SElinux and Labeled IPsec VPN
Jump to navigation
Jump to search
When SElinux is enabled with a targeted policy, network labels can be configured on the VPN tunnel to restrict the security context that is allowed to pass via the VPN tunnel.
This basically looks like:
# /etc/ipsec.conf config setup protostack=netkey # Use the private use number 32001. Older openswan versions use the squatted value of 10. secctx-attr-type=32001 conn ipsec_selinux_tunnel leftid=@west left=1.2.3.4 leftrsasigkey=0sAQ[...] rightid=@east right=5.6.7.8 rightrsasigkey=0sAQ[...] authby=rsasig auto=start # Enable Labelled IPsec labeled_ipsec=yes # the policy you want to allow across the VPN policy_label=system_u:object_r:ipsec_spd_t:s0
Note that some seliux-policy versions are missing one policy and you might need to add the following selinux module:
module local 1.0; require { type unconfined_t; type ipsec_spd_t; type ipsec_t; class association setcontext; } #============= ipsec_t ============== allow ipsec_t ipsec_spd_t:association setcontext; # Required if you run as a basic user. allow ipsec_t unconfined_t:association setcontext;