[redhat-lspp] Re: Any updates on the labeled IPSec over loopback?

Venkat Yekkirala vyekkirala at trustedcs.com
Tue Dec 12 15:41:32 UTC 2006


> I think the above change is good and correct, but I think we should 
> document that when using labeled ipsec, we highly recommend
> using racoon since you need to know the flow->secid to label your SAs
> correctly when doing it manually. 

Well, one *should* know the context a process would be running
at anyway for SELinux policy writing purposes. Only, here one would
have to know the exact context including the user, role and mls portions
to use manually defined SAs. racoon would obviously be convenient.

> 
> Loopback may be an issue since I don't think racoon can negotiate
> with itself. (at least I could not get it to.)

I haven't done the test myself but I believe you are correct. And for
this reason as well as the impracticality of setting up potentially
thousands of manual SAs (particularly in the MLS world where one
could be dealing with hundreds/thousands of compartments) I do not
believe labeled IPSec over loopback makes sense for the real world.
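For readers who have not set up manual SAs, this is the kind of configuration the quoted paragraph refers to: a setkey script (ipsec-tools) where each SA and SPD entry carries an explicit SELinux context via `-ctx`, so the administrator must know in advance the exact label (user, role, type and MLS portion) of every flow. It is an added illustration, not something posted in this thread; the addresses (RFC 5737 documentation range), SPIs, keys and context strings are constructed, and real labels depend on the site's policy.

```conf
# Constructed example: manually keyed, labeled transport-mode ESP between
# 192.0.2.1 and 192.0.2.2. One SA pair plus SPD entries is needed for every
# distinct label a flow may carry; two MLS levels (s0 and s1) are shown, which
# is why hundreds of compartments turn into hundreds of SA pairs.
#
# -ctx <doi> <algorithm> <context>: doi 1, algorithm 1 selects the SELinux LSM.

flush;
spdflush;

## ---- flows labeled at s0 -------------------------------------------------
add 192.0.2.1 192.0.2.2 esp 0x1001
    -ctx 1 1 "system_u:system_r:unconfined_t:s0"
    -E aes-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha256 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;

add 192.0.2.2 192.0.2.1 esp 0x2001
    -ctx 1 1 "system_u:system_r:unconfined_t:s0"
    -E aes-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha256 0x1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100;

spdadd 192.0.2.1 192.0.2.2 any
    -ctx 1 1 "system_u:system_r:unconfined_t:s0"
    -P out ipsec esp/transport//require;

spdadd 192.0.2.2 192.0.2.1 any
    -ctx 1 1 "system_u:system_r:unconfined_t:s0"
    -P in ipsec esp/transport//require;

## ---- flows labeled at s1 (separate SAs, separate keys) --------------------
add 192.0.2.1 192.0.2.2 esp 0x1002
    -ctx 1 1 "system_u:system_r:unconfined_t:s1"
    -E aes-cbc 0x0f1e2d3c4b5a69788796a5b4c3d2e1f0
    -A hmac-sha256 0x202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f;

add 192.0.2.2 192.0.2.1 esp 0x2002
    -ctx 1 1 "system_u:system_r:unconfined_t:s1"
    -E aes-cbc 0xf0e1d2c3b4a5968778695a4b3c2d1e0f
    -A hmac-sha256 0x3f3e3d3c3b3a393837363534333231302f2e2d2c2b2a29282726252423222120;

spdadd 192.0.2.1 192.0.2.2 any
    -ctx 1 1 "system_u:system_r:unconfined_t:s1"
    -P out ipsec esp/transport//require;

spdadd 192.0.2.2 192.0.2.1 any
    -ctx 1 1 "system_u:system_r:unconfined_t:s1"
    -P in ipsec esp/transport//require;
```

A packet whose flow label matches none of the configured contexts finds no usable SA and is dropped by the `require` policy, which is the failure an administrator sees when a label was guessed wrong. With racoon negotiating, the label is taken from the flow at acquire time and the SA is created on demand, so none of these per-label entries have to be written by hand.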