From: Paul Moore
To: Steffen Klassert
Cc: linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
Subject: Re: [PATCH 02/10] selinux: Perform postroute access control checks after IPsec transformations
Date: Wed, 23 Feb 2011 16:02:54 -0500
Message-Id: <201102231602.54502.paul.moore@hp.com>
In-Reply-To: <20110222112334.GB20852@secunet.com>
References: <20110214131651.GA15640@secunet.com> <1297884894.25079.12.camel@sifl> <20110222112334.GB20852@secunet.com>
List-Id: selinux@tycho.nsa.gov

On Tuesday, February 22, 2011 6:23:34 AM Steffen Klassert wrote:
> On Wed, Feb 16, 2011 at 02:34:54PM -0500, Paul Moore wrote:
> > Believe it or not, this code you are changing was done that way for a
> > reason: compatibility, bug-for-bug compatibility :)
>
> As a selinux newbie, I'm well advised to believe it :)
>
> > When the new ingress/egress controls were first introduced (check the
> > archives, the patches were merged Jan 2008) the existing SELinux
> > postroute code ran for every transform; this was obviously a bug that
> > had persisted for some time, but considering the very strong desire to
> > preserve any user/admin visible behavior, I did not fix this when I
> > moved the old code up into selinux_ip_postroute_compat(). The good
> > news is that I didn't carry over this bug into the new egress controls
> > as the IPsec transform check occurs before the egress controls are
> > executed.
> >
> > So, a big NACK on this patch for compatibility reasons. In order to get
> > the behavior you are looking for, make sure your policy enables the
> > "network_peer_controls" policy capability.
>
> I just noticed that because I started with a dummy policy where I had
> network_peer_controls disabled. I can easily live without that patch
> of course.

Ah, that would explain it. Were you using the dummy policy generated by
scripts/selinux? If so, that might be a worthwhile patch to add that
policy capability to the generated policy.

--
paul moore
linux @ hp