This should fix the issues encountered today by Joy and Fernando at IBM with not
being able to use unlabeled IPSec policy/associations.
The following mls constraint (modified to allow use of unlabeled IPSec policy
rules if TE policy allowed it) should be used in conjunction with this fix:

    mlsconstrain association { polmatch }
        ((( l1 dom l2 ) and ( h1 domby h2 )) or
         ( t2 == unlabeled_t ));
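As an added illustration of how that constraint is evaluated (this is a stand-alone model written for this note, not kernel code or shipped SELinux policy), the script below parses MLS contexts of the form user:role:type:low-high, implements "dom"/"domby" as sensitivity comparison plus category-set inclusion, and decides association:polmatch the way the constraint does: the flow's range (l1/h1) must sit inside the policy or SA range (l2/h2), unless the target type is unlabeled_t. The te_allowed flag is an assumption standing in for the separate TE allow rule, which the constraint can only restrict, never grant.

```python
# Added example: model of "mlsconstrain association { polmatch } ..." with the
# unlabeled_t escape clause. Not kernel or refpolicy code.
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Level:
    sens: int
    cats: FrozenSet[int]

    def dom(self, other: "Level") -> bool:
        # "l1 dom l2": sensitivity >= and category set is a superset
        return self.sens >= other.sens and self.cats >= other.cats

    def domby(self, other: "Level") -> bool:
        # "h1 domby h2" is the mirror image of dom
        return other.dom(self)


def parse_cats(spec: str) -> FrozenSet[int]:
    """Expand 'c0.c3,c7' into {0,1,2,3,7}; an empty spec means no categories."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(spec: str) -> Level:
    """Parse 's2' or 's2:c0.c3' into a Level."""
    sens, _, cats = spec.partition(":")
    return Level(int(sens[1:]), parse_cats(cats))


def parse_range(spec: str) -> Tuple[Level, Level]:
    """Parse 's0-s15:c0.c1023' into (low, high); a single level is its own range."""
    low, _, high = spec.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    low: Level
    high: Level

    @classmethod
    def parse(cls, ctx: str) -> "Context":
        # user:role:type:mls, where mls itself may contain ':' (s0:c0.c3)
        user, role, type_, mls = ctx.split(":", 3)
        low, high = parse_range(mls)
        return cls(user, role, type_, low, high)


def polmatch_allowed(src: str, tgt: str, te_allowed: bool = True) -> bool:
    """Decide association:polmatch for the flow context src (l1/h1/t1) against
    the IPSec policy or SA context tgt (l2/h2/t2).

    te_allowed is a stand-in (assumption) for the TE allow rule, which is
    checked first: the mlsconstrain can only deny, so an unlabeled_t target
    still needs an allow rule in TE policy to be usable."""
    if not te_allowed:
        return False
    s, t = Context.parse(src), Context.parse(tgt)
    mls_ok = s.low.dom(t.low) and s.high.domby(t.high)
    return mls_ok or t.type_ == "unlabeled_t"


if __name__ == "__main__":
    # Constructed sample contexts, not taken from any real system.
    flow = "system_u:system_r:ping_t:s0-s15:c0.c1023"
    print(polmatch_allowed(flow, "system_u:object_r:unlabeled_t:s0"))   # True (unlabeled)
    print(polmatch_allowed(flow, "system_u:object_r:ipsec_spd_t:s0"))   # False (range too wide)
```

The second call fails only on the MLS leg (h1 = s15:c0.c1023 is not dominated by h2 = s0), which is exactly the situation the unlabeled_t clause was added to cover for policies that carry no label.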
--- linux-2.6.17.i686.patch11.3/include/linux/security.h 2006-07-06
10:33:07.000000000 -0500
+++ linux-2.6.17.i686.patch11.4/include/linux/security.h 2006-07-07
18:10:00.000000000 -0500
@@ -2989,6 +2989,8 @@ static inline int security_xfrm_state_al
static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
struct xfrm_sec_ctx *polsec, u32 sid)
{
+ if (!polsec)
+ return 0;
return security_ops->xfrm_state_alloc_security(x, NULL, polsec, sid);
}
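Review bot: the early `return 0;` when polsec is NULL skips xfrm_state_alloc_security entirely, so the acquired state is handed back with no security context attached; the callers on the acquire path must already tolerate an unlabeled state, and a one-line comment above the check ("NULL polsec == unlabeled policy, nothing to allocate") would make that intent explicit to the next reader. Also note the check lives only in the CONFIG_SECURITY inline wrapper, so the LSM hook itself still receives a NULL polsec from any other caller.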
--- linux-2.6.17.i686.patch11.3/security/selinux/xfrm.c 2006-07-06
15:28:53.000000000 -0500
+++ linux-2.6.17.i686.patch11.4/security/selinux/xfrm.c 2006-07-07
18:34:37.000000000 -0500
@@ -212,8 +212,6 @@ static int selinux_xfrm_sec_ctx_alloc(st
if (!uctx)
goto not_from_user;
- BUG_ON(!uctx);
-
if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
return -EINVAL;
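Review bot: removing `BUG_ON(!uctx);` is correct as the context shows it: the `if (!uctx) goto not_from_user;` immediately above already diverts a NULL uctx, so the BUG_ON was unreachable and this is dead-code cleanup with no behaviour change. The body of not_from_user is outside the hunk; it is worth confirming there that the context built without a user-supplied ctx is what the new NULL-polsec callers expect, since both paths now represent the unlabeled case.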
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp