> I think the above change is good and correct, but I think we should
> document that when using labeled ipsec, we highly recommend
> using racoon since you need to know the flow->secid to label your SAs
> correctly when doing it manually.

Well, one *should* know the context a process would be running at anyway for SELinux policy writing purposes. Only, here one would have to know the exact context, including the user, role and mls portions, to use manually defined SAs. racoon would obviously be convenient.

> Loopback may be an issue since I don't think racoon can negotiate
> with itself. (at least I could not get it to.)

I haven't done the test myself but I believe you are correct. And for this reason, as well as the impracticality of setting up potentially thousands of manual SAs (particularly in the MLS world where one could be dealing with hundreds/thousands of compartments), I do not believe labeled IPSec over loopback makes sense for the real world.

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
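The point made above, that manual SAs are tied to one full SELinux context each and multiply with the number of contexts, can be seen concretely by generating the manual configuration. The following is an added example, not code from the thread or from the ipsec-tools project. It assumes the ipsec-tools setkey `-ctx doi algorithm context` label extension (doi 1, algorithm 1 for SELinux) and constructs all addresses, SPIs, contexts and the (deliberately all-zero) key purely for illustration.

```python
# Added example (not from the mailing-list thread): builds the manual setkey
# SAD/SPD entries that labeled IPsec needs when racoon is not negotiating them.
# Each SA carries exactly one label, so every distinct SELinux context that may
# send traffic between two hosts needs its own SA in each direction.
# Assumptions: the ipsec-tools setkey "-ctx doi algorithm context" extension
# (doi 1, algorithm 1 = SELinux); addresses, SPIs, contexts and key are constructed.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class LabeledSA:
    src: str
    dst: str
    spi: int
    context: str  # full context user:role:type:mls; all four parts must match the flow


# Constructed 128-bit placeholder key for the example output only.
PLACEHOLDER_KEY = "0x" + "00" * 16


def mls_contexts(base: str, compartments: int) -> List[str]:
    """One context per MLS compartment, e.g. system_u:system_r:foo_t:s0:c0 ... s0:c(n-1)."""
    return [f"{base}:s0:c{i}" for i in range(compartments)]


def manual_sa_count(n_contexts: int, n_peers: int = 1) -> int:
    """Manual SAs needed: one per context, per peer, per direction."""
    return 2 * n_contexts * n_peers


def build_labeled_sas(host_a: str, host_b: str, contexts: List[str],
                      spi_base: int = 0x10000) -> List[LabeledSA]:
    """Allocate a distinct SPI for every (context, direction) pair between two hosts."""
    sas: List[LabeledSA] = []
    spi = spi_base
    for ctx in contexts:
        for src, dst in ((host_a, host_b), (host_b, host_a)):
            sas.append(LabeledSA(src, dst, spi, ctx))
            spi += 1
    return sas


def sad_line(sa: LabeledSA, doi: int = 1, lsm: int = 1) -> str:
    """setkey 'add' entry carrying the label via -ctx (assumed ipsec-tools syntax)."""
    return (f'add {sa.src} {sa.dst} esp {sa.spi:#x} -ctx {doi} {lsm} "{sa.context}" '
            f'-E aes-cbc {PLACEHOLDER_KEY};')


def spd_line(sa: LabeledSA, direction: str, doi: int = 1, lsm: int = 1) -> str:
    """Matching policy entry so only flows with that exact label select the SA."""
    return (f'spdadd {sa.src} {sa.dst} any -ctx {doi} {lsm} "{sa.context}" '
            f'-P {direction} ipsec esp/transport//require;')


def setkey_config(host_a: str, host_b: str, contexts: List[str]) -> str:
    """Full setkey script from host_a's point of view (out = a->b, in = b->a)."""
    sas = build_labeled_sas(host_a, host_b, contexts)
    lines = ["flush;", "spdflush;"]
    lines += [sad_line(sa) for sa in sas]
    lines += [spd_line(sa, "out" if sa.src == host_a else "in") for sa in sas]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ctxs = mls_contexts("system_u:system_r:unconfined_t", 3)
    print(setkey_config("10.0.0.1", "10.0.0.2", ctxs))
    # With 1024 compartments, two hosts already need 2048 hand-maintained SAs.
    print("SAs for 1024 compartments, one peer:", manual_sa_count(1024))
```

The generated script would be applied on each host with `setkey -c < file`; the loopback case discussed above is exactly where this manual path would be unavoidable, since the thread notes racoon cannot negotiate with itself.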
