On Wednesday 13 February 2008 8:45:50 pm Clarkson, Mike R (US SSA) wrote:
> Paul,
>
> Thanks for your help. I've got labeled IPSec working on the loopback
> interface. I've still got some policy work to do to get everything
> working like I want, but the labeled IPSec portion appears to be
> working.
>
> The key was enabling XFRM as you mentioned below and updating my setkey
> commands as follows:
>
> spdflush;
> flush;
> spdadd 127.0.0.1 127.0.0.1 any
>     -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s4:c0.c255"
>     -P in ipsec esp/transport//require;
> spdadd 127.0.0.1 127.0.0.1 any
>     -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s4:c0.c255"
>     -P out ipsec esp/transport//require;
>
> The key differences are using 127.0.0.1 for both the src and dest
> addresses, and using "any" for the upperspec.

Glad to hear you got everything working.

I forgot to mention this earlier, but in case you haven't seen it already
Joshua Brindle wrote up a nice article on labeled IPsec which might help
you with some of the policy pieces.

 * http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux

Good luck and let us know if you run into any problems.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
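The setup the thread arrives at, as an added example that is not part of either message: a small shell script that checks a kernel .config for the XFRM/LSM options "enabling XFRM" is assumed to mean (the CONFIG_* names are my assumption, not stated in the thread), validates the SELinux context string, and emits the setkey SPD rules with -ctx 1 1. It generalizes the loopback case to any host pair, so the inbound rule swaps src and dst; for 127.0.0.1 both rules coincide with the quoted ones.

```shell
#!/bin/sh
# Added example, not code from the thread. Option names below are my
# assumption of what "enabling XFRM" covers; setkey syntax follows the
# quoted message (-ctx doi alg ctx: doi 1 / alg 1 mean SELinux).

# check_xfrm_config <kernel-config-file>
# Returns 0 when every listed option is built in, else reports what is missing.
check_xfrm_config() {
    cfg=$1
    missing=0
    for opt in CONFIG_XFRM CONFIG_XFRM_USER CONFIG_INET_ESP \
               CONFIG_SECURITY_NETWORK_XFRM CONFIG_SECURITY_SELINUX; do
        if ! grep -q "^${opt}=y\$" "$cfg"; then
            echo "missing: $opt" >&2
            missing=1
        fi
    done
    return $missing
}

# valid_ctx <selinux-context>
# Accepts user:role:type:range; range is a level or low-high, each level
# optionally carrying a single category or category range (simplified).
valid_ctx() {
    printf '%s\n' "$1" | grep -Eq \
        '^[a-z_]+:[a-z_]+:[a-z_]+:s[0-9]+(:c[0-9]+(\.c[0-9]+)?)?(-s[0-9]+(:c[0-9]+(\.c[0-9]+)?)?)?$'
}

# spd_rules <local-addr> <peer-addr> <selinux-context>
# Emits a setkey script: flush SAD and SPD, then require labeled ESP in
# transport mode for all upper-layer protocols ("any") in both directions.
# Outbound is local->peer, inbound is peer->local; on loopback they match.
spd_rules() {
    src=$1 dst=$2 ctx=$3
    valid_ctx "$ctx" || { echo "bad context: $ctx" >&2; return 1; }
    cat <<EOF
spdflush;
flush;
spdadd $dst $src any -ctx 1 1 "$ctx" -P in ipsec esp/transport//require;
spdadd $src $dst any -ctx 1 1 "$ctx" -P out ipsec esp/transport//require;
EOF
}

# Usage (loopback, as in the thread):
#   check_xfrm_config /boot/config-$(uname -r) && \
#   spd_rules 127.0.0.1 127.0.0.1 "system_u:object_r:ipsec_spd_t:s0-s4:c0.c255" | setkey -c
```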