/testing/guestbin/swan-prep
east #
 ipsec start
Redirecting to: [initsystem]
east #
 /testing/pluto/bin/wait-until-pluto-started
east #
 echo 1 > /proc/sys/net/core/xfrm_acq_expires
east #
 ipsec auto --add labeled
002 "labeled": added IKEv2 connection
east #
 runcon -t netutils_t ipsec getpeercon_server 4300 &
[x] PID
east #
 echo "initdone"
-> running as unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023
-> creating socket ... ok
-> listening on TCP port 4300 ... ok
-> waiting ... initdone
east #
 ../../pluto/bin/ipsec-look.sh
<- connect(192.1.2.45,system_u:object_r:ipsec_spd_t:s0)
   quit
-> connection closed
east NOW
XFRM state:
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 32 
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	sel src 192.1.2.45/32 dst 192.1.2.23/32 proto tcp dport 4300 
	security context unconfined_u:unconfined_r:netutils_t:s0 
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 32 
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	sel src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 4300 
	security context unconfined_u:unconfined_r:netutils_t:s0 
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 32 
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	sel src 192.1.2.45/32 dst 192.1.2.23/32 proto tcp dport 4300 
	security context system_u:object_r:ipsec_spd_t:s0 
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 32 
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	sel src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 4300 
	security context system_u:object_r:ipsec_spd_t:s0 
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 32 
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	sel src 192.1.2.45/32 dst 192.1.2.23/32 proto tcp dport 4300 
	security context system_u:object_r:ipsec_spd_t:s0 
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 32 
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	sel src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 4300 
	security context system_u:object_r:ipsec_spd_t:s0 
XFRM policy:
src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 4300
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority 1687486 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 4300
	security context unconfined_u:unconfined_r:netutils_t:s0
	dir out priority 1687486 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 192.1.2.45/32 dst 192.1.2.23/32 proto tcp dport 4300
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority 1687486 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 via 192.1.2.45 dev eth1
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.254
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.23
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
east #
 ../bin/check-for-core.sh
east #
 if [ -f /sbin/ausearch ]; then ausearch -ts recent -m AVC | audit2allow ; fi
#============= ipsec_spd_t ==============
allow ipsec_spd_t netif_t:netif ingress;
allow ipsec_spd_t node_t:node recvfrom;
allow ipsec_spd_t self:association polmatch;
#============= netutils_t ==============
allow netutils_t bin_t:file entrypoint;
allow netutils_t ipsec_spd_t:peer recv;
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow netutils_t shell_exec_t:file map;
allow netutils_t shell_exec_t:file execute;
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow netutils_t unreserved_port_t:tcp_socket name_bind;
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow netutils_t usr_t:file map;
allow netutils_t usr_t:file { execute execute_no_trans };
#============= unconfined_service_t ==============
allow unconfined_service_t netutils_t:association setcontext;
east #
 
