Re: labeled network aware kernel

["Justin P. Mattock" <justinmattock@gmail.com>]

On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
> I am working to get the labelled IPSec working, following Josh
> Brindle's blog post
> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>  I just want to get the client and server running on loopback, using a
> fully patched Fedora 10 machine.
> 
> I have the following keyfile that I pass into setkey:
> ----------
> spdflush;
> 
> flush;
> 
> spdadd 127.0.0.1 127.0.0.1 any
> -ctx 1 1 "system_u:object_r:default_t:s0"
> -P in ipsec esp/transport//require;
> 
> spdadd 127.0.0.1 127.0.0.1 any
> -ctx 1 1 "system_u:object_r:default_t:s0"
> -P out ipsec esp/transport//require;
> ----------
> 
> I enter the following commands:
> 
> --- Terminal 1 ---
> setenforce 0
> setkey -f <keyfile>
> ./server
> 
> --- Terminal 2 ---
> # ./client 127.0.0.1
> getpeercon: Protocol not available
> Received: Hello, (null) from (null)
> 
> --- Terminal 1 ---
> getsockopt: Protocol not available
> server: got connection from 127.0.0.1, (null)
> 
> Not sure what I am missing.  I have installed ipsec-tools and started
> /etc/init.d/racoon.
> 
> Any help would be appreciated.
> 
> --Mark
> 
> 
> On Fri, Apr 24, 2009 at 5:44 PM, Joy Latten <latten@austin.ibm.com> wrote:
> > Hi Mark,
> >
> > If interested, there are ietf drafts for labeled ipsec,
> > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev1-security-context-00.txt
> > and
> > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev2-security-context-00.txt.
> >
> > Also, I'd be happy to help by answering any questions.
> >
> > regards,
> > Joy Latten
> >
> > On Wed, 2009-04-22 at 23:01 -0400, Mark Webb wrote:
> >> I am looking at the IPSec-based labeled networking.
> >>
> >> BTW.  I will be at the Tresys Advanced Policy course next week.  Is
> >> any of this covered there?
> >>
> >> Thanks,
> >>
> >> On Wed, Apr 22, 2009 at 6:21 PM, Chad Sellers <csellers@tresys.com> wrote:
> >> > Josh's article talks about IPSec labeled networking (as well as using
> >> > SECMARK which provides firewall-level networking controls), as opposed to
> >> > Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9
> >> > and everything was there, so I'd imagine it's still there in F10. Just make
> >> > sure you install ipsec-tools.
> >> >
> >> > Chad Sellers
> >> >
> >> >
> >> > On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@gmail.com> wrote:
> >> >
> >> >> I am interested in experimenting with the labeled networking that SE
> >> >> Linux offers.  I am reading through Josh Brindle's blog
> >> >>
> >> >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/
> >> >>
> >> >> My question is, how do I know if my kernel is capable of supporting
> >> >> this?  I am currently running Fedora 10 with all the latest updates
> >> >> but not sure how to check.
> >> >>
> >> >> Also if I compile a kernel from source, is there anything that needs
> >> >> to be done in the configuring of the kernel build to enable the
> >> >> labeled networking?
> >> >>
> >> >> Thanks,
> >> >> Mark
> >> >>
> >> >> --
> >> >> This message was distributed to subscribers of the selinux mailing list.
> >> >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> >> >> the words "unsubscribe selinux" without quotes as the message.
> >> >
> >> >
> >>
> >>
> >> --
> >> This message was distributed to subscribers of the selinux mailing list.
> >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> >> the words "unsubscribe selinux" without quotes as the message.
> >
> >
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


ipsec is tricky(especially with the keys in
ipsec.conf)
For me I usually
would create(as a test) a machine
as the server running a shoutcast stream
then the client connecting, using etherape
as the eyes to see whats happening.
In you're case I'm not sure about using
one machine as a loop(better than trying to
run AH through NAT)

Justin P. Mattock


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.