Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-05 Thread David Miller
From: James Morris <[EMAIL PROTECTED]>
Date: Thu, 5 Oct 2006 16:58:31 -0400 (EDT)

> On Tue, 3 Oct 2006, David Miller wrote:
> 
> > The socket policy behavior deserves some scrutiny.  I say this because
> > if a matching socket policy is avoided due to security layer error,
> > this could potentially make key manager problems very hard to
> > diagnose.
> 
> In this case, AVC denial messages would be logged to the audit log, so 
> there'd be an indication of what's going wrong.

Ok.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-05 Thread James Morris
On Tue, 3 Oct 2006, David Miller wrote:

> The socket policy behavior deserves some scrutiny.  I say this because
> if a matching socket policy is avoided due to security layer error,
> this could potentially make key manager problems very hard to
> diagnose.

In this case, AVC denial messages would be logged to the audit log, so 
there'd be an indication of what's going wrong.


- James
-- 
James Morris
<[EMAIL PROTECTED]>


RE: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-04 Thread Venkat Yekkirala
Evgeniy,

Please start with my patch which should actually address the issue
you were originally running into. I doubt that you were running into
the kind of errors that James' patch (which will need to be modified
to not treat -EACCES as an error to be propagated up the chain) would
handle.

Thanks,

venkat

> -Original Message-
> From: James Morris [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 8:00 AM
> To: Evgeniy Polyakov
> Cc: David S. Miller; Herbert Xu; netdev@vger.kernel.org; Stephen
> Smalley; Venkat Yekkirala; Paul Moore; Daniel J Walsh
> Subject: Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
> 
> 
> On Wed, 4 Oct 2006, Evgeniy Polyakov wrote:
> 
> > Linux kano 2.6.18 #5 SMP Mon Oct 2 18:44:30 MSD 2006 i686 i686 i386 GNU/Linux
> > [EMAIL PROTECTED] ~]# rpm -q selinux-policy-targeted
> > selinux-policy-targeted-2.3.17-2
> > 
> > I get only these messages in audit.log when remote racoon tries to
> > connect to system with selinux enabled in enforcing mode:
> > 
> 
> I think the policy has just not been written for racoon, and it's being 
> denied by default (cc'd Dan Walsh).
> 
> > type=AVC msg=audit(1159938297.845:625): avc:  denied  { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association
> > type=AVC msg=audit(1159938297.845:626): avc:  denied  { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> > type=AVC msg=audit(1159938307.837:627): avc:  denied  { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> > type=AVC msg=audit(1159938317.838:628): avc:  denied  { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> > type=AVC msg=audit(1159938327.839:629): avc:  denied  { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> > 
> > It is with your patch applied.
> > Should I try Venkat's, or is it an unrelated problem?
> > 
> > > -- 
> > > James Morris
> > > <[EMAIL PROTECTED]>
> > 
> > 
> 
> -- 
> James Morris
> <[EMAIL PROTECTED]>
> 


Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-04 Thread Herbert Xu
On Tue, Oct 03, 2006 at 04:18:07PM -0700, David Miller wrote:
> 
> As I review this patch I realize there is a question of
> semantics and prioritization here.

Indeed.  Unfortunately I was doing other things at the time
sub-policies were introduced so I didn't pay attention to it.

After a quick look, it seems that the intention is to perform
some sort of recursive lookup (restricted to 2 levels only).

If that is the intention, perhaps we should try to come up
with a better mechanism because hard-coding a single level
of recursion for mobility is probably not the best solution
as this is just a special case of the general nested tunnel
problem.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-04 Thread James Morris
On Wed, 4 Oct 2006, Evgeniy Polyakov wrote:

> Linux kano 2.6.18 #5 SMP Mon Oct 2 18:44:30 MSD 2006 i686 i686 i386 GNU/Linux
> [EMAIL PROTECTED] ~]# rpm -q selinux-policy-targeted
> selinux-policy-targeted-2.3.17-2
> 
> I get only these messages in audit.log when remote racoon tries to
> connect to system with selinux enabled in enforcing mode:
> 

I think the policy has just not been written for racoon, and it's being 
denied by default (cc'd Dan Walsh).

> type=AVC msg=audit(1159938297.845:625): avc:  denied  { polmatch } for
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association
> type=AVC msg=audit(1159938297.845:626): avc:  denied  { polmatch } for
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> type=AVC msg=audit(1159938307.837:627): avc:  denied  { polmatch } for
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> type=AVC msg=audit(1159938317.838:628): avc:  denied  { polmatch } for
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> type=AVC msg=audit(1159938327.839:629): avc:  denied  { polmatch } for
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> 
> It is with your patch applied.
> Should I try Venkat's, or is it an unrelated problem?
> 
> > -- 
> > James Morris
> > <[EMAIL PROTECTED]>
> 
> 

-- 
James Morris
<[EMAIL PROTECTED]>


Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-03 Thread Evgeniy Polyakov
On Mon, Oct 02, 2006 at 12:41:57PM -0400, James Morris ([EMAIL PROTECTED]) 
wrote:
> You can get recent policy packages via the devel repo, which I'd suggest 
> if you're using development (or DIY) kernels.

[EMAIL PROTECTED] ~]# uname -a
Linux kano 2.6.18 #5 SMP Mon Oct 2 18:44:30 MSD 2006 i686 i686 i386 GNU/Linux
[EMAIL PROTECTED] ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.3.17-2

I get only these messages in audit.log when remote racoon tries to
connect to system with selinux enabled in enforcing mode:

type=AVC msg=audit(1159938297.845:625): avc:  denied  { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association
type=AVC msg=audit(1159938297.845:626): avc:  denied  { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1159938307.837:627): avc:  denied  { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1159938317.838:628): avc:  denied  { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1159938327.839:629): avc:  denied  { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association

It is with your patch applied.
Should I try Venkat's, or is it an unrelated problem?

> -- 
> James Morris
> <[EMAIL PROTECTED]>

-- 
Evgeniy Polyakov


Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-03 Thread James Morris
On Tue, 3 Oct 2006, David Miller wrote:

> I'm not saying either is wrong, I'm just pointing it out to make sure
> this is intentional.
> 
> The socket policy behavior deserves some scrutiny.  I say this because
> if a matching socket policy is avoided due to security layer error,
> this could potentially make key manager problems very hard to
> diagnose.

Yep, the code needs to be reworked in general (Venkat is doing this).



- James
-- 
James Morris
<[EMAIL PROTECTED]>


Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-03 Thread David Miller
From: James Morris <[EMAIL PROTECTED]>
Date: Mon, 2 Oct 2006 10:27:13 -0400 (EDT)

> Updated version of the patch, which returns directly after a flow cache 
> lookup error in xfrm_lookup rather than returning via the cleanup path 
> (which was causing a spurious dst_release).
> 
> This works for me, although I never saw the oops with the old patch.
> 
> Evgeniy, let me know if this fixes the oops you're seeing.
> 
> Signed-off-by: James Morris <[EMAIL PROTECTED]>

As I review this patch I realize there is a question of
semantics and prioritization here.

For example, socket policies are handled such that if the security
layer gives an error we behave as if the socket policy did not match.

Whereas we handle sub vs. primary global policies differently.  If we
hit a sub-policy match, and we get a security layer error, we signal a
full lookup failure instead of trying to see if there is a primary
policy that the security layer likes.

I'm not saying either is wrong, I'm just pointing it out to make sure
this is intentional.

The socket policy behavior deserves some scrutiny.  I say this because
if a matching socket policy is avoided due to security layer error,
this could potentially make key manager problems very hard to
diagnose.
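The two lookup behaviours Dave contrasts above, written out as a small Python model. This is an added example for this page, not kernel code: `Policy`, `secpol_check` and `xfrm_lookup_model` are hypothetical stand-ins for the selector match, the LSM polmatch hook and xfrm_lookup's policy selection, and the flow and policy labels are constructed sample values. The model encodes exactly what the message describes (a socket policy rejected by the security layer is treated as a non-match and the lookup silently moves on to the global policies; a rejected sub-policy fails the whole lookup) and adds a switch for the alternative Dave mentions, trying the primary policy when the sub-policy is rejected. The returned trace is what a key-manager debugger would want and what the silent socket-policy path hides.

```python
import errno


class Policy:
    """A policy entry: a selector (just the destination here) plus the
    label the security layer compares against the flow's label."""

    def __init__(self, name, dst, label):
        self.name, self.dst, self.label = name, dst, label

    def matches(self, flow):
        return self.dst == flow["dst"]


def secpol_check(policy, flow, allowed):
    """Stand-in for the LSM polmatch hook (hypothetical, not SELinux code):
    0 if the flow label may use this policy, otherwise -EACCES."""
    return 0 if (flow["label"], policy.label) in allowed else -errno.EACCES


def xfrm_lookup_model(flow, sock_policy, sub_policy, main_policy, allowed,
                      sub_error_falls_through=False):
    """Return (selected policy name or None, err, trace).

    Socket policy: a security-layer error is treated as "did not match"
    and the lookup continues with the global policies.
    Sub-policy: a security-layer error aborts the lookup with that error,
    unless sub_error_falls_through is set, which models the alternative
    of trying the primary (main) policy instead.
    """
    trace = []
    if sock_policy is not None and sock_policy.matches(flow):
        if secpol_check(sock_policy, flow, allowed) == 0:
            trace.append("socket policy used")
            return sock_policy.name, 0, trace
        # Dropped as if it had never matched: nothing is returned to the
        # caller that says a socket policy existed.
        trace.append("socket policy rejected by security layer, ignored")

    for kind, pol in (("sub", sub_policy), ("main", main_policy)):
        if pol is None or not pol.matches(flow):
            continue
        err = secpol_check(pol, flow, allowed)
        if err == 0:
            trace.append(f"{kind} policy used")
            return pol.name, 0, trace
        if kind == "sub" and sub_error_falls_through:
            trace.append("sub policy rejected by security layer, trying main")
            continue
        trace.append(f"{kind} policy rejected by security layer, lookup fails")
        return None, err, trace

    trace.append("no policy matched: plain (non-IPsec) route")
    return None, 0, trace


if __name__ == "__main__":
    # Constructed sample: one flow, three candidate policies, and a security
    # layer that only accepts the main policy's label for this flow.
    flow = {"dst": "10.0.0.1", "label": "f"}
    sock, sub, main = (Policy("sock", "10.0.0.1", "p1"),
                       Policy("sub", "10.0.0.1", "p1"),
                       Policy("main", "10.0.0.1", "p2"))
    allowed = {("f", "p2")}
    for fall_through in (False, True):
        name, err, trace = xfrm_lookup_model(flow, sock, sub, main, allowed,
                                             sub_error_falls_through=fall_through)
        print(f"fall_through={fall_through}: result={name} err={err}")
        for step in trace:
            print("   ", step)
```

With the default settings the run ends in -EACCES even though the main policy would have been acceptable, while the socket policy's rejection leaves no trace at all in the result; that asymmetry is the point Dave asks to have confirmed as intentional.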


Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-02 Thread James Morris
On Mon, 2 Oct 2006, Evgeniy Polyakov wrote:

> > Can you look in /var/log/audit/audit.log ? (especially grep for 
> > 'association' )
> 
> Indeed.
> 
> type=AVC msg=audit(1159804556.391:21): avc:  denied  { polmatch } for
> pid=2213 comm="racoon" scontext=root:system_r:unconfined_t:s0-s0:c0.c255
> tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association

Ok, that's it.

> But then it is quite strange that FC5 2.6.17-1.2187_FC5smp works;
> are there some bindings to the kernel version?
> (my knowledge about selinux changes related to xfrm are somewhere
> between zero and void).

The SELinux policy is loosely bound to the kernel version.  Generally, if 
you run development kernels, you need development SELinux policy.

> > What version of SELinux policy are you using?
> > 
> > i.e. $ rpm -q selinux-policy-targeted
> 
> selinux-policy-targeted-2.3.7-2.fc5

Yep, that's ancient.

> I run it every day in cron and there are no updates at
> 
> http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/i386/
> 
> behind my version.

You can get recent policy packages via the devel repo, which I'd suggest 
if you're using development (or DIY) kernels.



-- 
James Morris
<[EMAIL PROTECTED]>


Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-02 Thread Evgeniy Polyakov
On Mon, Oct 02, 2006 at 12:13:45PM -0400, James Morris ([EMAIL PROTECTED]) 
wrote:
> On Mon, 2 Oct 2006, Evgeniy Polyakov wrote:
> 
> > On Mon, Oct 02, 2006 at 10:27:13AM -0400, James Morris ([EMAIL PROTECTED]) 
> > wrote:
> > > Updated version of the patch, which returns directly after a flow cache 
> > > lookup error in xfrm_lookup rather than returning via the cleanup path 
> > > (which was causing a spurious dst_release).
> > > 
> > > This works for me, although I never saw the oops with the old patch.
> > > 
> > > Evgeniy, let me know if this fixes the oops you're seeing.
> > 
> > With SELinux enabled in enforcing mode I cannot even get messages to
> > racoon, i.e. tcpdump sees the first message of the daemon, but the racoon
> > log (with a lot of -d) is not changed.
> > With permissive mode everything works fine.
> 
> I think this could be your security policy denying access (which is a 
> strong suspicion, because you hit the problem easily and it requires a 
> policy denial).
> 
> Can you look in /var/log/audit/audit.log ? (especially grep for 
> 'association' )

Indeed.

type=AVC msg=audit(1159804556.391:21): avc:  denied  { polmatch } for
pid=2213 comm="racoon" scontext=root:system_r:unconfined_t:s0-s0:c0.c255
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association

But then it is quite strange that FC5 2.6.17-1.2187_FC5smp works;
are there some bindings to the kernel version?
(my knowledge about selinux changes related to xfrm are somewhere
between zero and void).

> What version of SELinux policy are you using?
> 
> i.e. $ rpm -q selinux-policy-targeted

selinux-policy-targeted-2.3.7-2.fc5

> If it's not very recent, like 2.3.16-9 or better, you may need to run a 
> yum update.

I run it every day in cron and there are no updates at

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/i386/

behind my version.

> 
> - James
> -- 
> James Morris
> <[EMAIL PROTECTED]>

-- 
Evgeniy Polyakov


Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-02 Thread James Morris
On Mon, 2 Oct 2006, Evgeniy Polyakov wrote:

> On Mon, Oct 02, 2006 at 10:27:13AM -0400, James Morris ([EMAIL PROTECTED]) 
> wrote:
> > Updated version of the patch, which returns directly after a flow cache 
> > lookup error in xfrm_lookup rather than returning via the cleanup path 
> > (which was causing a spurious dst_release).
> > 
> > This works for me, although I never saw the oops with the old patch.
> > 
> > Evgeniy, let me know if this fixes the oops you're seeing.
> 
> With SELinux enabled in enforcing mode I cannot even get messages to
> racoon, i.e. tcpdump sees the first message of the daemon, but the racoon
> log (with a lot of -d) is not changed.
> With permissive mode everything works fine.

I think this could be your security policy denying access (which is a 
strong suspicion, because you hit the problem easily and it requires a 
policy denial).

Can you look in /var/log/audit/audit.log ? (especially grep for 
'association' )

What version of SELinux policy are you using?

i.e. $ rpm -q selinux-policy-targeted

If it's not very recent, like 2.3.16-9 or better, you may need to run a 
yum update.


- James
-- 
James Morris
<[EMAIL PROTECTED]>

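James's suggestion above (grep audit.log for 'association') and the AVC records Evgeniy posts earlier in the thread, turned into a small Python parser. This is an added example for this page, not code from the thread or from the SELinux tools: it picks out the denials on the association class, extracts the type from each security context (the MLS range after the type can itself contain ':', as in s0-s0:c0.c255), and prints the audit2allow-style allow rule each distinct (source type, target type, class) pair would need. The sample log is constructed from the records quoted in the thread, re-joined onto one line each as audit.log stores them, plus one non-AVC line to show it is ignored.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this thread (one record per
# line, as in the real file) plus a SYSCALL record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1159804556.391:21): avc:  denied  { polmatch } for pid=2213 comm="racoon" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association
type=AVC msg=audit(1159938297.845:625): avc:  denied  { polmatch } for scontext=system_u:object_r:unlabeled_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association
type=AVC msg=audit(1159938297.845:626): avc:  denied  { polmatch } for scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1159938307.837:627): avc:  denied  { polmatch } for scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=SYSCALL msg=audit(1159938307.837:627): arch=40000003 syscall=102 success=no exit=-13
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC records, else None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m["ts"]),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
    }
    # Remaining key=value fields (pid, comm, scontext, tcontext, tclass, ...)
    for key, value in FIELD_RE.findall(m["fields"]):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx):
    """Type field of user:role:type[:range]; the MLS range may contain ':'."""
    return ctx.split(":", 3)[2]


def association_denials(lines):
    """The grep James suggests: denials whose object class is 'association'."""
    return [r for r in map(parse_avc, lines)
            if r is not None and r["result"] == "denied"
            and r.get("tclass") == "association"]


def suggested_allow_rules(records):
    """Collapse denials into audit2allow-style rules, one per
    (source type, target type, class), with the union of permissions."""
    perms = defaultdict(set)
    for r in records:
        key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"])
        perms[key].update(r["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in perms.items())


if __name__ == "__main__":
    denials = association_denials(SAMPLE_AUDIT_LOG.splitlines())
    for r in denials:
        who = f'{r.get("comm", "?")}[{r.get("pid", "?")}]'
        print(f'{r["serial"]}: {who} {context_type(r["scontext"])} -> '
              f'{context_type(r["tcontext"])} {r["tclass"]} '
              f'{{ {" ".join(r["perms"])} }}')
    print("\n".join(suggested_allow_rules(denials)))
```

The generated rules are what audit2allow would hand back, and they are shown as a diagnostic, not a fix: loading them wholesale widens the policy (the unlabeled_t source in the later records is a flow that carried no label at all), and the thread's own conclusion is that the right repair is a current policy package for the kernel in use.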


Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-02 Thread Evgeniy Polyakov
On Mon, Oct 02, 2006 at 10:27:13AM -0400, James Morris ([EMAIL PROTECTED]) 
wrote:
> Updated version of the patch, which returns directly after a flow cache 
> lookup error in xfrm_lookup rather than returning via the cleanup path 
> (which was causing a spurious dst_release).
> 
> This works for me, although I never saw the oops with the old patch.
> 
> Evgeniy, let me know if this fixes the oops you're seeing.

With SELinux enabled in enforcing mode I cannot even get messages to
racoon, i.e. tcpdump sees the first message of the daemon, but the racoon
log (with a lot of -d) is not changed.
With permissive mode everything works fine.

It is possible that it is a 2.6.18-only problem, though; I will try
previous kernels.

-- 
Evgeniy Polyakov