[redhat-lspp] Re: Any updates on the labeled IPSec over loopback?

Joy Latten latten at austin.ibm.com
Tue Dec 12 01:16:39 UTC 2006


On Mon, 2006-12-11 at 13:40 -0600, Joe Nall wrote:
> Joy,
> Any updates on the labeled IPSec over loopback? Is there anything we  
> can do to support?

Ok, I figured it out. In selinux_xfrm_state_pol_flow_match() we no
longer do a "polmatch" check on the SA and Policy. Instead we do,
	if (fl->secid != state_sid)
		return 0;

Since racoon is not able to negotiate with itself, I have a manual
policy that I use to test loopback. Well, when the "polmatch" check
was replaced with the above, this obsoleted, or made incorrect,
my manual IPsec SA and policy for loopback.

I think the above change is good and correct, but I think we should
document that when using labeled IPsec, we highly recommend
using racoon, since you need to know the flow->secid to label your SAs
correctly when doing it manually.

Loopback may be an issue, since I don't think racoon can negotiate
with itself (at least, I could not get it to).

So, for loopback, when using ping, the SA context that worked for 
me was, "root:sysadm_r:ping_t:s0-s15:c0.c1023"

Regards,
Joy
