On Monday 16 October 2006 6:20 pm, Joy Latten wrote:
> Paul,
>
> When ipsec policy is specified as:
>
> spdadd 9.3.189.57 9.3.192.210 any
> -ctx 1 1 "system_u:object_r:passwd_t:s3"
> -P out ipsec
> esp/transport//require ah/transport//require;
>
> Since I specified both esp and ah protocols,
> racoon created 4 SAs, 2 for esp and 2 for AH.
> All four SAs created had the following security context:
> security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
> (A ping resulted in the SAs being created.)
>
> Hope this helps. Let me know if there is anything else I
> can help with.
Hi Joy,

Thanks, yes that does help. However, I have another question for you if you don't mind :)

What happens when you have multiple SAs for a packet and the contexts don't match? Granted this is a common case but it should be possible. For example, what happens when you use manual keying to create two SAs, one AH and one ESP, with the same selectors but different contexts? Does the first transform "win"? Or the "last"? Is there an error or warning reported anywhere?

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
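The situation Paul asks about (an AH SA and an ESP SA for the same endpoints carrying different security contexts, with no guarantee the kernel reports it) can at least be caught by auditing the SA database from userspace. The following is an added example, not code from the thread or from ipsec-tools: it parses a small SA dump and flags any source/destination pair whose SAs do not all share one context. The sample dump is constructed for this example; it only assumes that each SA block is headed by a `src dst` line, followed by an indented protocol line and an indented `security context:` line in the form Joy quoted, and does not reproduce the exact layout of `setkey -D` output.

```python
import re
from collections import defaultdict

# Constructed sample SA dump (not real setkey -D output). The last SA deliberately
# carries a different context so that the mismatch check has something to report.
SAMPLE_SAD = """\
9.3.189.57 9.3.192.210
    esp mode=transport spi=1001(0x000003e9) reqid=0(0x00000000)
    security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
9.3.189.57 9.3.192.210
    ah mode=transport spi=1002(0x000003ea) reqid=0(0x00000000)
    security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
9.3.192.210 9.3.189.57
    esp mode=transport spi=2001(0x000007d1) reqid=0(0x00000000)
    security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
9.3.192.210 9.3.189.57
    ah mode=transport spi=2002(0x000007d2) reqid=0(0x00000000)
    security context: system_u:object_r:passwd_t:s3
"""

# Assumed line shapes (see lead-in): an unindented "src dst" header starts each SA,
# an indented protocol line gives proto/mode/spi, an indented line gives the context.
SA_HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")
SA_PROTO = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\S+)\s+spi=(\d+)")
SA_CTX = re.compile(r"^\s+security context:\s*(\S+)")


def parse_sad(text):
    """Return one dict per SA: src, dst, proto, mode, spi, ctx (ctx is None if absent)."""
    sas = []
    cur = None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2),
                   "proto": None, "mode": None, "spi": None, "ctx": None}
            sas.append(cur)
            continue
        if cur is None:
            continue  # ignore anything before the first SA header
        m = SA_PROTO.match(line)
        if m:
            cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
            continue
        m = SA_CTX.match(line)
        if m:
            cur["ctx"] = m.group(1)
    return sas


def find_context_mismatches(sas):
    """Group SAs by (src, dst) and return only the groups whose SAs disagree on context.

    The result maps (src, dst) to the sorted list of distinct contexts seen; an SA
    with no context line contributes the string 'None' so it is also flagged.
    """
    groups = defaultdict(set)
    for sa in sas:
        groups[(sa["src"], sa["dst"])].add(str(sa["ctx"]))
    return {pair: sorted(ctxs) for pair, ctxs in groups.items() if len(ctxs) > 1}


def report(text):
    """Human-readable lines, one per mismatching (src, dst) pair."""
    lines = []
    for (src, dst), ctxs in sorted(find_context_mismatches(parse_sad(text)).items()):
        lines.append("%s -> %s: %d distinct contexts: %s" % (src, dst, len(ctxs), ", ".join(ctxs)))
    return lines


if __name__ == "__main__":
    # On a live system one would feed the output of the SA dump tool in here instead.
    for line in report(SAMPLE_SAD) or ["no context mismatches"]:
        print(line)
```

The check is deliberately keyed on endpoints rather than on SPI or protocol, because the question is whether the bundle of SAs applied to one packet agrees on its label; extending the grouping key with `mode` or the reqid is a one-line change if a deployment uses several bundles between the same hosts.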
