>Seems like we have a problem with current OpenSwan/IPSec stuff.
>
>I believe that some of these are bugs in the implementation.
>
>-------- Original Message --------
>Subject: How should we handle polmatch avcs?
>Date: Sat, 23 Sep 2006 06:59:30 -0400
>From: Daniel J Walsh <[EMAIL PROTECTED]>
>To: Stephen Smalley <[EMAIL PROTECTED]>, "Christopher J. PeBenito"
><[EMAIL PROTECTED]>
>
>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207304
>
>allow initrc_t self:association polmatch;
>allow unlabeled_t initrc_t:association polmatch;
>allow unlabeled_t self:association polmatch;
I have run across the last of the 3 rules, and believe we do need it. The first 2, I have not come across yet.

The last rule will definitely be needed by selinux_xfrm_state_pol_flow_match() when sending unlabeled packets, because avc_has_perm() takes the SA sid and the policy sid to check, and when sending unlabeled packets these will both be unlabeled_t.

I am not very familiar with openswan or pluto. My guess is they do not contain modifications to use labeled ipsec. Thus this is running just plain non-labeled ipsec.

The first two rules, I am not sure I understand where they are being required. It could not be the hook mentioned above, because in the case of unlabeled packets, the policy and SA sids will always be unlabeled_t. The only other hook that uses polmatch is selinux_xfrm_policy_lookup(), and there avc_has_perm() checks the flow sid and the policy sid. Again, in the case of unlabeled packets, the policy sid should always be unlabeled_t. So the target will always be unlabeled_t... maybe some sort of transition happens?

I added "polmatch" to the kernel_sendrecv_unlabeled_association interface in kernel.if. Originally, the check in selinux_xfrm_policy_lookup() was for association:sendto recvfrom. This was changed with the introduction of the latest set of patches to labeled ipsec that introduced polmatch. Thus I figured we needed to add "polmatch" here too.

Also, selinux_xfrm_policy_lookup() will get called when an app wants to send a packet. It does an avc_has_perm() using the flow sid as source and the policy sid as target. I noticed that the flow_sid must sometimes be assigned the socket sid, because for a ping, my source sid aka flow_sid is ping_t. avc_has_perm() appears to check if ping_t can access unlabeled_t. Thus, apps sending unlabeled ipsec packets will call selinux_xfrm_policy_lookup()... so it seems easier to just add polmatch in this interface. This interface gets called by corenet_non_ipsec_sendrecv in corenetwork.if. I noticed most apps/daemons and init call corenet_non_ipsec_sendrecv.
Joy

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
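One way to check which of the three rules quoted in the bug are actually being hit on a given box is to reduce the polmatch AVC denials to (source type, target type) pairs and print the allow rule each pair would need, the same way audit2allow would. The script below is an added example, not code from this thread or from refpolicy; the AVC records in SAMPLE_AVC are constructed for illustration (the initrc_t and unlabeled_t pairs from the bug, plus the ping_t -> unlabeled_t check Joy describes, a non-polmatch sendto denial, and one duplicate), and the function names polmatch_rules, sample_rule_count and sample_rule_for are the example's own. On a real system the input would come from something like `ausearch -m avc` or /var/log/audit/audit.log instead.

```shell
#!/bin/sh
# Added example (not from the thread): turn "association polmatch" AVC
# denials into candidate allow rules so the three rules in the bug can be
# matched against what the kernel actually denied.

# Constructed sample AVC records, not captured from a real host.
SAMPLE_AVC='type=AVC msg=audit(1158998370.123:45): avc:  denied  { polmatch } for  scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=association
type=AVC msg=audit(1158998370.124:46): avc:  denied  { polmatch } for  scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1158998370.125:47): avc:  denied  { polmatch } for  scontext=root:system_r:ping_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1158998370.126:48): avc:  denied  { sendto } for  scontext=root:system_r:ping_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1158998370.127:49): avc:  denied  { polmatch } for  scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association'

# polmatch_rules: read AVC records on stdin and print one deduplicated
# "allow SRC TGT:association polmatch;" line per (source type, target type)
# pair that was denied polmatch. Identical source and target is written as
# "self", matching the form of the rules quoted in the bug.
polmatch_rules() {
    awk '
    /avc: *denied/ && /tclass=association/ {
        # permission set is the text between { and }
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
        if (perms !~ /(^| )polmatch( |$)/) next
        src = ""; tgt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = $i
            else if ($i ~ /^tcontext=/) tgt = $i
        }
        sub(/^scontext=/, "", src); sub(/^tcontext=/, "", tgt)
        # a context is user:role:type[:range]; the type is field 3
        split(src, s, ":"); split(tgt, t, ":")
        key = s[3] " " ((s[3] == t[3]) ? "self" : t[3])
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
    }
    END {
        for (i = 1; i <= n; i++) {
            split(order[i], p, " ")
            printf "allow %s %s:association polmatch;\n", p[1], p[2]
        }
    }'
}

# Number of distinct rules derived from the constructed sample.
sample_rule_count() {
    printf '%s\n' "$SAMPLE_AVC" | polmatch_rules | wc -l | tr -d ' '
}

# The derived rule for one source/target pair; exits non-zero if none.
sample_rule_for() {
    printf '%s\n' "$SAMPLE_AVC" | polmatch_rules | grep "^allow $1 $2:"
}

# Stand-alone run: prints the three distinct rules from the sample.
printf '%s\n' "$SAMPLE_AVC" | polmatch_rules
```

The sendto denial is dropped because the script only answers the polmatch question, and the duplicate unlabeled_t record collapses into one rule. Whether a derived rule belongs in the kernel_sendrecv_unlabeled_association interface or in a domain-specific policy is still a judgement call; the script only shows which pairs the hooks are checking.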
