The problem turned out to be that the connection SELinux type was not defined in the policy on the client so that the avc_has_perm failed. I'd have expected to see the "within_range: Unable to retrieve sid for sl context ..." message instead of the "within_range: The sl (<selinux context>) is not within range of (<selinux context>)" message. Maybe I'm not looking at the right source (security_selinux.c). I installed a policy module which defined the type and the errors stopped.
On Mon, Jan 26, 2015 at 5:52 PM, Paul Wouters <[email protected]> wrote:
> On Mon, 26 Jan 2015, Ted Toth wrote:
>
>> As I've mentioned before we're using label ipsec with SELinux MLS
>> policy. On the clients I'm seeing:
>>
>> within_range: The sl (<selinux context>) is not within range of
>> (<selinux context>)
>> security context verification failed (perhaps policy_label is not
>> configured for this connection)
>>
>> which I think is related to the BAD_PROPOSAL_SYNTAX errors. I got the
>> source rpm for the openswan version we're using and started looking
>> for the code that generates these messages but I haven't found it yet;
>> do you know where the within_range check occurs? The level is within
>> the range but the user/role/type are different.
>
>
> That's very possible. All the BAD_PROPOSAL_SYNTAX returns stem from
> ikev1_spdb_struct.c (formerly spdb_v1_struct.c) problems. One of
> those is reading the oakley trans attributes which I believe is
> where the policy label is transferred.
>
> Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
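The range check the thread is chasing, as an added illustration (this is not openswan or libreswan code): it parses SELinux MLS contexts and separates "type not defined in the loaded policy" (the AVC lookup failure behind Ted's fix) from "level outside the range", so a log message can name the real cause. The type name and the known-type set are constructed for the example.

```python
"""Model of a labeled-IPsec MLS range check (illustration, not libreswan code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int           # sensitivity, the N in "sN"
    cats: frozenset     # category numbers, expanded from "c0.c5,c8"


def parse_level(text):
    # "s2:c0.c5,c8" -> Level(2, {0,1,2,3,4,5,8}); "s0" -> Level(0, {})
    sens_part, _, cat_part = text.partition(":")
    if not sens_part.startswith("s"):
        raise ValueError(f"bad sensitivity in level: {text!r}")
    cats = set()
    for piece in filter(None, cat_part.split(",")):
        lo, _, hi = piece.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return Level(int(sens_part[1:]), frozenset(cats))


def parse_context(ctx):
    # "user:role:type:low-high" -> (user, role, type, low, high); high defaults to low
    user, role, typ, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return user, role, typ, parse_level(low), parse_level(high or low)


def dominates(a, b):
    # a dominates b when its sensitivity is >= and its categories are a superset
    return a.sens >= b.sens and a.cats >= b.cats


def check_label(conn_ctx, policy_ctx, known_types):
    """Return (ok, reason). Two distinct failure modes, as in the thread:
    the loaded policy may not define the connection's type at all (an AVC
    lookup failure), or the level may genuinely fall outside the range."""
    _, _, conn_type, conn_low, conn_high = parse_context(conn_ctx)
    _, _, _, pol_low, pol_high = parse_context(policy_ctx)
    if conn_type not in known_types:
        return False, f"type {conn_type} is not defined in the loaded policy"
    if not (dominates(conn_low, pol_low) and dominates(pol_high, conn_high)):
        return False, "level is not within range"
    return True, "within range"


if __name__ == "__main__":
    # Constructed contexts; "labeled_conn_t" is a made-up type name.
    policy = {"labeled_conn_t"}
    print(check_label("system_u:object_r:labeled_conn_t:s1:c0.c3",
                      "system_u:object_r:labeled_conn_t:s0-s2:c0.c10", policy))
```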
