RE: CORBA and network labeling capabilities

> 
> Hi Mike,
> 
> If you can live with only MLS label information you can use
> NetLabel/CIPSO to convey security attributes over the network, including
> localhost/loopback.  The problem is that the standard CIPSO protocol
> doesn't have a way to convey the SELinux type enforcement information,
> so only the effective MLS sensitivity label can be transferred over the
> network.  Labeled IPsec does work over localhost/loopback but as you can
> imagine it is not an elegant solution.  Which method you choose largely
> depends on your requirements, typically the need for full TE information
> and performance.
> 

Hi Paul,

Thanks for your response. I do need the full TE information, so I tried
to set up labeled IPsec over localhost/loopback. Have you done this
before? I'm an IPsec novice. I'm trying to set up IPsec in transport
mode, using racoon to set up the SAs, but I don't seem to be getting
any SAs. I'm not sure why. Here is my racoon.conf file and the file I
load with "setkey -f":

racoon.conf:
path pre_shared_key "/root/ipsec/psk.txt";
remote anonymous {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
sainfo address 25.25.25.25 any address 127.0.0.1 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
sainfo address 127.0.0.1 any address 25.25.25.25 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

Setkey commands:
spdflush;
flush;
spdadd 127.0.0.1 25.25.25.25 ip4
-ctx 1 1 "system_u:object_r:default_t:s0"
-P in ipsec esp/transport//require;
spdadd 25.25.25.25 127.0.0.1 ip4
-ctx 1 1 "system_u:object_r:default_t:s0"
-P out ipsec esp/transport//require;


Do you see any errors?

Thanks,
  Mike
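
As an added example (not part of the message above and not code from the
ipsec-tools project), here is a small Python checker that parses a setkey
script like the one posted and reports address pairs that have a policy in
only one direction, or whose "in" and "out" policies carry different
security contexts. On loopback the same host both emits and receives every
packet, so each src/dst pair is matched against an "out" policy on send and
an "in" policy on receive; a pair covered in only one direction is sent in
the clear on one side or refused on the other. The sample input is a copy of
the setkey statements above; the function names and the regular expression
are my own and assume the setkey(8) "spdadd src dst proto -ctx doi alg
"context" -P dir ipsec rule;" form.

```python
import re
from collections import defaultdict

# Sample input: a copy of the setkey statements posted in the message above.
SETKEY_SCRIPT = """\
spdflush;
flush;
spdadd 127.0.0.1 25.25.25.25 ip4
-ctx 1 1 "system_u:object_r:default_t:s0"
-P in ipsec esp/transport//require;
spdadd 25.25.25.25 127.0.0.1 ip4
-ctx 1 1 "system_u:object_r:default_t:s0"
-P out ipsec esp/transport//require;
"""

# Assumed statement shape (setkey(8)): spdadd SRC DST PROTO [-ctx DOI ALG "CTX"] -P DIR POLICY [RULE]
SPDADD_RE = re.compile(
    r'^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)'
    r'(?:\s+-ctx\s+(?P<doi>\d+)\s+(?P<alg>\d+)\s+"(?P<ctx>[^"]*)")?'
    r'\s+-P\s+(?P<dir>in|out|fwd)\s+(?P<policy>\S+)'
    r'(?:\s+(?P<rule>\S+))?$'
)


def parse_spdadd(script):
    """Split a setkey script into ';'-terminated statements and parse the spdadd ones.

    Continuation lines (as in the posted script) are joined back into one statement.
    """
    entries = []
    for stmt in script.split(";"):
        stmt = " ".join(stmt.split())  # join wrapped lines, squeeze whitespace
        if not stmt.startswith("spdadd"):
            continue  # spdflush/flush/add etc. are not policy entries
        m = SPDADD_RE.match(stmt)
        if not m:
            raise ValueError("unparsed spdadd statement: " + stmt)
        entries.append(m.groupdict())
    return entries


def check_policy_pairs(entries):
    """Return human-readable findings for flows that are protected inconsistently.

    Every (src, dst) pair should have an 'out' policy (applied when the packet is
    emitted) and an 'in' policy (applied when it is received), with the same
    security context on both, otherwise one side sends clear text or the other
    side refuses the packet.
    """
    by_flow = defaultdict(dict)
    for e in entries:
        by_flow[(e["src"], e["dst"])][e["dir"]] = e

    findings = []
    for (src, dst), dirs in sorted(by_flow.items()):
        if "out" not in dirs:
            findings.append(f"{src} -> {dst}: no 'out' policy, packets are emitted unprotected")
        if "in" not in dirs:
            findings.append(f"{src} -> {dst}: no 'in' policy, received packets are not required to be ESP")
        ctxs = {e["ctx"] for e in dirs.values()}
        if len(ctxs) > 1:
            findings.append(f"{src} -> {dst}: in/out policies carry different contexts {sorted(ctxs)}")
    return findings


def symmetric_policies(a, b, ctx, doi=1, alg=1):
    """Generate the four spdadd statements that cover both directions of a loopback flow.

    The -ctx operands follow the setkey(8) labeled-IPsec form used in the posted script.
    """
    lines = []
    for src, dst in ((a, b), (b, a)):
        for direction in ("out", "in"):
            lines.append(f'spdadd {src} {dst} ip4 -ctx {doi} {alg} "{ctx}" '
                         f'-P {direction} ipsec esp/transport//require;')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in check_policy_pairs(parse_spdadd(SETKEY_SCRIPT)):
        print(finding)
    print(symmetric_policies("127.0.0.1", "25.25.25.25", "system_u:object_r:default_t:s0"))
```

Run against the posted script the checker reports that 127.0.0.1 -> 25.25.25.25
has only an "in" policy and 25.25.25.25 -> 127.0.0.1 has only an "out" policy;
running it on the output of symmetric_policies() reports nothing. The checker
only inspects the SPD script, it does not talk to the kernel, so it complements
rather than replaces "setkey -DP" and "setkey -D" on the live system.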



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
