[redhat-lspp] Re: Any updates on the labeled IPSec over loopback?
Joy Latten
latten at austin.ibm.com
Tue Dec 12 15:18:37 UTC 2006
On Tue, 2006-12-12 at 10:07 -0500, Paul Moore wrote:
> Joy Latten wrote:
> > On Mon, 2006-12-11 at 13:40 -0600, Joe Nall wrote:
> >
> >>Joy,
> >>Any updates on the labeled IPSec over loopback? Is there anything we
> >>can do to support?
> >
> >
> > Ok, I figured it out. In selinux_xfrm_state_pol_flow_match() we no
> > longer do a "polmatch" check on the SA and Policy. Instead we do,
> > if (fl->secid != state_sid)
> > return 0;
> >
> > Since racoon is not able to negotiate with itself, I have a manual
> > policy that I use to test loopback. Well, when the "polmatch" check
> > was replaced with the above, this obsoleted or made incorrect,
> > my manual ipsec SA and policy for loopback.
> >
> > I think the above change is good and correct, but I think we should
> > document that when using labeled ipsec, we highly recommend
> > using racoon since you need to know the flow->secid to label your SAs
> > correctly when doing it manual.
> >
> > Loopback may be an issue since I don't think racoon can negotiate
> > with itself. (at least I could not get it to.)
> >
> > So, for loopback, when using ping, the SA context that worked for
> > me was, "root:sysadm_r:ping_t:s0-s15:c0.c1023"
>
> Okay, can you provide a simple example of what commands/config I need to be able
> to ping across loopback? I would find that helpful and suspect others would as
> well ... or maybe I'm the only "slow" one ;)
Sorry, I thought I had sent it and realized I had only sent it to Joe.
Here is what I did to get ping to work over loopback with labeled ipsec.
NOTE: I hope to send the labeled ipsec policy changes soon. I keep
getting distracted but want to get it out asap.
I configure ipsec in sysadm_r role.
In the file setkey.loopback, I have the following:

add 127.0.0.1 127.0.0.1 esp 35590
    -m transport -ctx 1 1 "root:sysadm_r:ping_t:s0-s15:c0.c1023"
    -E 3des-cbc "06183223c23a21e8b36c566b";

spdadd 127.0.0.1 127.0.0.1 any -ctx 1 1
    "system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
    -P out ipsec esp/transport//require;

spdadd 127.0.0.1 127.0.0.1 any
    -ctx 1 1 "system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
    -P in ipsec esp/transport//require;
1. Add the SA and policy to the kernel IPsec databases manually with setkey:
   setkey -f setkey.loopback
2. Verify the databases are set up:
   setkey -D  (to view the SA database)
   setkey -DP (to view the SPD)
3. Enable loopback to use IPsec policy and xfrms:
   echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
   echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
4. ping 127.0.0.1
Hopefully all should work. If not, let me know. You can do a "tcpdump -i
lo" to verify ESP packets are going across the loopback interface.
Note: I use "screen" to enable several consoles so I can ping and do a
tcpdump.
Regards,
Joy
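The procedure above, collected into one script, as an added example that is not part of the original message or of ipsec-tools. It assumes a setkey(8) that accepts -ctx (ipsec-tools built with SELinux support), a kernel with labeled IPsec, and root for the apply and verify steps. The SA context and SPD context are the ones from the message; the SPI, the 3DES key (a constructed 192-bit test value, which is what setkey requires for 3des-cbc; the original uses the quoted-string form, where the 24 ASCII bytes are the key) and the function names are assumptions. The generator also rejects a -ctx value that is not a full user:role:type:range SELinux context, since the SA label must match the flow's secid for selinux_xfrm_state_pol_flow_match() to accept it.

```shell
#!/bin/sh
# Added example, not code from the original message. Builds the setkey
# configuration for labeled IPsec over loopback, loads it, enables xfrm
# on lo, and checks with tcpdump that ESP frames actually appear.
# Defining functions only; nothing is applied unless LABELED_IPSEC_APPLY=1.

SPI=35590                                                  # assumed, as in the message
SA_CTX="root:sysadm_r:ping_t:s0-s15:c0.c1023"              # must match the ping flow's secid
SPD_CTX="system_u:object_r:unlabeled_t:s0-s15:c0.c1023"    # policy label from the message
TEST_KEY="0123456789abcdef0123456789abcdef0123456789abcdef" # constructed: 48 hex digits = 192 bits

# A -ctx value must be a full SELinux context, user:role:type:range (4+ fields).
# Returns 0 if it looks like one, 1 otherwise.
valid_ctx() {
    printf '%s\n' "$1" |
        awk -F: 'NF >= 4 && $1 != "" && $2 != "" && $3 != "" && $4 != "" { ok = 1 } END { exit !ok }'
}

# Emit a setkey(8) config: one transport-mode ESP SA for 127.0.0.1 -> 127.0.0.1
# plus matching in/out SPD entries, all labeled. Arguments: spi sa_ctx spd_ctx hexkey.
gen_setkey_conf() {
    spi=$1; sa_ctx=$2; spd_ctx=$3; key=$4
    valid_ctx "$sa_ctx"  || { echo "bad SA context: $sa_ctx" >&2; return 1; }
    valid_ctx "$spd_ctx" || { echo "bad SPD context: $spd_ctx" >&2; return 1; }
    [ ${#key} -eq 48 ]   || { echo "3des-cbc needs a 192-bit (48 hex digit) key" >&2; return 1; }
    cat <<EOF
add 127.0.0.1 127.0.0.1 esp $spi -m transport
    -ctx 1 1 "$sa_ctx"
    -E 3des-cbc 0x$key;
spdadd 127.0.0.1 127.0.0.1 any
    -ctx 1 1 "$spd_ctx"
    -P out ipsec esp/transport//require;
spdadd 127.0.0.1 127.0.0.1 any
    -ctx 1 1 "$spd_ctx"
    -P in ipsec esp/transport//require;
EOF
}

# Load the SA/SPD and turn on policy and xfrm processing for lo (both are
# disabled on loopback by default). Needs root.
apply_loopback_ipsec() {
    conf=$(mktemp) || return 1
    gen_setkey_conf "$SPI" "$SA_CTX" "$SPD_CTX" "$TEST_KEY" > "$conf" || return 1
    setkey -f "$conf"; rc=$?
    rm -f "$conf"
    [ $rc -eq 0 ] || return 1
    echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
    echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
    setkey -D && setkey -DP    # show what the kernel actually accepted
}

# Ping while capturing on lo; returns 0 only if tcpdump saw ESP frames,
# which is the check the message suggests doing by hand in a second console.
verify_esp_on_lo() {
    cap=$(mktemp) || return 1
    tcpdump -i lo -n -c 4 esp > "$cap" 2>/dev/null &
    pid=$!
    sleep 1
    ping -c 3 127.0.0.1 > /dev/null
    wait "$pid"
    grep -q 'ESP(spi=' "$cap"; rc=$?
    rm -f "$cap"
    return $rc
}

if [ "${LABELED_IPSEC_APPLY:-0}" = 1 ]; then
    apply_loopback_ipsec && verify_esp_on_lo && echo "ESP seen on lo"
fi
```

Run it as root with LABELED_IPSEC_APPLY=1 from a sysadm_r shell, as the message does; the generator deliberately does not emit flush/spdflush so it will not wipe SAs belonging to other tunnels on the host. If ping works but tcpdump shows plain ICMP rather than ESP, the lo sysctls are the first thing to re-check.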