> 3. Toggle to accept or reject unlabeled packets.
> Dan has completed this. He added a boolean, allow_unlabeled_packets,
> to selinux policy. Currently, because of a problem in lspp60
> kernel, boolean does not work. I tested the boolean on
> upstream kernel from kernel.org, 2.6.20-rc3-git4 and the boolean
> worked great and as expected. (See #5 below as to why
> it did not work in lspp60.)

Can Paul make sure this works for NetLabel as well (since 5 shouldn't be applicable to NetLabel)?

> 4. Labeled ipsec over loopback.
> Because racoon cannot talk to itself, dynamically, labeled SAs cannot
> be generated over loopback.
> I asked on ipsec-tools mailing list about this and it seems the
> consensus was no one has gotten this to work with ikev1, that is,
> the current racoon.
> At some point Venkat and others had discussion about how to resolve this.

But right now we don't have a solution that is viable? We can create these associations by hand, but that's not really something we see as reasonable and scalable, right?

> 5. Default behaviour to accept unlabeled packets.
> In lspp kernels (I need to check RHEL5 kernels) as soon as a
> single ipsec policy is entered, unlabeled packets are no longer
> accepted. This is contrary to selinux policy. (Thus why
> Dan's toggle wouldn't work in lspp60.)
> I tested on an upstream kernel from kernel.org, 2.6.0-rc3-git4,
> with very same selinux policy and ipsec config and unlabeled
> packets are still accepted. This is correct behaviour.
> Need to investigate what change has occurred between lspp kernel
> and upstream kernel from kernel.org to cause different behaviours.

I'll hunt this down tomorrow.

> 6. IPv6
> Regular ipsec and labeled ipsec did not work over ipv6 in lspp 59
> kernel. Need to try in lspp60 kernel and latest upstream kernel,
> 2.6.10-rc3-git4. Will open a bugreport.

Please do.

> 7. IPsec audit is complete.
> There was a bugfix sent to linux-kernel last Monday.
> Eric or Steve, I don't know if this bugfix has been accepted...
> if I need to open a bugreport to make sure you get it, please
> let me know.

Can you send me a link to the upstream submission you are talking about?

-Eric

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
