On Mon, 26 Jan 2015, Ted Toth wrote:
> As I've mentioned before, we're using label ipsec with SELinux MLS
> policy. On the clients I'm seeing:
>
> within_range: The sl (<selinux context>) is not within range of
> (<selinux context>)
> security context verification failed (perhaps policy_label is not
> configured for this connection)
>
> which I think is related to the BAD_PROPOSAL_SYNTAX errors. I got the
> source rpm for the openswan version we're using and started looking
> for the code that generates these messages but I haven't found it yet.
> Do you know where the within_range check occurs? The level is within
> the range but the user/role/type are different.

That's very possible. All the BAD_PROPOSAL_SYNTAX returns stem from
ikev1_spdb_struct.c (formerly spdb_v1_struct.c) problems. One of
those is reading the oakley trans attributes which I believe is
where the policy label is transferred.

Paul
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan