> Hi Mike,
>
> If you can live with only MLS label information you can use NetLabel/CIPSO to
> convey security attributes over the network, including localhost/loopback.
> The problem is that the standard CIPSO protocol doesn't have a way to convey
> the SELinux type enforcement information so only the effective MLS
> sensitivity label can be transferred over the network. Labeled IPsec does
> work over localhost/loopback but as you can imagine it is not an elegant
> solution. Which method you choose largely depends on your requirements,
> typically the need for full TE information and performance.

Hi Paul,

Thanks for your response. I do need the full TE information, so I tried to set up labeled IPsec over localhost/loopback. Have you done this before? I'm an IPsec novice. I'm trying to set up IPsec in transport mode, using racoon to set up the SAs, but I don't seem to be getting SAs. I'm not sure why. Here is my racoon.conf file and the file that I "setkey -f":

racoon.conf:

path pre_shared_key "/root/ipsec/psk.txt";

remote anonymous {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 25.25.25.25 any address 127.0.0.1 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

sainfo address 127.0.0.1 any address 25.25.25.25 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

Setkey commands:

spdflush;
flush;
spdadd 127.0.0.1 25.25.25.25 ip4 -ctx 1 1 "system_u:object_r:default_t:s0" -P in ipsec esp/transport//require;
spdadd 25.25.25.25 127.0.0.1 ip4 -ctx 1 1 "system_u:object_r:default_t:s0" -P out ipsec esp/transport//require;

Do you see errors?

Thanks,
Mike

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
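The following is an added example and is not part of either mail in the thread. It is an offline cross-check of the two files Mike posted: it parses the `spdadd` lines of a setkey file and the `sainfo` blocks of a racoon.conf (both embedded below as constructed sample strings copied from the mail) and reports the mismatches that most often leave a labeled-IPsec setup with policies but no SAs. The checks themselves are my choice: every policy must have its mirror in the other direction with src/dst swapped, the `-ctx` label must be a full user:role:type:level SELinux context, the DOI and algorithm must be the SELinux values `1 1` that setkey(8) documents, and every SPD address pair must be covered by a `sainfo` block. It does not talk to the kernel; after loading the policies you still confirm the result with `setkey -DP` (SPD) and `setkey -D` (SAD).

```python
# Added example (not from the selinux mailing-list thread): cross-check a
# setkey SPD file against the sainfo blocks of a racoon.conf.
import re

SPDADD_RE = re.compile(
    r'spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+'      # src dst upper-layer proto
    r'-ctx\s+(\d+)\s+(\d+)\s+"([^"]*)"\s+'     # -ctx doi algorithm "label"
    r'-P\s+(in|out)\s+ipsec\s+([^;\s]+)\s*;'   # -P direction ipsec policy
)
SAINFO_RE = re.compile(
    r'sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+\s*\{'
)
# user:role:type:level; the level may carry a range and categories
LABEL_RE = re.compile(r'^[^:\s]+:[^:\s]+:[^:\s]+:\S+$')
SELINUX_DOI, SELINUX_ALG = 1, 1   # values documented in setkey(8) for SELinux

def parse_spd(text):
    """One dict per spdadd line of a setkey -f style file."""
    return [
        {"src": m[1], "dst": m[2], "proto": m[3], "doi": int(m[4]),
         "alg": int(m[5]), "ctx": m[6], "dir": m[7], "policy": m[8]}
        for m in SPDADD_RE.finditer(text)
    ]

def parse_sainfo_pairs(text):
    """Set of (src, dst) address pairs that have a sainfo block."""
    return {(m[1], m[2]) for m in SAINFO_RE.finditer(text)}

def check(spd_text, racoon_text):
    """Return a list of human-readable problems; an empty list means clean."""
    policies = parse_spd(spd_text)
    pairs = parse_sainfo_pairs(racoon_text)
    have = {(p["src"], p["dst"], p["dir"]) for p in policies}
    problems = []
    for p in policies:
        where = f'{p["src"]} -> {p["dst"]} ({p["dir"]})'
        if (p["doi"], p["alg"]) != (SELINUX_DOI, SELINUX_ALG):
            problems.append(f"{where}: -ctx doi/algorithm should be 1 1 for SELinux")
        if not LABEL_RE.match(p["ctx"]):
            problems.append(f'{where}: "{p["ctx"]}" is not a user:role:type:level label')
        if (p["src"], p["dst"]) not in pairs:
            problems.append(f"{where}: no sainfo block in racoon.conf for this address pair")
        mirror = (p["dst"], p["src"], "out" if p["dir"] == "in" else "in")
        if mirror not in have:
            problems.append(
                f"{where}: no matching {mirror[2]} policy for {mirror[0]} -> {mirror[1]}")
    return problems

# Constructed sample input: the racoon.conf and setkey file from the mail.
RACOON_CONF = """
path pre_shared_key "/root/ipsec/psk.txt";
remote anonymous {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
sainfo address 25.25.25.25 any address 127.0.0.1 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
sainfo address 127.0.0.1 any address 25.25.25.25 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
"""
SPD_OK = """
spdflush;
flush;
spdadd 127.0.0.1 25.25.25.25 ip4 -ctx 1 1 "system_u:object_r:default_t:s0" -P in ipsec esp/transport//require;
spdadd 25.25.25.25 127.0.0.1 ip4 -ctx 1 1 "system_u:object_r:default_t:s0" -P out ipsec esp/transport//require;
"""
# Constructed broken variant: label missing its MLS level, out policy dropped.
SPD_BAD = """
spdflush;
flush;
spdadd 127.0.0.1 25.25.25.25 ip4 -ctx 1 1 "system_u:object_r:default_t" -P in ipsec esp/transport//require;
"""

if __name__ == "__main__":
    for name, spd in (("mail", SPD_OK), ("broken", SPD_BAD)):
        print(f"{name}: {check(spd, RACOON_CONF) or ['no problems found']}")
```

Run against the files from the mail the checker reports nothing, which narrows the hunt to the IKE side (pre-shared key file, `racoon -F -d` output) rather than the SPD syntax; the broken variant shows the two kinds of error it does flag.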