[redhat-lspp] lspp 63/labeled ipsec status

Joy Latten latten at austin.ibm.com
Fri Jan 19 20:50:36 UTC 2007


lspp 63:

A stress test sending streams of tcpv4 and udpv4 packets
successfully completed a 15.5-hour run for labeled ipsecv4.

I ran short tests sending a stream of tcpv6 packets over
regular ipsecv6 and labeled ipsecv6 and they completed successfully.
This is great on the ipv6 front as this test had not worked before.
(I think a config tweak and kernel fix in 63 were needed.)

Over the weekend I will run longer stress tests for regular ipv4
and for regular and labeled ipsecv6 to verify no regression in lspp 63
kernel. 

Resolved Issues in lspp 63.
- Can now receive unlabeled_t packets by default! Thanks, Venkat!!

Resolved Issues in latest selinux policy.
- The boolean, allow_unlabeled_packets, toggles whether to accept or
reject unlabeled packets. Thanks, Dan! 
- Setkey and racoon run in their own domains instead of sysadm domain.

Outstanding issues for labeled ipsec:
1. labeled ipsec policy.
-Still need policy to polmatch, sendto and recvfrom
for associations. I will look over the previous patches I sent and
see how to shorten them so we can get this in. I do believe they
can be shortened.

2. labeled ipsec over loopback.
Started looking at racoon code to see how involved this is. 
I am still trying to determine how "doable" it is. So far,
I think this is a non-trivial piece of work.

4. Need to finish up and send out doc on using and configuring labeled
ipsec.
 
5. Noted in lspp 63 that tcpdump causes my kernel to crash and system to
go into the kernel debugger. Opened bugreport 223505. 
I use tcpdump a lot. :-)    

Anything I forgot?

Regards,
Joy



