Eric Paris wrote:
> Where do we stand with labeled networking today?
>
> I published a kernel yesterday which is sorta close to having what we
> need for labeled networking. This kernel includes 3 patch sets.
>
> 1) netlabel changes to audit configuration changes
> 2) secid reconciliation patch set (9 patches) for secmark/ipsec
> 3) secid reconciliation patch to include netlabel
>
> to even be close to a usable kernel we still need
>
> 1) fix for packets intended for ipsec tunnels to not be clear text.
> Venkat indicated he had his own way he wanted to solve this problem on
> Monday but I did not see any updates today. This is a major problem
> which must get fixed somehow, soon.
> 2) ipsec configuration auditing. if we can do this in policy all the
> better. if not, I need a patch.
> 3) fix for netlabel caching race which can cause an oops. Can be worked
> around by using a sysctl (see the e-mail from Paul Moore)
> 4) fix for netlabel correctness. In the same e-mail from Paul he
> mentioned correctness issues in -v3 inside selinux-ip-postroute-last
Updates from the NetLabel side of the house:
I have patches for both #3 and #4 sitting on my disk. I've got a kernel
(based on the source RPMs you posted this morning) building right now
with the patch for #3, it should be done pretty soon. I want to let it
run overnight and if everything looks okay I'll post it to the lists.
The fix for patch #4 is probably just going to be a respin, i.e. "v4" of
the NetLabel secid reconciliation patch as I don't think the "v3"
version of the patch has made it into a tree yet (net-2.6 seems to be
missing?). For those who are curious, attached is a diff between the
"v3" and upcoming "v4" patch. I'll post this once I have pushed out the
patch for #3 and have had time to test this.
--
paul moore
linux security @ hp
diff -u net-2.6/security/selinux/hooks.c net-2.6/security/selinux/hooks.c
--- net-2.6/security/selinux/hooks.c
+++ net-2.6/security/selinux/hooks.c
@@ -3750,22 +3750,23 @@
return 1;
if (!skb->secmark) {
+ struct sk_security_struct *sksec = skb->sk->sk_security;
u32 xfrm_sid;
u32 nlbl_sid;
- err = selinux_netlbl_skb_sid(skb, skb->secmark, &nlbl_sid);
+ selinux_skb_xfrm_sid(skb, &xfrm_sid);
+ err = selinux_netlbl_skb_sid(skb,
+ xfrm_sid ? xfrm_sid : sksec->sid,
+ &nlbl_sid);
if (err)
goto out;
- selinux_skb_xfrm_sid(skb, &xfrm_sid);
if (nlbl_sid)
skb->secmark = nlbl_sid;
else if (xfrm_sid)
skb->secmark = xfrm_sid;
- else if (skb->sk) {
- struct sk_security_struct *sksec = skb->sk->sk_security;
+ else if (skb->sk)
skb->secmark = sksec->sid;
- }
}
err = avc_has_perm(skb->secmark, nf_secid, SECCLASS_PACKET,
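Review bot: the new `struct sk_security_struct *sksec = skb->sk->sk_security;` at the top of the `if (!skb->secmark)` block dereferences `skb->sk` unconditionally, yet the surviving `else if (skb->sk)` branch a few lines later shows that `skb->sk` can be NULL on this path (the old code only dereferenced it inside that guard). On a packet with no socket this will oops before `selinux_netlbl_skb_sid()` is even called. Suggest computing the fallback SID under the guard, e.g. `u32 sk_sid = skb->sk ? ((struct sk_security_struct *)skb->sk->sk_security)->sid : 0;` and passing `xfrm_sid ? xfrm_sid : sk_sid` to `selinux_netlbl_skb_sid()`, keeping the `else if (skb->sk)` assignment as is.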
@@ -3920,25 +3921,24 @@
family, addrp, len);
else {
if (!skb->secmark) {
+ struct sk_security_struct *sksec =
+ skb->sk->sk_security;
u32 xfrm_sid;
u32 nlbl_sid;
+ selinux_skb_xfrm_sid(skb, &xfrm_sid);
err = selinux_netlbl_skb_sid(skb,
- skb->secmark,
- &nlbl_sid);
+ xfrm_sid ? xfrm_sid : sksec->sid,
+ &nlbl_sid);
if (err)
goto out;
- selinux_skb_xfrm_sid(skb, &xfrm_sid);
if (nlbl_sid)
skb->secmark = nlbl_sid;
else if (xfrm_sid)
skb->secmark = xfrm_sid;
- else if (skb->sk) {
- struct sk_security_struct *sksec =
- skb->sk->sk_security;
+ else if (skb->sk)
skb->secmark = sksec->sid;
- }
}
err = avc_has_perm(skb->secmark, SECINITSID_UNLABELED,
SECCLASS_PACKET, PACKET__FLOW_OUT, &ad);
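Review bot: same unguarded `skb->sk->sk_security` dereference as in the first hunk; the `else if (skb->sk)` branch retained below it again implies `skb->sk` may be NULL here, so `sksec` must only be read once that has been checked (or the socket SID folded into a checked local, with `SECINITSID_UNLABELED` or 0 as the fallback when there is no socket). Since this block is now a line-for-line copy of the one in the first hunk (xfrm lookup, NetLabel lookup seeded with `xfrm_sid ? xfrm_sid : sksec->sid`, then the nlbl/xfrm/socket precedence), consider moving it into a single helper so the NULL check and the precedence order are fixed in one place rather than two.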
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp