> On Mon, 2006-09-18 at 19:02 -0400, Joy Latten wrote:
>> The following adds Venkat's changes to racoon to understand
>> mls label.
>>
>> I have not yet thoroughly tested this patch. I have played with
>> it a little and have found that racoon won't establish an SA
>> when using ipsec without labels. The function, within_range(),
>> appears to always assume there is a label. I am currently working
>> on fixing this.
>>
>> If you have any problems with this patch, please let me know.
>>
>> Basic steps to use:
>
> This seems to work well. I set up spd entries on 1 side with passwd_t
> and that context was propagated to the other side with the source's MLS
> range.
>
> However, on the initiator side the SAs are also passwd_t, so there is no
> way for the client to verify the context of the server. Also, it seems
> that while the initiator domain's mls range is propagated to the remote
> SA, if I change the mls range (from s0 to s0:c1.c255) it uses the same SA
> (which the receiver will think is coming from an s0 domain). This seems
> counter-intuitive.

I tried this using s0, s0:c0 and s0:c1.c255 in my policy. And no matter
what, my SAs were always created with s0-s15:c0.c255. This is not correct
to me. Let me investigate the code and see what is up.

> I'm trying to set up rules and spd entries to do what we were talking
> about before, multiple spd entries that are polmatched by different
> domains in order to get some functionality of domain context transfer,
> but I'm running into strange things like unconfined_t trying to
> polmatch on unconfined_t even though there are no spd rules with
> unconfined_t. Is this expected?

This is just as confusing as the earlier note with initrc_t trying to
polmatch on initrc_t and using non-labeled ipsec. Something seems
incorrect. I am not sure where this is coming from. I checked the code
and could not find anywhere this should happen. In each access check for
polmatch, the target is the security context in the policy.

What version of the kernel are you running?

Regards,
Joy

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
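The exchange above turns on how an MLS label fits inside an SA's range: an SA created with s0-s15:c0.c255 dominates s0, s0:c0 and s0:c1.c255 alike, so a range check alone cannot tell those domains apart, which is consistent with the same SA being reused after the domain's range changed. The following is an added example, not racoon's within_range() and not part of Venkat's patch; it implements a standalone dominance check over SELinux MLS strings so the comparisons discussed in the thread can be reproduced. The helper names (within_range, parse_range, parse_level, dominates) and the bounds s0..s15 / c0..c1023 are assumptions for this illustration, and the ranges it tests are constructed from the values quoted in the mails.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CATS 1024   /* assumed category space c0..c1023 */
#define MAX_SENS 15     /* assumed sensitivity space s0..s15 */

typedef struct {
    int sens;                       /* sensitivity: s0..s15 */
    uint8_t cats[MAX_CATS / 8];     /* category bitset: bit c set means cN present */
} mls_level;

typedef struct { mls_level low, high; } mls_range;

static void cat_set(mls_level *l, int c) { l->cats[c / 8] |= (uint8_t)(1u << (c % 8)); }

/* "a dominates b": a's sensitivity is at least b's and b's categories are a subset of a's. */
static bool dominates(const mls_level *a, const mls_level *b)
{
    if (a->sens < b->sens) return false;
    for (size_t i = 0; i < sizeof a->cats; i++)
        if (b->cats[i] & ~a->cats[i]) return false;
    return true;
}

/* Parse one level such as "s0", "s0:c1.c255" or "s3:c0,c5.c7". Hypothetical helper. */
static bool parse_level(const char *s, mls_level *out)
{
    char *end;
    memset(out, 0, sizeof *out);
    if (s[0] != 's' || !isdigit((unsigned char)s[1])) return false;
    long sens = strtol(s + 1, &end, 10);
    if (sens < 0 || sens > MAX_SENS) return false;
    out->sens = (int)sens;
    if (*end == '\0') return true;              /* no category part */
    if (*end != ':') return false;
    for (const char *p = end + 1;; p = end + 1) {
        if (p[0] != 'c' || !isdigit((unsigned char)p[1])) return false;
        long lo = strtol(p + 1, &end, 10), hi = lo;
        if (*end == '.') {                      /* cN.cM run of categories */
            if (end[1] != 'c' || !isdigit((unsigned char)end[2])) return false;
            hi = strtol(end + 2, &end, 10);
        }
        if (lo < 0 || hi < lo || hi >= MAX_CATS) return false;
        for (long c = lo; c <= hi; c++) cat_set(out, (int)c);
        if (*end == '\0') return true;
        if (*end != ',') return false;
    }
}

/* Parse "low" or "low-high"; a bare level is the range low == high. Hypothetical helper. */
static bool parse_range(const char *s, mls_range *out)
{
    char buf[256];
    if (strlen(s) >= sizeof buf) return false;
    strcpy(buf, s);
    char *dash = strchr(buf, '-');
    if (dash) *dash = '\0';
    if (!parse_level(buf, &out->low)) return false;
    if (!dash) { out->high = out->low; return true; }
    /* a well-formed range needs its high level to dominate its low level */
    return parse_level(dash + 1, &out->high) && dominates(&out->high, &out->low);
}

/* 1 if ctx (a level or a range) lies inside sa_range, 0 if not, -1 if either string is malformed.
 * ctx is inside iff sa.low <= ctx.low and ctx.high <= sa.high in the dominance order. */
int within_range(const char *sa_range, const char *ctx)
{
    mls_range sa, c;
    if (!parse_range(sa_range, &sa) || !parse_range(ctx, &c)) return -1;
    return (dominates(&c.low, &sa.low) && dominates(&sa.high, &c.high)) ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: the SA range reported in the thread against the domain levels tried. */
    const char *sa = "s0-s15:c0.c255";
    const char *levels[] = { "s0", "s0:c0", "s0:c1.c255", "s2:c1000", "s16" };
    for (size_t i = 0; i < sizeof levels / sizeof *levels; i++)
        printf("within_range(\"%s\", \"%s\") = %d\n", sa, levels[i], within_range(sa, levels[i]));
    /* An SA pinned to a single level rejects a domain that carries extra categories. */
    printf("within_range(\"s0\", \"s0:c1.c255\") = %d\n", within_range("s0", "s0:c1.c255"));
    return 0;
}
```

The point of the last call is the one raised in the thread: only when the SA carries a narrow range (here a single level) does the check distinguish an s0 domain from an s0:c1.c255 one; with the wide s0-s15:c0.c255 range every tried level is accepted, and a receiver that trusts the SA label alone learns nothing about which domain sent the traffic.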
