On Tuesday, March 27 2007 10:37:44 pm Paul Moore wrote:
> On Tuesday 27 March 2007 9:02:38 pm Joy Latten wrote:
> > I think I know why this is happening. In your example, the policy has
> > a context of "system_u:object_r:ipsec_spd_t:s0", thus it will only work
> > at s0. Everything else will not match the policy and thus go out as
> > unlabeled because by default we allow unlabeled packets. (That is,
> > the boolean allow_unlabeled_packets is on by default. You must turn it
> > off if you don't want any unlabeled packets going out.) It should do
> > this for tcp and udp.
>
> That sounds reasonable, but I think it's rather misleading because TCP
> connections automatically generate a new SA with the correct context, at
> least doing the same thing as outlined in my original mail works with TCP.
>
> > In my policy, I have a context of
> > "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" to catch everything.
> >
> > I tried it with my policy and sent udp packets and it worked ok.
> > Please try this and let me know if it does or doesn't work for you.
>
> I will try this out when I get in to work tomorrow.
I tried this (making the MLS range from SystemLow to SystemHigh) and it did
work as you described. However, I'm still concerned that labeled IPsec
treats TCP and UDP differently ... I don't want to be the one who has to
explain this to users over and over again.

Now I'm off to try the latest 2.6.20.x kernel.

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
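The thread turns on one MLS detail: an SPD entry labelled `...:ipsec_spd_t:s0` only matches traffic whose level lies within the entry's range, so anything above s0 (or s0 with categories) falls through and leaves unlabeled while `allow_unlabeled_packets` is on, whereas `...:s0-s15:c0.c1023` spans every level. The script below, added here as an illustration and not code from the kernel, refpolicy or either poster, models that containment check. It parses the MLS field of an SELinux context (sensitivity plus category lists and `cN.cM` ranges) and treats a policy as matching when the socket's low level dominates the policy's low level and is dominated by the policy's high level; the real decision is an SELinux AVC check on the `association polmatch` permission and also involves the type-enforcement part of the label, which is left out here. The contexts, the `select_policy` helper and the sample socket labels are constructed for the example.

```python
"""Toy model of why an SPD entry at s0 only matches s0 traffic while an
entry at s0-s15:c0.c1023 catches everything (labeled IPsec, SELinux MLS).

Added illustration; not kernel, refpolicy or ipsec-tools code.  Assumption:
a policy matches a socket when the socket's level is inside the policy's
range (socket low dominates policy low, policy high dominates socket low).
Type enforcement is ignored; only the MLS field of each context is used.
"""
import re

# Contexts quoted in the thread.
NARROW_SPD = "system_u:object_r:ipsec_spd_t:s0"
WIDE_SPD = "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023"


class Level:
    """One MLS level: a sensitivity number plus a set of category numbers."""

    def __init__(self, sens, cats):
        self.sens = sens
        self.cats = frozenset(cats)

    def dominates(self, other):
        # Standard MLS dominance: higher-or-equal sensitivity and a superset
        # of the categories.
        return self.sens >= other.sens and self.cats >= other.cats

    def __repr__(self):
        return "Level(s%d, %s)" % (self.sens, sorted(self.cats))


def parse_level(text):
    """Parse 's2:c1,c4.c7' -> sensitivity 2, categories {1,4,5,6,7}."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", text.strip())
    if not m:
        raise ValueError("bad MLS level: %r" % text)
    sens = int(m.group(1))
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            cm = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
            if not cm:
                raise ValueError("bad category spec: %r" % part)
            lo = int(cm.group(1))
            hi = int(cm.group(2)) if cm.group(2) else lo
            if hi < lo:
                raise ValueError("category range out of order: %r" % part)
            cats.update(range(lo, hi + 1))
    return Level(sens, cats)


def parse_range(text):
    """Parse 'low' or 'low-high'; a single level is a range of itself."""
    low_txt, _, high_txt = text.partition("-")
    low = parse_level(low_txt)
    high = parse_level(high_txt) if high_txt else low
    if not high.dominates(low):
        raise ValueError("high level does not dominate low level: %r" % text)
    return low, high


def mls_field(context):
    """Return the MLS part of user:role:type:mls (the mls part may contain ':')."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError("context has no MLS field: %r" % context)
    return parts[3]


def policy_matches(policy_ctx, socket_ctx):
    """Toy polmatch: the socket's low level must lie within the policy range."""
    plow, phigh = parse_range(mls_field(policy_ctx))
    slow, _ = parse_range(mls_field(socket_ctx))
    return slow.dominates(plow) and phigh.dominates(slow)


def select_policy(policies, socket_ctx):
    """First matching SPD entry, or None: with no match the packet goes out
    unlabeled (permitted while allow_unlabeled_packets is on)."""
    for ctx in policies:
        if policy_matches(ctx, socket_ctx):
            return ctx
    return None


if __name__ == "__main__":
    # Constructed socket contexts at a few levels.
    for sock in ("staff_u:staff_r:staff_t:s0",
                 "staff_u:staff_r:staff_t:s0:c3",
                 "staff_u:staff_r:staff_t:s7:c100,c200"):
        print("%-40s narrow=%-5s wide=%s" % (
            sock, policy_matches(NARROW_SPD, sock), policy_matches(WIDE_SPD, sock)))
```

Running it shows the narrow entry matching only the plain `s0` socket, while the wide entry matches all three; with the narrow entry alone, `select_policy` returns `None` for the higher levels, which is the "goes out unlabeled" case Joy describes.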
