Paul Moore wrote:
> On Monday 16 October 2006 6:20 pm, Joy Latten wrote:
>
>> Paul,
>>
>> When ipsec policy is specified as:
>>
>>     spdadd 9.3.189.57 9.3.192.210 any
>>         -ctx 1 1 "system_u:object_r:passwd_t:s3"
>>         -P out ipsec
>>         esp/transport//require ah/transport//require;
>>
>> Since I specified both esp and ah protocols,
>> racoon created 4 SAs, 2 for esp and 2 for AH.
>> All four SAs created had the following security context:
>> security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
>> (A ping resulted in the SAs being created.)
>>
>> Hope this helps. Let me know if there is anything else I
>> can help with.
>
> Hi Joy,
>
> Thanks, yes that does help. However, I have another question for you if you
> don't mind :)
>
> What happens when you have multiple SAs for a packet and the contexts don't
> match? Granted this is a common case but it should be possible. For
> example, what happens when you use manual keying to create two SAs, one AH
> and one ESP, with the same selectors but different contexts?
>
> Does the first transform "win"? Or the "last"? Is there an error or warning
> reported anywhere?
While looking at something else I think I found the answer in the selinux_xfrm_decode_session(): all of the SAs used on the packet must have the same context else -EINVAL is returned.

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
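The rule Paul describes for selinux_xfrm_decode_session(), as an added stand-alone model rather than the kernel's own code: walk the SAs applied to one packet, let the first labeled SA fix the context, and reject the packet with -EINVAL as soon as a later SA disagrees. The struct, the function name decode_session_ctx and the choice to skip SAs that carry no label are assumptions of this model; the AH/ESP pair and the ping_t context come from Joy's report above.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of one SA on a packet's security path (hypothetical type). */
struct sa {
    const char *proto; /* "ah" or "esp", for readability only */
    const char *ctx;   /* security context string; NULL = unlabeled SA (assumption) */
};

/* Every labeled SA on the packet must carry the same context. The first
 * labeled SA fixes the answer; a later SA with a different context makes
 * the whole packet fail with -EINVAL, so neither "first" nor "last" wins.
 * On success *out receives the agreed context (NULL if no SA was labeled). */
int decode_session_ctx(const struct sa *path, size_t n, const char **out)
{
    const char *found = NULL;
    for (size_t i = 0; i < n; i++) {
        if (path[i].ctx == NULL)
            continue;               /* nothing to compare against */
        if (found == NULL)
            found = path[i].ctx;    /* first labeled SA sets the context */
        else if (strcmp(found, path[i].ctx) != 0)
            return -EINVAL;         /* mismatch: packet is rejected */
    }
    *out = found;
    return 0;
}

/* Joy's case: AH + ESP SAs created by racoon, both labeled ping_t. */
int matching_pair_accepted(void)
{
    const char *ping = "root:sysadm_r:ping_t:s0-s15:c0.c1023";
    struct sa path[] = { { "ah", ping }, { "esp", ping } };
    const char *ctx = NULL;
    int rc = decode_session_ctx(path, 2, &ctx);
    return rc == 0 && ctx != NULL && strcmp(ctx, ping) == 0;
}

/* Paul's case: manually keyed AH and ESP with different contexts. */
int mismatched_pair_rejected(void)
{
    struct sa path[] = {
        { "ah",  "root:sysadm_r:ping_t:s0-s15:c0.c1023" },
        { "esp", "system_u:object_r:passwd_t:s3" },     /* constructed */
    };
    const char *ctx = NULL;
    return decode_session_ctx(path, 2, &ctx) == -EINVAL;
}
```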
