/testing/guestbin/swan-prep
east #
 # build install se module
east #
 ../../guestbin/semodule.sh ipsecspd.te
Compiling targeted ipsecspd module
Creating targeted ipsecspd.pp policy package
rm tmp/ipsecspd.mod tmp/ipsecspd.mod.fc
ipsecspd.pp installed
east #
 # get pluto going
east #
 ipsec start
Redirecting to: [initsystem]
east #
 ../../guestbin/wait-until-pluto-started
east #
 echo 1 > /proc/sys/net/core/xfrm_acq_expires
east #
 ipsec auto --add labeled
"labeled": added IKEv2 connection
east #
 ipsec getpeercon_server -d 4300
PATH/sbin/ipsec: unknown IPsec command "getpeercon_server" ("ipsec help" for list)
east #
 echo "initdone"
initdone
east #
 ../../guestbin/ipsec-look.sh
east NOW
XFRM state:
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context system_u:system_r:sshd_t:s0-s0:c0.c1023 
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context system_u:system_r:sshd_t:s0-s0:c0.c1023 
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 
XFRM policy:
src 192.1.2.23/32 dst 192.1.2.45/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
src 192.1.2.45/32 dst 192.1.2.23/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.1.2.45/32 dst 192.1.2.23/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 via 192.1.2.45 dev eth1
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.254
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.23
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
east #
 >>>>>>>>>> post-mortem >>>>>>>>>>../../guestbin/post-mortem.sh
   PPID     PID    PGID     SID TTY        TPGID STAT   UID   TIME COMMAND
      1     550     550     550 ?             -1 Ssl      0   0:00 PATH/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
:
: checking shutting down pluto
:
ipsec whack --shutdown
pidof pluto
PASS: shutting down pluto
:
: checking core files
:
PASS: core files
:
: checking memory leaks
:
PASS: memory leaks
:
: checking reference leaks
:
PASS: reference leaks
:
: checking xfrm errors
:
PASS: xfrm errors
:
: checking state/policy entries
:
PASS: state/policy entries
:
: checking selinux audit records
:
type=AVC msg=audit(1695682886.466:213): avc:  denied  { setcontext } for  pid=550 comm="pluto" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=association permissive=1
FAIL: selinux audit records
saving rules in OUTPUT/post-mortem.east.audit2allow.rules
require {
	type sshd_t;
	type unconfined_service_t;
	class association setcontext;
}
#============= unconfined_service_t ==============
allow unconfined_service_t sshd_t:association setcontext;
:
: unload any selinux modules
:
Unloading ipsecspd
semodule -r ipsecspd
libsemanage.semanage_direct_remove_key: Removing last ipsecspd module (no other ipsecspd module exists at another priority).
east #
 
