Quoting Paul Moore ([EMAIL PROTECTED]):
> Serge E. Hallyn wrote:
> > Quoting Paul Moore ([EMAIL PROTECTED]):
> >
> >>For those of you using the latest versions of the netlabel_tools you can
> >>specify specific per-domain CIPSO configurations with the following command
> >>line (for older versions replace "map" with "mgmt"):
> >>
> >> # netlabelctl map add domain:<domain> protocol:cipsov4,<doi>
> >>
> >>An example for the "unlabeled_t" domain using CIPSO doi #8 would be:
> >>
> >> # netlabelctl map add domain:unlabeled_t protocol:cipsov4,8
> >
> >
> > Ok, cool, that is in fact how we thought <doi> would be used. However,
> > looking at the current code, this shouldn't work, as pointed out by
> > KaiGai (thanks KaiGai). If you look at
> > security/selinux/xfrm.c:selinux_authorizable_ctx(),
> > it seems to enforce that doi == XFRM_SC_DOI_LSM.
> >
> > Should that check be removed, or am I misremembering what that fn is
> > supposed to do?
>
> Actually, I think you are confusing IPsec/IKE DOIs with CIPSO DOIs (or
> I'm confused <g>). A CIPSO DOI is not in any way related to an IPsec
> DOI, all CIPSO DOI processing should be handled in the NetLabel code;
> for more information on CIPSO DOI processing look at
> net/ipv4/cipso_ipv4.c in David Miller's net-2.6.19 git tree.
>
> Does this make sense?
Ah, yes, I was, and you are, thanks :)
However, at least the second part of my patch still stands :) Checking
the ipsec doi vs XFRM_SC_ALG_SELINUX is wrong.
Regarding the first piece of the patch (again attached), the question
then is, do we want to have the ipsec doi be predefined to
'XFRM_SC_DOI_LSM', or do we want it to be usable for separating ipsec
policy domains of interpretations?
thanks,
-serge
Subject: [PATCH] nethooks: fix some ctx_doi vs ctx_alg confusion
The security selinux_authorizable_ctx() function is claiming that
selinux will only authorize a single <doi>, which should be right.
Remove that check.
It is also using the wrong constant to enforce that selinux only
authorize its own algs in selinux_xfrm_sec_ctx_alloc(). Fix up
the constant.
Signed-off-by: Serge E. Hallyn <[EMAIL PROTECTED]>
---
security/selinux/xfrm.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
1ba0de675775d163bf34bca744ff3ea4bd35ad8a
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 6c985ce..4e22a0e 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -54,7 +54,6 @@
static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
{
return (ctx &&
- (ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
}
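Review bot: With `(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&` dropped, selinux_authorizable_ctx() no longer validates ctx_doi at all, so a context with any DOI value is authorizable as long as ctx_alg is XFRM_SC_ALG_SELINUX. The cover text leaves open whether the IPsec DOI should stay fixed at XFRM_SC_DOI_LSM or be usable for separating policy domains; that should be settled before this hunk goes in, and the commit message should say which (it currently states the single-DOI claim "should be right" and then removes the check). If DOIs are to separate policy domains, the accepted set needs to be defined somewhere rather than simply not checked.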
@@ -104,7 +103,7 @@ static int selinux_xfrm_sec_ctx_alloc(st
struct xfrm_sec_ctx *ctx;
BUG_ON(!uctx);
- BUG_ON(uctx->ctx_doi != XFRM_SC_ALG_SELINUX);
+ BUG_ON(uctx->ctx_alg != XFRM_SC_ALG_SELINUX);
if (uctx->ctx_len >= PAGE_SIZE)
return -ENOMEM;
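Review bot: The corrected `BUG_ON(uctx->ctx_alg != XFRM_SC_ALG_SELINUX);` fixes the DOI-versus-alg mix-up, but keeping it as BUG_ON means a uctx carrying an unexpected ctx_alg brings the kernel down; since the function already fails gracefully two lines later with `return -ENOMEM;` for an over-long ctx_len, consider returning -EINVAL for a mismatched ctx_alg in the same way. Note also that uctx->ctx_doi is now unchecked here, which is only consistent with the first hunk if the DOI is no longer meant to be validated.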
--
1.1.6
--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp