On Tuesday 27 March 2007 9:02:38 pm Joy Latten wrote:
> I think I know why this is happening. In your example, the policy has
> a context of "system_u:object_r:ipsec_spd_t:s0", thus it will only work
> at s0. Everything else will not match the policy and thus go out as
> unlabeled because by default we allow unlabeled packets. (That is,
> the boolean allow_unlabeled_packets is on by default. You must turn it
> off if you don't want any unlabeled packets going out.) It should do
> this for tcp and udp.

That sounds reasonable, but I think it's rather misleading because TCP
connections automatically generate a new SA with the correct context, at
least doing the same thing as outlined in my original mail works with
TCP.

> In my policy, I have a context of
> "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" to catch everything.
>
> I tried it with my policy and sent udp packets and it worked ok.
> Please try this and let me know if it does or doesn't work for you.

I will try this out when I get in to work tomorrow.

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
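The point of the thread (an SPD entry at "s0" only matches traffic at s0, while "s0-s15:c0.c1023" catches every level) can be shown with a small model of MLS range matching. This is an added illustration, not code from the thread or from the kernel; it assumes a simplified rule that a socket's single level must lie within the policy's low-high range in dominance order, and it ignores the separate AVC permission check the real labeled-IPsec lookup also performs.

```python
"""Simplified model of MLS range matching for labeled IPsec SPD entries.

Assumption (not from the thread): a socket level matches an SPD entry
when low <= level <= high in MLS dominance order (sensitivity compared
numerically, categories compared as sets)."""
import re


def parse_level(level):
    """'s3:c0.c5,c7' -> (3, frozenset({0,1,2,3,4,5,7})); 's0' -> (0, frozenset())."""
    sens, _, cats = level.partition(":")
    cat_set = set()
    for part in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # c5 or c0.c1023
        if not m:
            raise ValueError(f"bad category spec: {part}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        cat_set.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(cat_set)


def parse_range(mls):
    """'s0-s15:c0.c1023' -> (low, high); a single level is its own range."""
    low, _, high = mls.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(a, b):
    """a dominates b: higher-or-equal sensitivity and superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def spd_matches(policy_ctx, socket_ctx):
    """Compare only the MLS field (everything after the third colon)."""
    pol_mls = policy_ctx.split(":", 3)[3]
    sock_level, _ = parse_range(socket_ctx.split(":", 3)[3])  # single level
    low, high = parse_range(pol_mls)
    return dominates(sock_level, low) and dominates(high, sock_level)


def outgoing_disposition(policy_ctx, socket_ctx, allow_unlabeled):
    """What happens to a packet that does or does not hit the SPD entry."""
    if spd_matches(policy_ctx, socket_ctx):
        return "labeled SA"
    return "unlabeled" if allow_unlabeled else "dropped"
```

With the narrow entry, a socket at s2:c3 misses the policy and is sent unlabeled while allow_unlabeled_packets is on; with the wide entry it gets a labeled SA.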
