[redhat-lspp] using ah and esp protocols in ipsec
Paul Moore
paul.moore at hp.com
Tue Oct 17 12:46:30 UTC 2006
On Monday 16 October 2006 7:56 pm, Klaus Weidner wrote:
> On Mon, Oct 16, 2006 at 05:20:46PM -0500, Joy Latten wrote:
> > When ipsec policy is specified as:
> >
> > spdadd 9.3.189.57 9.3.192.210 any
> > -ctx 1 1 "system_u:object_r:passwd_t:s3"
> > -P out ipsec
> > esp/transport//require ah/transport//require;
> >
> > Since I specified both esp and ah protocols,
> > racoon created 4 SAs, 2 for esp and 2 for AH.
> > All four SAs created had the following security context:
> > security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
> > (A ping resulted in the SAs being created.)
>
> Can you try establishing the SA by using a TCP connection instead of
> ping, for example from a "s2" or "s3" process in this case? Does that
> make any difference?
Another, sorta related, concern: is the wrong SA still being used for
getpeercon()? If so, that should probably be a bugzilla too.
--
paul moore
linux security @ hp