Joy Latten wrote:
> On Mon, 2006-12-11 at 13:40 -0600, Joe Nall wrote:
>
>> Joy,
>> Any updates on the labeled IPSec over loopback? Is there anything we
>> can do to support?
>
> Ok, I figured it out. In selinux_xfrm_state_pol_flow_match() we no
> longer do a "polmatch" check on the SA and Policy. Instead we do,
>
>     if (fl->secid != state_sid)
>         return 0;
>
> Since racoon is not able to negotiate with itself, I have a manual
> policy that I use to test loopback. Well, when the "polmatch" check
> was replaced with the above, this obsoleted or made incorrect
> my manual ipsec SA and policy for loopback.
>
> I think the above change is good and correct, but I think we should
> document that when using labeled ipsec, we highly recommend
> using racoon, since you need to know the flow->secid to label your SAs
> correctly when doing it manually.
>
> Loopback may be an issue since I don't think racoon can negotiate
> with itself (at least I could not get it to).
>
> So, for loopback, when using ping, the SA context that worked for
> me was "root:sysadm_r:ping_t:s0-s15:c0.c1023".
Okay, can you provide a simple example of what commands/config I need to be able to ping across loopback? I would find that helpful and suspect others would as well ... or maybe I'm the only "slow" one ;)

Thanks.

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
