhost.localdomain<br>
Source RPM Packages openswan-2.6.21-4.fc11<br>
Target RPM Packages filesystem-2.4.21-1.fc11<br>
Policy RPM selinux-policy-3.6.12-53.fc11<br>
Selinux Enabled True<br>
Policy Type targeted<br>
MLS Enabled True<br>
Enforcing Mode Enforcing<br>
Plugin Name home_tmp_bad_labels<br>
Host Name localhost.localdomain<br>
Platform Linux localhost.localdomain<br>
2.6.29.4-167.fc11.i686.PAE #1 SMP Wed May 27<br>
17:28:22 EDT 2009 i686 i686<br>
Alert Count 64<br>
First Seen Sat 27 Jun 2009 11:45:49 PM EDT<br>
Last Seen Sun 28 Jun 2009 12:03:35 AM EDT<br>
Local ID 91b6246f-d163-4a4a-a779-fc9d07b55601<br>
Line Numbers <br>
<br>
Summary:<br>
<br>
SELinux is preventing pluto (ipsec_t) "write" to etc (etc_t).<br>
<br>
Allowing Access:<br>
<br>
You can attempt to fix file context by executing restorecon -v 'etc'<br>
<br>
Fix Command:<br>
<br>
restorecon 'etc'<br>
<br>
Additional Information:<br>
<br>
Source Context unconfined_u:system_r:ipsec_t:s0<br>
Target Context system_u:object_r:etc_t:s0<br>
Target Objects etc [ dir ]<br>
Source pluto<br>
Source Path /usr/libexec/ipsec/pluto<br>
Port <Unknown><br>
Host localhost.localdomain<br>
Source RPM Packages openswan-2.6.21-4.fc11<br>
Target RPM Packages filesystem-2.4.21-1.fc11<br>
Policy RPM selinux-policy-3.6.12-53.fc11<br>
Selinux Enabled True<br>
Policy Type targeted<br>
MLS Enabled True<br>
Enforcing Mode Enforcing<br>
Plugin Name mislabeled_file<br>
Host Name localhost.localdomain<br>
Platform Linux localhost.localdomain<br>
2.6.29.4-167.fc11.i686.PAE #1 SMP Wed May 27<br>
17:28:22 EDT 2009 i686 i686<br>
Alert Count 24<br>
First Seen Sat 27 Jun 2009 11:50:33 PM EDT<br>
Last Seen Sun 28 Jun 2009 12:03:35 AM EDT<br>
Local ID 9b0d01dd-ff64-442d-b583-51cda0cbd751<br>
Line Numbers <br>
<br>
Summary:<br>
<br>
SELinux is preventing ip (ifconfig_t) "write" ipsec_t.<br>
<br>
Allowing Access:<br>
<br>
You can generate a local policy module to allow this access - see FAQ<br>
(<a href="http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385" target="_blank">http://fedora.redhat.com/docs/selinu...fc5/#id2961385</a>) Or you can disable<br>
SELinux protection altogether. Disabling SELinux protection is not recommended.<br>
Please file a bug report (<a href="http://bugzilla.redhat.com/bugzilla/enter_bug.cgi" target="_blank">http://bugzilla.redhat.com/bugzilla/enter_bug.cgi</a>)<br>
against this package.<br>
<br>
Additional Information:<br>
<br>
Source Context unconfined_u:system_r:ifconfig_t:s0<br>
Target Context unconfined_u:system_r:ipsec_t:s0<br>
Target Objects pipe [ fifo_file ]<br>
Source ip<br>
Source Path /sbin/ip<br>
Port <Unknown><br>
Host localhost.localdomain<br>
Source RPM Packages iproute-2.6.29-2.fc11<br>
Target RPM Packages <br>
Policy RPM selinux-policy-3.6.12-53.fc11<br>
Selinux Enabled True<br>
Policy Type targeted<br>
MLS Enabled True<br>
Enforcing Mode Enforcing<br>
Plugin Name catchall<br>
Host Name localhost.localdomain<br>
Platform Linux localhost.localdomain<br>
2.6.29.4-167.fc11.i686.PAE #1 SMP Wed May 27<br>
17:28:22 EDT 2009 i686 i686<br>
Alert Count 4<br>
First Seen Sat 27 Jun 2009 11:54:53 PM EDT<br>
Last Seen Sun 28 Jun 2009 12:03:36 AM EDT<br>
Local ID 6b242134-23b8-45ca-85f4-216ad6c384fd<br>
Line Numbers <br>
<br>
<br>
Summary:<br>
<br>
SELinux is preventing setup (ipsec_mgmt_t) "write" to / (root_t).<br>
<br>
Allowing Access:<br>
<br>
You can attempt to fix file context by executing restorecon -v '/'<br>
<br>
Fix Command:<br>
<br>
restorecon '/'<br>
<br>
Additional Information:<br>
<br>
Source Context unconfined_u:system_r:ipsec_mgmt_t:s0<br>
Target Context system_u:object_r:root_t:s0<br>
Target Objects / [ dir ]<br>
Source setup<br>
Source Path /bin/bash<br>
Port <Unknown><br>
Host localhost.localdomain<br>
Source RPM Packages bash-4.0-6.fc11<br>
Target RPM Packages filesystem-2.4.21-1.fc11<br>
Policy RPM selinux-policy-3.6.12-53.fc11<br>
Selinux Enabled True<br>
Policy Type targeted<br>
MLS Enabled True<br>
Enforcing Mode Enforcing<br>
Plugin Name mislabeled_file<br>
Host Name localhost.localdomain<br>
Platform Linux localhost.localdomain<br>
2.6.29.4-167.fc11.i686.PAE #1 SMP Wed May 27<br>
17:28:22 EDT 2009 i686 i686<br>
Alert Count 4<br>
First Seen Sat 27 Jun 2009 11:55:04 PM EDT<br>
Last Seen Sun 28 Jun 2009 12:03:46 AM EDT<br>
Local ID 01d8f932-d15c-4bd7-ad19-969a42b5a634<br>
Line Numbers
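As an added triage helper (not part of the original post, of Openswan, or of setroubleshoot), the following Python script parses alert blocks in the format shown above and sorts each one into the two responses the alerts themselves suggest: a relabel for the mislabeled-file plugins, or a local policy module for the catchall case. The sample alert text is constructed from the values in this post, and the script only returns the suggested command; it does not run restorecon or audit2allow.

```python
import re

# Constructed sample: two of the setroubleshoot alerts from the post above,
# trimmed to the fields the triage needs.
SAMPLE_ALERTS = """\
Summary:

SELinux is preventing pluto (ipsec_t) "write" to etc (etc_t).

Additional Information:

Source Context unconfined_u:system_r:ipsec_t:s0
Target Context system_u:object_r:etc_t:s0
Target Objects etc [ dir ]
Source Path /usr/libexec/ipsec/pluto
Plugin Name mislabeled_file
Alert Count 24

Summary:

SELinux is preventing ip (ifconfig_t) "write" ipsec_t.

Additional Information:

Source Context unconfined_u:system_r:ifconfig_t:s0
Target Context unconfined_u:system_r:ipsec_t:s0
Target Objects pipe [ fifo_file ]
Source Path /sbin/ip
Plugin Name catchall
Alert Count 4
"""

# One "Key value" line per field we care about; the alert text is line-oriented.
FIELD = re.compile(r"^(Source Context|Target Context|Target Objects|Source Path|"
                   r"Plugin Name|Alert Count)\s+(.*)$", re.M)
# Plugins whose advice in the post is "relabel the file/directory".
RELABEL_PLUGINS = {"mislabeled_file", "home_tmp_bad_labels"}


def parse_alerts(text):
    """Split the text on 'Summary:' and pull out the fields of every alert."""
    alerts = []
    for block in text.split("Summary:")[1:]:
        f = {k: v.strip() for k, v in FIELD.findall(block)}
        f["source_type"] = f["Source Context"].split(":")[2]   # e.g. ipsec_t
        f["target_type"] = f["Target Context"].split(":")[2]   # e.g. etc_t
        f["object"] = f["Target Objects"].split(" [")[0]        # path as reported
        f["count"] = int(f["Alert Count"])
        alerts.append(f)
    return alerts


def triage(alert):
    """Return (action, command) following the advice printed in the alerts."""
    if alert["Plugin Name"] in RELABEL_PLUGINS:
        # The object name is as reported by the alert (relative to the
        # process cwd here); use the absolute path when actually relabeling.
        return ("relabel", "restorecon -R -v '%s'" % alert["object"])
    # catchall: no label fix applies, so build a local module from the AVCs.
    return ("policy", "audit2allow -a -M local_%s" % alert["source_type"])
```

Feed it the text of `sealert -l <id>` output (or the alert mails) to see at a glance which denials are label drift, which the relabel fixes, and which need a policy change.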
</body>
</html>