On Friday 15 February 2008 3:15:16 pm Clarkson, Mike R (US SSA) wrote: > I'm running the server client example that Joshua Brindle provided in > his article on labeled IPSec. ... > The output of the client and server show that the labels are being > sent over the loopback, but just to convince myself that the labeled > IPSec loopback was indeed being used, I flushed the SPDs and SADs > using "setkey -FP" and "setkey -F". Afterward, I get the following > output, which is expected when labeled IPSec is not being used: > > [mr_clarkson@blade5 test]$ ./brindle_server > getsockopt: Protocol not available > server: got connection from 127.0.0.1, (null) > > [mr_clarkson@blade5 test]$ ./brindle_client 127.0.0.1 > getpeercon: Protocol not available > Received: Hello, (null) from (null) > > I need the missing association rules (shown above) to be able to > apply MLS constraints on the connection between the client and > server. Any suggestions on how to fix this would be greatly > appreciated. The problem is that you removed all of the IPsec labeling rules from the SPD when you ran 'setkey -FP'. This means there is no IPsec processing taking place and hence no labeling. You should be able to flush the SAD as racoon will repopulate it on the fly, but clearing the SPD removes the IPsec configuration from the kernel which is something you probably didn't intend to do. -- paul moore linux security @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
