On 4/27/2021 8:08 PM, Paul Wouters wrote:
On Tue, 27 Apr 2021, Wewegama, Kavinda wrote:
When FIPS is enabled, how does it affect Libreswan behavior besides
enforcing certain cryptographic properties/restrictions?
That should be the only difference. If something is rejected because of
FIPS, there will be a clear log message about it.
The reason I ask is because I am noticing child/IPsec SAs getting
unsynchronized between tunnel endpoints if FIPS is enabled and SELinux
Enforcing is turned on. In the past, I didn’t have issues with either
FIPS by itself or with SELinux Enforcing by itself, but the
combination isn’t working well.
That does not sound like a FIPS related problem with libreswan if you
don't see clearly logged reasons for issues? Are there perhaps other FIPS
restrictions that might be affecting the system from other components?
The issue wasn't FIPS related per se but tended to manifest more easily
with FIPS enabled: https://github.com/libreswan/libreswan/issues/441
My hypothesis for why I observed this behavior with FIPS enabled is
because enabling it triggers more chrony traffic which was not
permitted, i.e. pluto's SELinux domain did not have `setcontext`
permission against `chronyc_t`. But I don't have a way to confirm this.
-Kavinda
Paul
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev