On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote: > I am working to get the labelled IPSec working, following Josh > Brindle's blog post > (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux). > I just want to get the client and server running on loopback, using a > fully patched Fedora 10 machine. > > I have the following keyfile that I pass into setkey: > ---------- > spdflush; > > flush; > > spdadd 127.0.0.1 127.0.0.1 any > -ctx 1 1 "system_u:object_r:default_t:s0" > -P in ipsec esp/transport//require; > > spdadd 127.0.0.1 127.0.0.1 any > -ctx 1 1 "system_u:object_r:default_t:s0" > -P out ipsec esp/transport//require; > ---------- > > I enter the following commands: > > --- Terminal 1 --- > setenforce 0 > setkey -f <keyfile> > ./server > > --- Terminal 2 --- > # ./client 127.0.0.1 > getpeercon: Protocol not available > Received: Hello, (null) from (null) > > --- Terminal 1 --- > getsockopt: Protocol not available > server: got connection from 127.0.0.1, (null) > > Not sure what I am missing. I have installed ipsec-tools and started > /etc/init.d/racoon. > > Any help would be appreciated. > > --Mark > > > On Fri, Apr 24, 2009 at 5:44 PM, Joy Latten <latten@xxxxxxxxxxxxxx> wrote: > > Hi Mark, > > > > If interested, there are ietf drafts for labeled ipsec, > > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev1-security-context-00.txt > > and > > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev2-security-context-00.txt. > > > > Also, I'd be happy to help by answering any questions. > > > > regards, > > Joy Latten > > > > On Wed, 2009-04-22 at 23:01 -0400, Mark Webb wrote: > >> I am looking at the IPSec-based labeled networking. > >> > >> BTW. I will be at the Tresys Advanced Policy course next week. Is > >> any of this covered there? > >> > >> Thanks, > >> > >> On Wed, Apr 22, 2009 at 6:21 PM, Chad Sellers <csellers@xxxxxxxxxx> wrote: > >> > Josh's article talks about IPSec labeled networking (as well as using > >> > SECMARK which provides firewall-level networking controls), as opposed to > >> > Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9 > >> > and everything was there, so I'd imagine it's still there in F10. Just make > >> > sure you install ipsec-tools. > >> > > >> > Chad Sellers > >> > > >> > > >> > On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@xxxxxxxxx> wrote: > >> > > >> >> I am interested in experimenting with the labeled networking that SE > >> >> Linux offers. I am reading through Josh Brindle's blog > >> >> > >> >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ > >> >> > >> >> My question is, how do I know if my kernel is capable of supporting > >> >> this? I am currently running Fedora 10 with all the latest updates > >> >> but not sure how to check. > >> >> > >> >> Also if I compile a kernel from source, is there anything that needs > >> >> to be done in the configuring of the kernel build to enable the > >> >> labeled networking? > >> >> > >> >> Thanks, > >> >> Mark > >> >> > >> >> -- > >> >> This message was distributed to subscribers of the selinux mailing list. > >> >> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with > >> >> the words "unsubscribe selinux" without quotes as the message. > >> > > >> > > >> > >> > >> -- > >> This message was distributed to subscribers of the selinux mailing list. > >> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with > >> the words "unsubscribe selinux" without quotes as the message. > > > > > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with > the words "unsubscribe selinux" without quotes as the message. ipsec is tricky(especially with the keys in ipsec.conf) For me I usually would create(as a test) a machine as the server running a shoutcast stream then the client connecting, using etherape as the eyes to see whats happening. In you're case I'm not sure about using one machine as a loop(better than trying to run AH through NAT) Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
