On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
> I am working to get the labelled IPSec working, following Josh
> Brindle's blog post
> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
> I just want to get the client and server running on loopback, using a
> fully patched Fedora 10 machine.
>
> I have the following keyfile that I pass into setkey:
> ----------
> spdflush;
>
> flush;
>
> spdadd 127.0.0.1 127.0.0.1 any
> -ctx 1 1 "system_u:object_r:default_t:s0"
> -P in ipsec esp/transport//require;
>
> spdadd 127.0.0.1 127.0.0.1 any
> -ctx 1 1 "system_u:object_r:default_t:s0"
> -P out ipsec esp/transport//require;
> ----------
>
> I enter the following commands:
>
> --- Terminal 1 ---
> setenforce 0
> setkey -f <keyfile>
> ./server
>
> --- Terminal 2 ---
> # ./client 127.0.0.1
> getpeercon: Protocol not available
> Received: Hello, (null) from (null)
>
> --- Terminal 1 ---
> getsockopt: Protocol not available
> server: got connection from 127.0.0.1, (null)
>
> Not sure what I am missing. I have installed ipsec-tools and started
> /etc/init.d/racoon.
>
> Any help would be appreciated.

IPSEC and loopback don't generally get along very well. Try:

echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm

Might want to also read through an old bug report on this issue,
https://bugzilla.redhat.com/show_bug.cgi?id=218386

--
Stephen Smalley
National Security Agency