[redhat-lspp] Re: Any updates on the labeled IPSec over loopback?

Joy Latten latten at austin.ibm.com
Tue Dec 12 15:18:37 UTC 2006


On Tue, 2006-12-12 at 10:07 -0500, Paul Moore wrote:
> Joy Latten wrote:
> > On Mon, 2006-12-11 at 13:40 -0600, Joe Nall wrote:
> > 
> >>Joy,
> >>Any updates on the labeled IPSec over loopback? Is there anything we  
> >>can do to support?
> > 
> > 
> > Ok, I figured it out. In selinux_xfrm_state_pol_flow_match() we no
> > longer do a "polmatch" check on the SA and Policy. Instead we do,
> > 	if (fl->secid != state_sid)
> > 		return 0;
> > 
> > Since racoon is not able to negotiate with itself, I have a manual
> > policy that I use to test loopback. Well, when the "polmatch" check 
> > was replaced with the above, this obsoleted, or made incorrect,
> > my manual ipsec SA and policy for loopback. 
> > 
> > I think the above change is good and correct, but I think we should 
> > document that when using labeled ipsec, we highly recommend
> > using racoon since you need to know the flow->secid to label your SAs
> > correctly when doing it manually. 
> > 
> > Loopback may be an issue since I don't think racoon can negotiate
> > with itself. (at least I could not get it to.)
> > 
> > So, for loopback, when using ping, the SA context that worked for 
> > me was, "root:sysadm_r:ping_t:s0-s15:c0.c1023"
> 
> Okay, can you provide a simple example of what commands/config I need to be able
> to ping across loopback?  I would find that helpful and suspect others would as
> well ... or maybe I'm the only "slow" one ;)

Sorry, I thought I had sent it and realized I had only sent it to Joe.
Here is what I did to get ping to work over loopback with labeled ipsec.

NOTE: I hope to send the labeled ipsec policy changes soon. I keep
getting distracted but want to get it out asap.


I configure ipsec in the sysadm_r role. 

In the file setkey.loopback, I have the following:

add 127.0.0.1 127.0.0.1 esp 35590
-m transport -ctx 1 1 "root:sysadm_r:ping_t:s0-s15:c0.c1023"
-E 3des-cbc "06183223c23a21e8b36c566b"; 

spdadd 127.0.0.1 127.0.0.1 any -ctx 1 1
"system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
-P out ipsec esp/transport//require;

spdadd 127.0.0.1 127.0.0.1 any
-ctx 1 1 "system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
-P in ipsec esp/transport//require;


1. Add the SA and policy to the kernel ipsec databases, manually, with setkey.
	setkey -f setkey.loopback

2. Verify the databases are set up.
	setkey -D  (to view the SA database)
	setkey -DP (to view the SPD)

3. Enable loopback to use ipsec policy and xfrms.
	echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
	echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy

4. ping 127.0.0.1

Hopefully all should work. If not, let me know. You can do a "tcpdump -i
lo" to verify that ESP packets are going across the loopback interface. 

Note: I use "screen" to enable several consoles so I can ping and do a
tcpdump.

Regards,
Joy
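As an added worked example, not part of Joy's mail and not ipsec-tools' own code, here is a POSIX shell script that generates the setkey.loopback file above from parameters and checks the two things that bite when the SA is hand-built instead of negotiated by racoon: the 3des-cbc key length (setkey reads a double-quoted key as raw bytes and a 0x-prefixed key as hex, so the 24-character quoted string in the mail is a valid 192-bit key, while the same digits after 0x would be only 96 bits) and that the SA context's type is the sending process's type, since the kernel now compares fl->secid with the SA's SID rather than matching SA against policy. The function names, the /tmp path and the apply step are assumptions; the apply step needs root, a labeled-IPsec kernel and the sysadm_r role, and only runs when the script is invoked with the argument "apply".

```shell
#!/bin/sh
# Added example: build and sanity-check a manual labeled-IPsec loopback
# configuration for setkey(8). Not Joy's file and not from ipsec-tools.
# Assumes: setkey from ipsec-tools, a labeled-IPsec kernel, and that the
# SA context must carry the sender's SELinux context (the flow secid),
# as described in the thread. SA_CTX, SPI and KEY are example values.

# Byte length of a setkey -E key for 3des-cbc, which needs 24 bytes.
# A double-quoted key is raw bytes; a 0x key is hex (two digits per byte).
# Prints the byte count; returns 0 when it is exactly 24, 1 otherwise.
des3_key_bytes() {
    key="$1"
    case "$key" in
        0x*) hex="${key#0x}"; n=$(( ${#hex} / 2 )) ;;
        *)   n=${#key} ;;
    esac
    echo "$n"
    [ "$n" -eq 24 ]
}

# Emit the setkey.loopback contents for a given SA context, SPI and key.
# Both SPD entries keep the unlabeled_t context of the original config;
# only the SA carries the process (flow) context.
gen_setkey_loopback() {
    sa_ctx="$1"; spi="$2"; key="$3"
    cat <<EOF
add 127.0.0.1 127.0.0.1 esp $spi
-m transport -ctx 1 1 "$sa_ctx"
-E 3des-cbc "$key";

spdadd 127.0.0.1 127.0.0.1 any -ctx 1 1
"system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
-P out ipsec esp/transport//require;

spdadd 127.0.0.1 127.0.0.1 any -ctx 1 1
"system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
-P in ipsec esp/transport//require;
EOF
}

# Type field (third colon-separated field) of a user:role:type:range context.
ctx_type() { echo "$1" | cut -d: -f3; }

# 0 when the SA context's type equals the sending process's type, 1 otherwise.
# A mismatch is exactly the case Joy hit: the SA labeled with the policy's
# context no longer matches the flow's secid once polmatch was dropped.
sa_matches_flow() { [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ]; }

# Load the config, show both databases, enable xfrm/policy on lo, and ping.
# Needs root (and sysadm_r under the LSPP policy).
apply_loopback() {
    conf="$1"
    setkey -f "$conf"
    setkey -D
    setkey -DP
    echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
    echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
    ping -c 3 127.0.0.1
}

if [ "${1:-}" = "apply" ]; then
    SA_CTX="root:sysadm_r:ping_t:s0-s15:c0.c1023"   # sender's context (example)
    PROC_CTX="root:sysadm_r:ping_t:s0-s15:c0.c1023" # what ping will run as (example)
    KEY="06183223c23a21e8b36c566b"                 # 24 raw bytes, as in the mail
    des3_key_bytes "$KEY" >/dev/null || { echo "bad 3des key length" >&2; exit 1; }
    sa_matches_flow "$SA_CTX" "$PROC_CTX" || { echo "SA ctx != flow ctx" >&2; exit 1; }
    gen_setkey_loopback "$SA_CTX" 35590 "$KEY" > /tmp/setkey.loopback
    apply_loopback /tmp/setkey.loopback
fi
```

Run it as "sh labeled-lo.sh apply" in one screen window and "tcpdump -i lo" in another; without the argument the script only defines the functions, so it can be sourced and the checks used on their own.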
