SElinux and Labeled IPsec VPN: Difference between revisions

From Libreswan
(Created page with " When SElinux is enabled with a '''targeted policy''', network labels can be configured on the VPN tunnel to restrict the security context that is allowed to pass via the VPN...")
m No edit summary

Line 22, previous revision:
    auto=start
    # Enable Labelled IPsec
    labeled_ipsec=yes
    # the policy you want to allow across the VPN
    policy_label=system_u:object_r:ipsec_spd_t:s0

Line 22, this revision:
    auto=start
    # Enable Labelled IPsec
    labeled-ipsec=yes
    # the policy you want to allow across the VPN
    policy-label=system_u:object_r:ipsec_spd_t:s0

Revision as of 21:52, 6 April 2017

When SELinux is enabled with a targeted policy, network labels can be configured on the VPN tunnel to restrict which security context is allowed to pass through the tunnel.

A minimal configuration looks like this:

# /etc/ipsec.conf

config setup
    protostack=netkey
    # Use the private use number 32001. Older openswan versions use the squatted value of 10.
    secctx-attr-type=32001

conn ipsec_selinux_tunnel
    leftid=@west
    left=1.2.3.4
    leftrsasigkey=0sAQ[...]
    rightid=@east
    right=5.6.7.8
    rightrsasigkey=0sAQ[...]
    authby=rsasig
    auto=start
    # Enable Labelled IPsec
    labeled-ipsec=yes
    # the policy you want to allow across the VPN
    policy-label=system_u:object_r:ipsec_spd_t:s0
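As an added example (not part of the Libreswan page or its code), the following POSIX shell lint checks an ipsec.conf for the settings above before it is loaded: it rejects the underscore spellings labeled_ipsec and policy_label that this revision replaced with labeled-ipsec and policy-label, requires labeled-ipsec=yes, checks that policy-label is a complete user:role:type:level SELinux context, and warns when secctx-attr-type is 10 or not set. The two sample configurations are constructed for the example; the function name check_labeled_conf and the temporary file paths are the example's own.

```shell
#!/bin/sh
# Added example, not Libreswan code: lint the labeled-IPsec settings of an
# ipsec.conf before loading it. The keyword names are the hyphenated ones
# from the revised page (labeled-ipsec, policy-label); the underscore forms
# are the spelling the 6 April 2017 revision corrected.

# check_labeled_conf FILE: print findings, return 0 if usable, 1 otherwise.
check_labeled_conf() {
    file=$1
    rc=0
    # Drop comments, leading whitespace and blank lines so matches are exact.
    conf=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$file")

    if printf '%s\n' "$conf" | grep -q '^labeled_ipsec='; then
        echo "ERROR: labeled_ipsec is not a keyword; use labeled-ipsec"; rc=1
    fi
    if printf '%s\n' "$conf" | grep -q '^policy_label='; then
        echo "ERROR: policy_label is not a keyword; use policy-label"; rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -qx 'labeled-ipsec=yes'; then
        echo "ERROR: labeled-ipsec=yes missing; no label is enforced on the tunnel"; rc=1
    fi

    label=$(printf '%s\n' "$conf" | sed -n 's/^policy-label=//p' | head -n 1)
    if [ -z "$label" ]; then
        echo "ERROR: policy-label missing; nothing restricts which context may use the tunnel"; rc=1
    elif ! printf '%s\n' "$label" |
         grep -Eq '^[a-z0-9_]+:[a-z0-9_]+:[a-z0-9_]+_t:s[0-9]+(-s[0-9]+)?(:c[0-9]+(\.c[0-9]+)?)?$'; then
        echo "ERROR: policy-label '$label' is not a user:role:type:level SELinux context"; rc=1
    fi

    # Both peers must agree on the attribute number: 32001 is the private-use
    # value the page recommends, 10 the value squatted by older openswan.
    attr=$(printf '%s\n' "$conf" | sed -n 's/^secctx-attr-type=//p' | head -n 1)
    case "$attr" in
        32001) ;;
        10)    echo "WARN: secctx-attr-type=10 is the old openswan value; both peers must match" ;;
        "")    echo "WARN: secctx-attr-type not set explicitly; the example above uses 32001" ;;
        *)     echo "WARN: secctx-attr-type=$attr is neither 32001 nor 10" ;;
    esac
    return "$rc"
}

# Constructed samples written to a temporary directory (removed on exit).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# The revised configuration from the page (keys elided).
cat > "$tmp/good.conf" <<'EOF'
config setup
    protostack=netkey
    secctx-attr-type=32001

conn ipsec_selinux_tunnel
    left=1.2.3.4
    right=5.6.7.8
    authby=rsasig
    auto=start
    # Enable Labelled IPsec
    labeled-ipsec=yes
    policy-label=system_u:object_r:ipsec_spd_t:s0
EOF

# The pre-revision spelling with underscores and the old attribute number.
cat > "$tmp/bad.conf" <<'EOF'
config setup
    protostack=netkey
    secctx-attr-type=10

conn ipsec_selinux_tunnel
    auto=start
    labeled_ipsec=yes
    policy_label=system_u:object_r:ipsec_spd_t:s0
EOF

GOOD_CONF=$tmp/good.conf
BAD_CONF=$tmp/bad.conf

for f in "$GOOD_CONF" "$BAD_CONF"; do
    echo "== $f"
    check_labeled_conf "$f" && echo "OK" || echo "FAILED"
done
```

Run it against a real file with check_labeled_conf /etc/ipsec.conf; a non-zero exit means the tunnel would come up without the intended label restriction, or not at all.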

Note that some selinux-policy versions are missing a needed allow rule, so you might have to add the following SELinux module:

module local 1.0;

require {
	type unconfined_t;
	type ipsec_spd_t;
	type ipsec_t;
	class association setcontext;
}

#============= ipsec_t ==============
allow ipsec_t ipsec_spd_t:association setcontext;

# Required if you run as a basic (unconfined_t) user.
allow ipsec_t unconfined_t:association setcontext;
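A missing rule like the one above shows up at runtime as an AVC denial from pluto in the audit log. As an added example (not Libreswan's code), this POSIX shell script does for that case what audit2allow does: it turns AVC lines (as printed by ausearch -m AVC -c pluto) into the allow rules and require block of a .te module, and then compiles and loads the module with checkmodule, semodule_package and semodule from policycoreutils. The two audit lines are constructed samples in auditd's format; the function names avc_to_allow, avc_to_module and load_module are the example's own, and the load step only runs where checkmodule is installed.

```shell
#!/bin/sh
# Added example, not Libreswan code: derive the allow rules a labeled IPsec
# tunnel needs from AVC denials (a small audit2allow), then build and load
# the resulting .te module with the real policycoreutils tools.

# Constructed sample audit lines in auditd format; real ones come from
#   ausearch -m AVC -c pluto
SAMPLE_AVC_1='type=AVC msg=audit(1491510000.123:456): avc:  denied  { setcontext } for  pid=1234 comm="pluto" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s0 tclass=association permissive=0'
SAMPLE_AVC_2='type=AVC msg=audit(1491510001.456:457): avc:  denied  { setcontext } for  pid=1234 comm="pluto" scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=association permissive=0'

# avc_to_allow LINE: print the allow rule that would permit one denial
# (nothing is printed for lines that are not AVC denials).
avc_to_allow() {
    printf '%s\n' "$1" | sed -n \
      's/.*denied *{ *\([a-z_]*\) *}.*scontext=[^: ]*:[^: ]*:\([a-z_]*\):.*tcontext=[^: ]*:[^: ]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/allow \2 \3:\4 \1;/p'
}

# avc_to_module NAME: read AVC lines on stdin, print a complete .te module
# (module header, require block with every type and class/permission, rules).
avc_to_module() {
    rules=$(while IFS= read -r line; do avc_to_allow "$line"; done | sort -u)
    [ -n "$rules" ] || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "${1:-local}"
    # Every source and target type used by the rules.
    printf '%s\n' "$rules" | awk '{ t = $3; sub(/:.*/, "", t); print $2; print t }' \
        | sort -u | awk '{ print "\ttype " $0 ";" }'
    # Every class with the permissions requested on it.
    printf '%s\n' "$rules" | awk '
        { split($3, a, ":"); p = $4; sub(/;$/, "", p)
          if (!((a[2], p) in seen)) { seen[a[2], p] = 1; n[a[2]]++; perms[a[2]] = perms[a[2]] " " p } }
        END { for (c in perms) { if (n[c] > 1) { print "\tclass " c " {" perms[c] " };" } else { print "\tclass " c perms[c] ";" } } }'
    printf '}\n\n%s\n' "$rules"
}

# load_module NAME: compile NAME.te and load it with the policycoreutils
# tools; skipped when they are not installed (e.g. off-box testing).
load_module() {
    name=$1
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not found; skipping load of $name.te" >&2
        return 0
    fi
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Print the module derived from the two constructed denials; on a real host:
#   ausearch -m AVC -c pluto | avc_to_module local > local.te && load_module local
printf '%s\n%s\n' "$SAMPLE_AVC_1" "$SAMPLE_AVC_2" | avc_to_module local
```

The derived module for the two sample denials is the same two allow rules as the module above; review the generated rules before loading them, since a denial only tells you what pluto tried, not whether it should be allowed.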