SElinux and Labeled IPsec VPN

From Libreswan
Revision as of 20:50, 6 April 2017 by Paul Wouters (talk | contribs) (Created page with " When SElinux is enabled with a '''targeted policy''', network labels can be configured on the VPN tunnel to restrict the security context that is allowed to pass via the VPN...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

When SElinux is enabled with a targeted policy, network labels can be configured on the VPN tunnel to restrict the security context that is allowed to pass via the VPN tunnel.

This basically looks like:

# /etc/ipsec.conf

config setup
    protostack=netkey
    # Use the private use number 32001. Older openswan versions use the squatted value of 10.
    secctx-attr-type=32001

conn ipsec_selinux_tunnel
    leftid=@west
    left=1.2.3.4
    leftrsasigkey=0sAQ[...]
    rightid=@east
    right=5.6.7.8
    rightrsasigkey=0sAQ[...]
    authby=rsasig
    auto=start
    # Enable Labelled IPsec
    labeled_ipsec=yes
    # the policy you want to allow across the VPN
    policy_label=system_u:object_r:ipsec_spd_t:s0

Note that some seliux-policy versions are missing one policy and you might need to add the following selinux module:

module local 1.0;

require {
	type unconfined_t;
	type ipsec_spd_t;
	type ipsec_t;
	class association setcontext;
}

#============= ipsec_t ==============
allow ipsec_t ipsec_spd_t:association setcontext;

# Required if you run as a basic user. 
allow ipsec_t unconfined_t:association setcontext;