On Mon, 2006-09-18 at 19:02 -0400, Joy Latten wrote:
> The following adds Venkat's changes to racoon to understand
> MLS labels.
>
> I have not yet thoroughly tested this patch. I have played with
> it a little and have found that racoon won't establish an SA
> when using ipsec without labels. The function within_range()
> appears to always assume there is a label. I am currently working
> on fixing this.
>
> If you have any problems with this patch, please let me know.
>
> Basic steps to use:
This seems to work well. I set up SPD entries on one side with passwd_t, and that context was propagated to the other side with the source's MLS range. However, on the initiator side the SAs are also passwd_t, so there is no way for the client to verify the context of the server.

Also, it seems that while the initiator domain's MLS range is propagated to the remote SA, if I change the MLS range (from s0 to s0:c1.c255) it uses the same SA (which the receiver will think is coming from an s0 domain). This seems counter-intuitive.

I'm trying to set up rules and SPD entries to do what we were talking about before, multiple SPD entries that are polmatched by different domains in order to get some functionality of domain context transfer, but I'm running into strange things like unconfined_t trying to polmatch on unconfined_t even though there are no SPD rules with unconfined_t. Is this expected?

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
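For readers following the thread, an illustrative setkey(8) SPD configuration for the kind of labeled setup the reply describes: two outbound policies between the same pair of hosts, each carrying its own SELinux context so that sockets in different domains match different entries. This is an added example, not part of the original message or of the racoon patch under discussion. The addresses 10.0.0.1/10.0.0.2 and the second domain type `example_t` are constructed; passwd_t is the type named in the reply. The `-ctx` option is setkey's security-context argument (DOI, algorithm, then the context string); the DOI/algorithm values 1 1 are the ones used with SELinux.

```text
# Constructed example: two labeled SPD entries on the initiator (10.0.0.1)
# toward the responder (10.0.0.2). A socket must hold association:polmatch
# on an entry's context for that entry to be selected, so the passwd_t and
# example_t domains are steered to separate policies (and separate SAs).
spdadd 10.0.0.1 10.0.0.2 any -ctx 1 1 "system_u:object_r:passwd_t:s0" -P out ipsec esp/transport//require;

# example_t is a hypothetical second domain, shown with a non-s0 MLS range.
spdadd 10.0.0.1 10.0.0.2 any -ctx 1 1 "system_u:object_r:example_t:s0:c1.c255" -P out ipsec esp/transport//require;
```

Load it with `setkey -f <file>` and confirm what the kernel holds with `setkey -DP`, which prints each policy together with its security context; `setkey -D` shows the established SAs and lets one check whether a range change produced a new SA or reused an existing one, the behaviour the reply above questions.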
