Quoting Paul Moore ([EMAIL PROTECTED]):
> For those of you using the latest versions of the netlabel_tools you can 
> specify specific per-domain CIPSO configurations with the following command 
> line (for older versions replace "map" with "mgmt"):
> 
>  # netlabelctl map add domain:<domain> protocol:cipsov4,<doi>
> 
> An example for the "unlabeled_t" domain using CIPSO doi #8 would be:
> 
>  # netlabelctl map add domain:unlabeled_t protocol:cipsov4,8

Ok, cool, that is in fact how we thought <doi> would be used.  However,
looking at the current code, this shouldn't work, as pointed out by
KaiGai (thanks KaiGai).  If you look at
security/selinux/xfrm.c:selinux_authorizable_ctx(),
it seems to enforce that doi == XFRM_SC_DOI_LSM.

Should that check be removed, or am I misremembering what that fn is
supposed to do?

Additionally, security/selinux/xfrm.c:selinux_xfrm_sec_ctx_alloc() says

        BUG_ON(uctx->ctx_doi != XFRM_SC_ALG_SELINUX);

This currently works generally because XFRM_SC_ALG_SELINUX and
XFRM_SC_DOI_LSM are both #defined to 1.  But I assume either the check
should be removed altogether, or it should read

        BUG_ON(uctx->ctx_alg != XFRM_SC_ALG_SELINUX);

?  Patch below implementing my guesses.

thanks,
-serge

Subject: [PATCH] nethooks: fix some ctx_doi vs ctx_alg confusion

The security selinux_authorizable_ctx() function is claiming that
selinux will only authorize a single <doi>, which should be right.
Remove that check.

It is also using the wrong constant to enforce that selinux only
authorize its own algs in selinux_xfrm_sec_ctx_alloc().  Fix up
the constant.

Signed-off-by: Serge E. Hallyn <[EMAIL PROTECTED]>

---

 security/selinux/xfrm.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

1ba0de675775d163bf34bca744ff3ea4bd35ad8a
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 6c985ce..4e22a0e 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -54,7 +54,6 @@
 static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
 {
        return (ctx &&
-               (ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
                (ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
 }
 
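Review bot: the commit message says the single-DOI claim "should be right" and then removes the check, which reads as self-contradictory; for the dropped line `-               (ctx->ctx_doi == XFRM_SC_DOI_LSM) &&`, the message should state why a context with any ctx_doi is now authorizable once ctx_alg is SELinux (the per-domain CIPSO DOI use Paul quoted), because after this hunk nothing in the visible function looks at ctx_doi at all. If the intent is to accept several specific DOIs rather than every value, say so, since the hunk as written accepts all of them.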
@@ -104,7 +103,7 @@ static int selinux_xfrm_sec_ctx_alloc(st
        struct xfrm_sec_ctx *ctx;
 
        BUG_ON(!uctx);
-       BUG_ON(uctx->ctx_doi != XFRM_SC_ALG_SELINUX);
+       BUG_ON(uctx->ctx_alg != XFRM_SC_ALG_SELINUX);
 
        if (uctx->ctx_len >= PAGE_SIZE)
                return -ENOMEM;
-- 
1.1.6

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
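As an added illustration of the constant collision Serge describes above (this is not code from the thread, from netlabel_tools, or from the kernel): a cut-down model of the user-supplied security context header with the two constants defined to 1 as in the mail, the check as it stood before the patch beside the corrected one, and a validator in the style of the surrounding function that returns an error code instead of BUG_ON. The struct layout, the 4096-byte page size and the function names are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constants as quoted in the thread: both are defined to 1, which is the
 * only reason the mixed-up ctx_doi check ever passed. */
#define XFRM_SC_DOI_LSM     1
#define XFRM_SC_ALG_SELINUX 1

/* Hypothetical cut-down model of the user-supplied context header; the
 * real struct carries more fields and the context string itself. */
struct user_ctx_hdr {
    uint8_t  ctx_doi;   /* domain of interpretation */
    uint8_t  ctx_alg;   /* which LSM interprets the context */
    uint16_t ctx_len;   /* length of the context string */
};

/* The check as it stood before the patch: compares the DOI field against
 * the algorithm constant.  Returns 1 if the header would be accepted. */
int check_before_patch(const struct user_ctx_hdr *u)
{
    return u && u->ctx_doi == XFRM_SC_ALG_SELINUX;
}

/* The check as the patch proposes: compares the algorithm field. */
int check_after_patch(const struct user_ctx_hdr *u)
{
    return u && u->ctx_alg == XFRM_SC_ALG_SELINUX;
}

/* Validator in the style of the surrounding function, which already
 * answers an oversized ctx_len with -ENOMEM: an unsupported algorithm is
 * likewise rejected with -EINVAL rather than crashing the kernel.
 * Assumes a 4096-byte page.  Returns 0 when the header is acceptable. */
int validate_user_ctx(const struct user_ctx_hdr *u)
{
    const unsigned page_size = 4096; /* assumption for the example */

    if (!u)
        return -EINVAL;
    if (u->ctx_alg != XFRM_SC_ALG_SELINUX)
        return -EINVAL;
    if (u->ctx_len >= page_size)
        return -ENOMEM;
    return 0;
}
```

A header carrying ctx_doi 1 but ctx_alg 0 shows the difference: the pre-patch check accepts it, because it never looks at ctx_alg, while the corrected check and the validator both reject it.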
