Bug 218386 - LSPP: labeled ipsec does not work over loopback
Summary: LSPP: labeled ipsec does not work over loopback
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ipsec-tools
Version: 5.0
Hardware: powerpc
OS: Linux
Target Milestone: ---
Assignee: Steve Conklin
QA Contact: Brian Brock
Depends On:
Blocks: RHEL5LSPPCertTracker
Reported: 2006-12-04 23:46 UTC by Joy Latten
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2007-0342
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-06-27 14:19:17 UTC
Target Upstream Version:

Attachments
Patch that allows racoon to negotiate with itself over loopback.
2007-04-06 00:30 UTC, Joy Latten

Description Joy Latten 2006-12-04 23:46:45 UTC
Description of problem:
When labeled ipsec is configured, cannot ping loopback.

Version-Release number of selected component (if applicable):
I am using lspp 56 kernel with RHEL5 beta1 refresh.

How reproducible:
All the time.

Steps to Reproduce:
1. echo 0 > /proc/sys/net/ipv4/confeth0/disable_policy
   echo 0 > /proc/sys/net/ipv4/confeth0/disable_xfrm
2. Use setkey to install the labeled ipsec config. 
   My labeled ipsec config is:
add esp 35590 -m transport
-ctx 1 1 "system_u:object_r:ping_t:s0-s15:c0.c1023"
-E 3des-cbc "06183223c23a21e8b36c566b";

spdadd any 
-ctx 1 1 "system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
-P in ipsec

spdadd any 
-ctx 1 1 "system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
-P out ipsec

3. ping 

Actual results:
The ping hangs.  

Expected results:
The ping to succeed

Additional info:
When I try this exact same config minus the security context, the ping works.
Thus I have concluded something is incorrect when using labels. 
I did not see any avc denied messages in my /var/log/audit/audit.log

Comment 1 Joy Latten 2006-12-05 00:13:39 UTC
I meant to add 2 more things.
1. That I am running selinux in permissive mode.
2. The ping does not hang but comes back with, "connect: No such process".
   This has led me to believe it cannot find the needed SA, although I have
   installed the SA.

I have also tried this on rhel5 beta2 with lspp56 kernel and get
the same results.

Comment 2 Joy Latten 2006-12-05 00:19:25 UTC
In step 1., it should read 
echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm

Comment 3 RHEL Product and Program Management 2006-12-06 09:30:27 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for

Comment 4 Issue Tracker 2006-12-12 16:13:22 UTC
----- Additional Comments From  2006-12-11 20:56 EDT
Ok, I figured it out. In selinux_xfrm_state_pol_flow_match() we no longer
do a "polmatch" check on the SA and policy. Instead, we do an
"if (fl->secid != state_sid)" check. This obsoleted my policy.

It is most likely that racoon will always negotiate the SA's correctly.
Racoon doesn't appear to be able to negotiate with itself for loopback too
though. So I think if you want to use labeled ipsec over loopback, you need
to make sure the SA's context exactly matches the flow's, when setting up

For ping over labeled ipsec, an SA with context
"root:sysadm_r:ping_t:s0-s15:c0.c1023" worked for me.

This event sent from IssueTracker by araghavan, issue 108572
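The check described in Comment 4, modelled as an added illustration (not kernel code and not part of the bug report): secids are handed out per distinct context string by a toy SID table, so the exact-secid comparison rejects the original SA context (system_u:object_r:ping_t...) even though its type matches, while the SA context that worked is identical to the flow's. The flow context is assumed to equal the working SA context, and the type-only comparison is a hypothetical stand-in for the older, looser "polmatch" behaviour.

```python
# Added illustration of the secid comparison in Comment 4; not the kernel's code.
from collections import namedtuple

Context = namedtuple("Context", "user role type range")


def parse_context(ctx: str) -> Context:
    """Split 'user:role:type:range'; the MLS range may itself contain ':'."""
    user, role, type_, range_ = ctx.split(":", 3)
    return Context(user, role, type_, range_)


class SidTable:
    """Toy analogue of the kernel SID table: one secid per distinct context."""

    def __init__(self):
        self._sids = {}

    def secid(self, ctx: str) -> int:
        # Any difference in user, role, type or range yields a new secid.
        return self._sids.setdefault(ctx, len(self._sids) + 1)


def state_pol_flow_match_exact(sidtab, flow_ctx, sa_ctx):
    """The check Comment 4 quotes: 'if (fl->secid != state_sid)' fails the match."""
    return sidtab.secid(flow_ctx) == sidtab.secid(sa_ctx)


def state_pol_flow_match_type_only(flow_ctx, sa_ctx):
    """Hypothetical looser comparison on the type field only (stand-in for polmatch)."""
    return parse_context(flow_ctx).type == parse_context(sa_ctx).type


# Constructed sample contexts taken from the bug report.
FLOW_CTX = "root:sysadm_r:ping_t:s0-s15:c0.c1023"            # assumed label of the ping process
SA_CTX_ORIGINAL = "system_u:object_r:ping_t:s0-s15:c0.c1023"  # SA from the setkey config
SA_CTX_WORKING = "root:sysadm_r:ping_t:s0-s15:c0.c1023"       # SA context reported as working


def explain(flow_ctx, sa_ctx):
    """Report both comparisons so the difference between them is visible."""
    sidtab = SidTable()
    return {
        "type_only": state_pol_flow_match_type_only(flow_ctx, sa_ctx),
        "exact_secid": state_pol_flow_match_exact(sidtab, flow_ctx, sa_ctx),
    }


if __name__ == "__main__":
    for sa in (SA_CTX_ORIGINAL, SA_CTX_WORKING):
        print(sa, explain(FLOW_CTX, sa))
```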

Comment 5 Eric Paris 2007-01-05 20:19:45 UTC
Joy, can you remind me again where we stand with this?  I believe at one point
you were going to talk with the ipsec people about making racoon talk to itself
over loopback.  Did that go anywhere?  Can you help me get back up to date after
my brain rotted during vacation?

Comment 6 Joy Latten 2007-01-23 19:46:20 UTC
I queried the ipsec-tools list but did not get any helpful info. One person
stated they tried this a while back and could not get it to work. 

I started looking at the racoon code to see if it would be trivial to fix.
Did not get very far with this as I had other lspp development items at equal

Joe Nall has also been looking at the code and sent me a racoon patch he created
yesterday to look at. He says it needs more work. I will try and look at it
later today or tomorrow. 

Comment 8 Irina Boverman 2007-02-14 19:53:08 UTC
Per 2/12 discussion, Joy continues to work on a patch. 

Comment 9 Eric Paris 2007-02-15 20:46:11 UTC
As this is likely going to have to be a userspace patch to ipsec-tools adding
harald to ipsec-tools maintainer

Comment 10 Joy Latten 2007-02-20 18:34:29 UTC
Ran a 16 hour labeled ipsec stress test with the patched racoon.
Sent streams of packets over loopback as well as eth0 to a remote to test
how racoon would work in both schemes. 

While the stress tests completed successfully, I saw what I believe to be
unusual behaviour. SAs were being created twice instead of once. So I will
continue to work on this patch.

Comment 11 George C. Wilson 2007-04-02 20:07:14 UTC
Joy will run one more day of stress testing.

Comment 12 Eric Paris 2007-04-02 20:41:12 UTC
reassigning to harald.  jlatten should be attaching a patch for ipsec-tools very

Comment 13 Joy Latten 2007-04-03 22:45:36 UTC
I have sent the patch that started off as a proof of concept from Paul Moore to
the ipsec-tools community. I have been testing for last 24 hours without
problems, but will continue to test until I feel less wary. I also would like to
hear from ipsec-tools list.

Comment 14 Joy Latten 2007-04-06 00:30:28 UTC
Created attachment 151822 [details]
Patch that allows racoon to negotiate with itself over loopback.

Patch sent to ipsec-tools list. Still awaiting feedback and acceptance.
This patch includes Paul Moore's proof of concept.

Comment 16 George C. Wilson 2007-04-09 20:14:32 UTC
Stress test over weekend with lspp.72 kernel and latest racoon leaks file
descriptors. Test ran 36 hours. See bug 235680.

Comment 17 George C. Wilson 2007-04-09 20:16:33 UTC
sgrubb: Got OK to build.

Comment 18 George C. Wilson 2007-04-10 15:35:27 UTC
Joy, this needs to be backported to RHEL5.

Comment 19 Steve Grubb 2007-04-10 20:33:58 UTC
built ipsec-tools-0.6.5-6.3 to address this issue.

Comment 20 George C. Wilson 2007-04-11 23:44:07 UTC
Joy, can you verify that this is fixed in a build? Thanks.

Comment 21 Joy Latten 2007-04-12 00:23:25 UTC
Ok, I just tried it and it appears to be working ok. However, I have not yet had
this accepted upstream and would rather not close this until it is accepted.

Comment 22 Issue Tracker 2007-06-27 17:32:28 UTC
Closing issue per last update.
Thank You
Joe Kachuck

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 5.1'

This event sent from IssueTracker by jkachuck, issue 108572
