Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
From: James Morris <[EMAIL PROTECTED]>
Date: Thu, 5 Oct 2006 16:58:31 -0400 (EDT)

> On Tue, 3 Oct 2006, David Miller wrote:
>
> > The socket policy behavior deserves some scrutiny. I say this because
> > if a matching socket policy is avoided due to security layer error,
> > this could potentially make key manager problems very hard to
> > diagnose.
>
> In this case, AVC denial messages would be logged to the audit log, so
> there'd be an indication of what's going wrong.

Ok.

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
On Tue, 3 Oct 2006, David Miller wrote:

> The socket policy behavior deserves some scrutiny. I say this because
> if a matching socket policy is avoided due to security layer error,
> this could potentially make key manager problems very hard to
> diagnose.

In this case, AVC denial messages would be logged to the audit log, so
there'd be an indication of what's going wrong.

- James
--
James Morris
<[EMAIL PROTECTED]>
RE: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
Evgeniy,

Please start with my patch which should actually address the issue you
were originally running into. I doubt that you were running into the kind
of errors that James' patch (which will need to be modified to not treat
-EACCES as an error to be propagated up the chain) would handle.

Thanks,
venkat

> -Original Message-
> From: James Morris [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 8:00 AM
> To: Evgeniy Polyakov
> Cc: David S. Miller; Herbert Xu; netdev@vger.kernel.org; Stephen
> Smalley; Venkat Yekkirala; Paul Moore; Daniel J Walsh
> Subject: Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
>
> On Wed, 4 Oct 2006, Evgeniy Polyakov wrote:
>
> > Linux kano 2.6.18 #5 SMP Mon Oct 2 18:44:30 MSD 2006 i686 i686 i386 GNU/Linux
> > [EMAIL PROTECTED] ~]# rpm -q selinux-policy-targeted
> > selinux-policy-targeted-2.3.17-2
> >
> > I get only these messages in audit.log when remote racoon tries to
> > connect to system with selinux enabled in enforcing mode:
>
> I think the policy has just not been written for racoon, and it's being
> denied by default (cc'd Dan Walsh).
>
> > type=AVC msg=audit(1159938297.845:625): avc: denied { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association
> > type=AVC msg=audit(1159938297.845:626): avc: denied { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> > type=AVC msg=audit(1159938307.837:627): avc: denied { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> > type=AVC msg=audit(1159938317.838:628): avc: denied { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> > type=AVC msg=audit(1159938327.839:629): avc: denied { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> >
> > It is with your patch applied.
> > Should I try Venkat's or is it an unrelated problem?
> >
> > > --
> > > James Morris
> > > <[EMAIL PROTECTED]>
>
> --
> James Morris
> <[EMAIL PROTECTED]>
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
On Tue, Oct 03, 2006 at 04:18:07PM -0700, David Miller wrote:
>
> As I review this patch I realize there is a question of
> semantics and prioritization here.

Indeed. Unfortunately I was doing other things at the time sub-policies
were introduced so I didn't pay attention to it.

After a quick look, it seems that the intention is to perform some sort
of recursive lookup (restricted to 2 levels only). If that is the
intention, perhaps we should try to come up with a better mechanism
because hard-coding a single level of recursion for mobility is probably
not the best solution as this is just a special case of the general
nested tunnel problem.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
On Wed, 4 Oct 2006, Evgeniy Polyakov wrote:

> Linux kano 2.6.18 #5 SMP Mon Oct 2 18:44:30 MSD 2006 i686 i686 i386 GNU/Linux
> [EMAIL PROTECTED] ~]# rpm -q selinux-policy-targeted
> selinux-policy-targeted-2.3.17-2
>
> I get only these messages in audit.log when remote racoon tries to
> connect to system with selinux enabled in enforcing mode:

I think the policy has just not been written for racoon, and it's being
denied by default (cc'd Dan Walsh).

> type=AVC msg=audit(1159938297.845:625): avc: denied { polmatch } for
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association
> type=AVC msg=audit(1159938297.845:626): avc: denied { polmatch } for
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> type=AVC msg=audit(1159938307.837:627): avc: denied { polmatch } for
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> type=AVC msg=audit(1159938317.838:628): avc: denied { polmatch } for
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> type=AVC msg=audit(1159938327.839:629): avc: denied { polmatch } for
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
>
> It is with your patch applied.
> Should I try Venkat's or is it an unrelated problem?
>
> > --
> > James Morris
> > <[EMAIL PROTECTED]>

--
James Morris
<[EMAIL PROTECTED]>
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
On Mon, Oct 02, 2006 at 12:41:57PM -0400, James Morris ([EMAIL PROTECTED]) wrote:
> You can get recent policy packages via the devel repo, which I'd suggest
> if you're using development (or DIY) kernels.

[EMAIL PROTECTED] ~]# uname -a
Linux kano 2.6.18 #5 SMP Mon Oct 2 18:44:30 MSD 2006 i686 i686 i386 GNU/Linux
[EMAIL PROTECTED] ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.3.17-2

I get only these messages in audit.log when remote racoon tries to
connect to system with selinux enabled in enforcing mode:

type=AVC msg=audit(1159938297.845:625): avc: denied { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association
type=AVC msg=audit(1159938297.845:626): avc: denied { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1159938307.837:627): avc: denied { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1159938317.838:628): avc: denied { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1159938327.839:629): avc: denied { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association

It is with your patch applied.
Should I try Venkat's or is it an unrelated problem?

> --
> James Morris
> <[EMAIL PROTECTED]>

--
Evgeniy Polyakov
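James's suggestion earlier in the thread was to grep audit.log for 'association'; the following Python snippet is an added example (not part of this thread or of any kernel or policy code) that takes that triage one step further: it parses AVC records, keeps only denials in the `association` class, and collapses the repeated `polmatch` retries into per-context counts. The sample records are constructed from the ones quoted in this thread (serials 625-627 and 21) plus one unrelated `file` denial to show the class filter at work.

```python
import re
from collections import Counter

# Constructed sample: polmatch denials as posted in this thread, plus one unrelated file denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1159938297.845:625): avc: denied { polmatch } for scontext=system_u:object_r:unlabeled_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association
type=AVC msg=audit(1159938297.845:626): avc: denied { polmatch } for scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1159938307.837:627): avc: denied { polmatch } for scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1159804556.391:21): avc: denied { polmatch } for pid=2213 comm="racoon" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association
type=AVC msg=audit(1159938400.000:700): avc: denied { read } for pid=999 comm="cat" scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""
# One AVC record: timestamp:serial, result, the permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # comm="racoon" stays one token

def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def association_denials(text):
    """Keep only denials in the 'association' class, i.e. the IPsec policy/SA checks."""
    recs = (parse_avc(line) for line in text.splitlines())
    return [r for r in recs if r and r["result"] == "denied" and r.get("tclass") == "association"]

def summarize(recs):
    """Count (permission, scontext, tcontext) triples so repeated retries collapse into one row."""
    counts = Counter()
    for r in recs:
        for perm in r["perms"]:
            counts[(perm, r["scontext"], r["tcontext"])] += 1
    return counts

if __name__ == "__main__":
    for (perm, sctx, tctx), n in summarize(association_denials(SAMPLE_AUDIT_LOG)).most_common():
        print(f"{n:3d}  {perm:10s} {sctx} -> {tctx}")
```

Records without `pid=`/`comm=` (the `unlabeled_t` subject ones) are checks made on inbound traffic rather than on behalf of a process, so the context pair, not the process name, is what tells the two kinds apart.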
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
On Tue, 3 Oct 2006, David Miller wrote:

> I'm not saying either is wrong, I'm just pointing it out to make sure
> this is intentional.
>
> The socket policy behavior deserves some scrutiny. I say this because
> if a matching socket policy is avoided due to security layer error,
> this could potentially make key manager problems very hard to
> diagnose.

Yep, the code needs to be reworked in general (Venkat is doing this).

- James
--
James Morris
<[EMAIL PROTECTED]>
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
From: James Morris <[EMAIL PROTECTED]>
Date: Mon, 2 Oct 2006 10:27:13 -0400 (EDT)

> Updated version of the patch, which returns directly after a flow cache
> lookup error in xfrm_lookup rather than returning via the cleanup path
> (which was causing a spurious dst_release).
>
> This works for me, although I never saw the oops with the old patch.
>
> Evgeniy, let me know if this fixes the oops you're seeing.
>
> Signed-off-by: James Morris <[EMAIL PROTECTED]>

As I review this patch I realize there is a question of semantics and
prioritization here.

For example, socket policies are handled such that if the security layer
gives an error we behave as if the socket policy did not match.

Whereas we handle sub vs. primary global policies differently. If we hit
a sub-policy match, and we get a security layer error, we signal a full
lookup failure instead of trying to see if there is a primary policy that
the security layer likes.

I'm not saying either is wrong, I'm just pointing it out to make sure
this is intentional.

The socket policy behavior deserves some scrutiny. I say this because
if a matching socket policy is avoided due to security layer error,
this could potentially make key manager problems very hard to
diagnose.
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
On Mon, 2 Oct 2006, Evgeniy Polyakov wrote:

> > Can you look in /var/log/audit/audit.log ? (especially grep for
> > 'association' )
>
> Indeed.
>
> type=AVC msg=audit(1159804556.391:21): avc: denied { polmatch } for
> pid=2213 comm="racoon" scontext=root:system_r:unconfined_t:s0-s0:c0.c255
> tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association

Ok, that's it.

> But then it is quite strange why FC5 2.6.17-1.2187_FC5smp works,
> are there some bindings to the kernel version?
> (my knowledge about selinux changes related to xfrm are somewhere
> between zero and void).

The SELinux policy is loosely bound to the kernel version. Generally, if
you run development kernels, you need development SELinux policy.

> > What version of SELinux policy are you using?
> >
> > i.e. $ rpm -q selinux-policy-targeted
>
> selinux-policy-targeted-2.3.7-2.fc5

Yep, that's ancient.

> I run it every day in cron and there are no updates at
>
> http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/i386/
>
> behind my version.

You can get recent policy packages via the devel repo, which I'd suggest
if you're using development (or DIY) kernels.

--
James Morris
<[EMAIL PROTECTED]>
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
On Mon, Oct 02, 2006 at 12:13:45PM -0400, James Morris ([EMAIL PROTECTED]) wrote:
> On Mon, 2 Oct 2006, Evgeniy Polyakov wrote:
>
> > On Mon, Oct 02, 2006 at 10:27:13AM -0400, James Morris ([EMAIL PROTECTED])
> > wrote:
> > > Updated version of the patch, which returns directly after a flow cache
> > > lookup error in xfrm_lookup rather than returning via the cleanup path
> > > (which was causing a spurious dst_release).
> > >
> > > This works for me, although I never saw the oops with the old patch.
> > >
> > > Evgeniy, let me know if this fixes the oops you're seeing.
> >
> > With enabled selinux in enforcing mode I can not even get messages to
> > racoon, i.e. tcpdump sees first message of the daemon, but racoon log
> > (with a lot of -d) is not changed.
> > With permissive mode everything works fine.
>
> I think this could be your security policy denying access (which is a
> strong suspicion, because you hit the problem easily and it requires a
> policy denial).
>
> Can you look in /var/log/audit/audit.log ? (especially grep for
> 'association' )

Indeed.

type=AVC msg=audit(1159804556.391:21): avc: denied { polmatch } for
pid=2213 comm="racoon" scontext=root:system_r:unconfined_t:s0-s0:c0.c255
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association

But then it is quite strange why FC5 2.6.17-1.2187_FC5smp works,
are there some bindings to the kernel version?
(my knowledge about selinux changes related to xfrm are somewhere
between zero and void).

> What version of SELinux policy are you using?
>
> i.e. $ rpm -q selinux-policy-targeted

selinux-policy-targeted-2.3.7-2.fc5

> If it's not very recent, like 2.3.16-9 or better, you may need to run a
> yum update.

I run it every day in cron and there are no updates at
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/i386/
behind my version.

> - James
> --
> James Morris
> <[EMAIL PROTECTED]>

--
Evgeniy Polyakov
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
On Mon, 2 Oct 2006, Evgeniy Polyakov wrote:

> On Mon, Oct 02, 2006 at 10:27:13AM -0400, James Morris ([EMAIL PROTECTED])
> wrote:
> > Updated version of the patch, which returns directly after a flow cache
> > lookup error in xfrm_lookup rather than returning via the cleanup path
> > (which was causing a spurious dst_release).
> >
> > This works for me, although I never saw the oops with the old patch.
> >
> > Evgeniy, let me know if this fixes the oops you're seeing.
>
> With enabled selinux in enforcing mode I can not even get messages to
> racoon, i.e. tcpdump sees first message of the daemon, but racoon log
> (with a lot of -d) is not changed.
> With permissive mode everything works fine.

I think this could be your security policy denying access (which is a
strong suspicion, because you hit the problem easily and it requires a
policy denial).

Can you look in /var/log/audit/audit.log ? (especially grep for
'association' )

What version of SELinux policy are you using?

i.e. $ rpm -q selinux-policy-targeted

If it's not very recent, like 2.3.16-9 or better, you may need to run a
yum update.

- James
--
James Morris
<[EMAIL PROTECTED]>
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
On Mon, Oct 02, 2006 at 10:27:13AM -0400, James Morris ([EMAIL PROTECTED]) wrote:
> Updated version of the patch, which returns directly after a flow cache
> lookup error in xfrm_lookup rather than returning via the cleanup path
> (which was causing a spurious dst_release).
>
> This works for me, although I never saw the oops with the old patch.
>
> Evgeniy, let me know if this fixes the oops you're seeing.

With enabled selinux in enforcing mode I can not even get messages to
racoon, i.e. tcpdump sees first message of the daemon, but racoon log
(with a lot of -d) is not changed.
With permissive mode everything works fine.

It is possible that it is a 2.6.18-only problem though, I will try
previous kernels.

--
Evgeniy Polyakov