[redhat-lspp] labeled ipsec status

Eric Paris eparis at redhat.com
Mon Jan 8 20:31:33 UTC 2007


> 3. Toggle to accept or reject unlabeled packets.
> Dan has completed this. He added a boolean, allow_unlabeled_packets,
> to selinux policy. Currently, because of a problem in lspp60
> kernel, boolean does not work. I tested the boolean on
> upstream kernel from kernel.org, 2.6.20-rc3-git4 and the boolean
> worked great and as expected. (See #5 below as to why
> it did not work in lspp60.)

Can Paul make sure this works for NetLabel as well (since 5 shouldn't be
applicable to NetLabel)?

> 
> 4. Labeled ipsec over loopback.
> Because racoon cannot talk to itself, dynamically, labeled SAs cannot
> be generated over loopback.
> I asked on ipsec-tools mailing list about this and it seems the 
> consensus was no one has gotten this to work with ikev1, that is,
> the current racoon.
> At some point Venkat and others had discussion about how to resolve this.

But right now we don't have a solution that is viable?  We can create
these associations by hand, but that's not really something we see as
reasonable and scalable, right?

> 
> 5. Default behaviour to accept unlabeled packets.
> In lspp kernels (I need to check RHEL5 kernels) as soon as a
> single ipsec policy is entered, unlabeled packets are no longer
> accepted. This is contrary to selinux policy. (Thus why 
> Dan's toggle wouldn't work in lspp60.)
> I tested on an upstream kernel from kernel.org, 2.6.0-rc3-git4,
> with very same selinux policy and ipsec config and unlabeled
> packets are still accepted. This is correct behaviour.
> Need to investigate what change has occurred between lspp kernel
> and upstream kernel from kernel.org to cause different behaviours.

I'll hunt this down tomorrow.

> 6. IPv6
> Regular ipsec and labeled ipsec did not work over ipv6 in lspp 59
> kernel. Need to try in lspp60 kernel and latest upstream kernel,
> 2.6.10-rc3-git4.  Will open a bug report.

Please do.

> 7. IPsec audit is complete. 
> There was a bugfix sent to linux-kernel last Monday. 
> Eric or Steve, I don't know if this bugfix has been accepted...
> if I need to open a bug report to make sure you get it, please
> let me know.

Can you send me a link to the upstream submission you are talking about?

-Eric
