BTW, testing is still detecting unexpected audit records, viz.: https://testing.libreswan.org/v4.4-70-g291edd8b58-main/ikev2-labeled-ipsec-03-multi-acquires-enforced/OUTPUT/east.console.diff Any ideas?
On Fri, 30 Apr 2021 at 22:05, Kavinda Wewegama <[email protected]> wrote:
>
> On 4/27/2021 8:08 PM, Paul Wouters wrote:
> > On Tue, 27 Apr 2021, Wewegama, Kavinda wrote:
> >
> >> When FIPS is enabled, how does it affect Libreswan behavior besides
> >> enforcing certain cryptographic properties/restrictions?
> >
> > That should be the only difference. If something is rejected because of
> > FIPS, there will be a clear log message about it.
> >
> >> The reason I ask is because I am noticing child/IPsec SAs getting
> >> unsynchronized between tunnel endpoints if FIPS is enabled and SELinux
> >> Enforcing is turned on. In the past, I didn't have issues with either
> >> FIPS by itself or with SELinux Enforcing by itself, but the
> >> combination isn't working well.
> >
> > That does not sound like a FIPS related problem with libreswan if you
> > don't see clearly logged reasons of issues? Are there perhaps other FIPS
> > restrictions that might be affecting the system from other components?
>
> The issue wasn't FIPS related per se but tended to manifest more easily
> with FIPS enabled: https://github.com/libreswan/libreswan/issues/441
>
> My hypothesis for why I observed this behavior with FIPS enabled is
> because enabling it triggers more chrony traffic which was not
> permitted, i.e. pluto's SELinux domain did not have `setcontext`
> permission against `chronyc_t`. But I don't have a way to confirm this.
>
> -Kavinda
>
> > Paul
_______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
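The hypothesis in the quoted message (pluto's SELinux domain lacking `setcontext` against `chronyc_t`) is the kind of thing the kernel's AVC audit records would confirm or rule out. The script below is an added example, not code from the libreswan project or from anyone in this thread: it parses `type=AVC` audit records and filters for denials raised by pluto's domain, optionally narrowed to a target type, object class and permission. It assumes pluto runs in the `ipsec_t` domain (the refpolicy label; the thread does not name the domain), and the audit lines it works on are constructed to look like kernel AVC records rather than captured from any system. On a real host the same function can be run over the output of `ausearch -m AVC -c pluto`.

```python
"""Filter Linux audit records for SELinux AVC denials that would explain the
symptom discussed above: pluto's domain refused `setcontext` on an IPsec
association whose peer context is chronyc_t.

Added example, not libreswan code. Assumes pluto's domain is ipsec_t.
"""
import re

# Constructed sample audit records (not captured from any real system).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1619800000.101:2201): avc:  denied  { setcontext } for  pid=1234 comm="pluto" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=association permissive=0
type=AVC msg=audit(1619800000.102:2202): avc:  granted  { sendto } for  pid=1234 comm="pluto" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:system_r:ipsec_t:s0 tclass=association
type=USER_ACCT msg=audit(1619800000.103:2203): pid=2000 uid=0 auid=0 ses=1 subj=system_u:system_r:crond_t:s0 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" res=success'
type=AVC msg=audit(1619800000.104:2204): avc:  denied  { setcontext } for  pid=1234 comm="pluto" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=association permissive=0
"""

# Header of an AVC record: timestamp, serial, decision and the permission set.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs that follow "for"; values may be quoted (comm="pluto").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def selinux_type(context):
    """Extract the type (third colon-separated field) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def find_denials(audit_text, source_type, target_type=None, tclass=None, perm=None):
    """Return AVC denials whose source domain is source_type, optionally
    narrowed by target type, object class and a required permission."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        if selinux_type(rec.get("scontext", "")) != source_type:
            continue
        if target_type and selinux_type(rec.get("tcontext", "")) != target_type:
            continue
        if tclass and rec.get("tclass") != tclass:
            continue
        if perm and perm not in rec["perms"]:
            continue
        hits.append(rec)
    return hits


def summarize(rec):
    """One-line summary of a denial for an operator or a bug report."""
    return (f"{rec['serial']}: {rec.get('comm')} ({selinux_type(rec['scontext'])}) "
            f"denied {' '.join(rec['perms'])} on {rec.get('tclass')} with "
            f"{selinux_type(rec['tcontext'])}")


if __name__ == "__main__":
    # Look specifically for the denial the thread hypothesises.
    for rec in find_denials(SAMPLE_AUDIT, "ipsec_t",
                            target_type="chronyc_t",
                            tclass="association", perm="setcontext"):
        print(summarize(rec))
```

A denial of `setcontext` on the `association` class between `ipsec_t` and `chronyc_t` in real audit output would support the hypothesis directly; its absence while the SAs still drift apart would point elsewhere. Note that with `permissive=1` the record is logged but the operation proceeds, so the filter keys on the `denied` decision rather than on the permissive flag.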
