On Wed, 2007-03-28 at 10:48 -0400, Paul Moore wrote:
> On Tuesday, March 27 2007 10:37:44 pm Paul Moore wrote:
> > On Tuesday 27 March 2007 9:02:38 pm Joy Latten wrote:
> > > I think I know why this is happening. In your example, the policy has
> > > a context of "system_u:object_r:ipsec_spd_t:s0", thus it will only work
> > > at s0. Everything else will not match the policy and thus go out as
> > > unlabeled because by default we allow unlabeled packets. (That is,
> > > the boolean allow_unlabeled_packets is on by default. You must turn it
> > > off if you don't want any unlabeled packets going out.) It should do
> > > this for tcp and udp.
> >
> > That sounds reasonable, but I think it's rather misleading because TCP
> > connections automatically generate a new SA with the correct context, at
> > least doing the same thing as outlined in my original mail works with TCP.
> >
> > > In my policy, I have a context of
> > > "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" to catch everything.
> > >
> > > I tried it with my policy and sent udp packets and it worked ok.
> > > Please try this and let me know if it does or doesn't work for you.
> >
> > I will try this out when I get in to work tomorrow.
> 
> I tried this (making the MLS range from SystemLow to SystemHigh) and it did 
> work as you described.  However, I'm still concerned that labeled IPsec 
> treats TCP and UDP differently ... I don't want to be the one who has to 
> explain this to users over and over again.
> 
> Now I'm off to try the latest 2.6.20.x kernel.
> 

Hmmmm... I am on lspp 70 kernel and policy version 38. 
I entered policy with following context,
system_u:object_r:ipsec_spd_t:s0

I used nc to test both udp and tcp connections.
My id on both machines is:
uid=502(testuser) gid=502(testuser) groups=502(testuser)
context=testuser_u:user_r:user_t:s15:c0.c239

tcp and udp are acting the same for me. Neither attempt
resulted in an SA. I got avc denied msgs for "polmatch" permissions
on the policy, thus leading to no policy being found and packets going
out as unlabeled. 

How are you testing as far as user, commands, etc...?
Perhaps I can try to duplicate your scenario.

Joy

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
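The thread turns on why an SPD entry labeled "system_u:object_r:ipsec_spd_t:s0" is not matched by a socket running at s15:c0.c239 (the "polmatch" AVC denials Joy reports), while "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" catches everything. The following is an added example, not code from the thread or from the LSPP kernel/policy: it models the MLS side of the polmatch decision as "the socket's level must fall within the SPD entry's range", which is an assumption about the policy constraint, not a quotation of it. The context strings are the ones posted in the thread; the helper names are made up here.

```python
"""Toy model of the MLS range check behind labeled-IPsec SPD lookups.

Assumption (not taken from the thread): the MLS constraint on the
'polmatch' permission requires the socket's MLS range to lie inside the
SPD entry's range, i.e. entry.low <= socket.low and socket.high <= entry.high
in the MLS dominance order. The real check lives in the MLS policy; this
only reproduces the containment rule to show why s0 fails and s0-s15 works.
"""
import re

# user:role:type:mls  -- the mls part may be a single level or low-high range
CTX_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+):(?P<mls>.+)$")


def parse_cats(spec):
    """'c0.c1023,c5' -> frozenset of category numbers ('cA.cB' is an inclusive range)."""
    cats = set()
    if not spec:
        return frozenset()
    for part in spec.split(","):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(level):
    """'s15:c0.c239' -> (15, {0..239}); 's0' -> (0, empty set)."""
    sens, _, cats = level.partition(":")
    return (int(sens[1:]), parse_cats(cats))


def parse_range(mls):
    """'s0-s15:c0.c1023' -> (low, high); a single level 's0' becomes (s0, s0)."""
    low_str, _, high_str = mls.partition("-")
    low = parse_level(low_str)
    return (low, parse_level(high_str) if high_str else low)


def dominates(a, b):
    """MLS dominance: a dom b iff a.sens >= b.sens and a.cats is a superset of b.cats."""
    return a[0] >= b[0] and a[1] >= b[1]


def polmatch(socket_ctx, spd_ctx):
    """Return True if the SPD entry's MLS range contains the socket's MLS range."""
    s_low, s_high = parse_range(CTX_RE.match(socket_ctx)["mls"])
    p_low, p_high = parse_range(CTX_RE.match(spd_ctx)["mls"])
    return dominates(s_low, p_low) and dominates(p_high, s_high)


# Contexts quoted in the thread.
USER_CTX = "testuser_u:user_r:user_t:s15:c0.c239"
SPD_S0 = "system_u:object_r:ipsec_spd_t:s0"
SPD_FULL = "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023"

if __name__ == "__main__":
    for spd in (SPD_S0, SPD_FULL):
        print(f"{USER_CTX} vs {spd}: polmatch={polmatch(USER_CTX, spd)}")
```

With the s0-only entry the socket's high level s15:c0.c239 is not dominated by s0, so the lookup fails and the packet leaves unlabeled (given allow_unlabeled_packets on); widening the entry to s0-s15:c0.c1023 makes the containment hold. The model treats TCP and UDP identically, which is the behaviour Joy observes; the TCP difference Paul saw is outside what this check explains.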
