From: Paul Moore <paul.moore@hp.com>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
Subject: Re: [PATCH 08/10] selinux: Fix handling of kernel generated packets on labeled IPsec
Date: Wed, 23 Feb 2011 16:45:57 -0500 [thread overview]
Message-ID: <201102231645.58047.paul.moore@hp.com> (raw)
In-Reply-To: <20110222133150.GE20852@secunet.com>
On Tuesday, February 22, 2011 8:31:50 AM Steffen Klassert wrote:
> On Wed, Feb 16, 2011 at 03:57:27PM -0500, Paul Moore wrote:
> > On Mon, 2011-02-14 at 14:21 +0100, Steffen Klassert wrote:
> > > As it is, we require the security context of a labeled SA to be the
> > > same as the security context of the originating flow. On a nontrivial
> > > selinux policy the security context of the flow of kernel generated
> > > packets, like echo reply packets, are usually not equal to the
> > > security context of the labeled SA. So it is not possible to send
> > > such packets in this case. The fact that the security context of a
> > > labeled SA must be the same as the security context of the originating
> > > flow can also lead to problems if an outgoing SA is used for packet
> > > forwarding and for locally generated traffic.
> > >
> > > This patch fixes this by removing this equality check. Instead we
> > > ask the access vector cache if the security context of the SA is
> > > compatible to the security context of the IPsec policy. This
> > > partially reverts commit 67f83cbf081a70426ff667e8d14f94e13ed3bdca
> > >
> > > Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> >
> > I think understand the problem you're running up against, and if I'm
> > understanding it correctly it is an inherent problem with the labeled
> > IPsec design - not something that we can fix.
>
> Hm, I think we need to get this to work. Echo reply packets are just
> one thing. Also other icmp messages can't be send. For example path mtu
> discovery can't work with labeled IPsec. And have you tried to use
> labeled IPsec on IPv6 networks? Kernel generated icmp messages are
> quite important here.
Yes, several years ago I worked on the IPsec stack for a commercial UNIX OS
and we had to basically allow all IPv6/ICMP in the SPD so that router/neighbor
discovery would work correctly. I believe that the specifications have now
evolved to allow type/code which would make this a bit easier now.
Why not just create a SPD rule that would send these ICMP packets over a
traditional, unlabeled SA? Am I missing something that would require them to
be sent over a labeled SA?
> > The core issue is that with labeled IPsec the packets themselves are not
> > labeled, the SAs are labeled instead. This means that in order to
> > accurately convey peer labels over the network you need to ensure that
> > the flow's label matches the SA label; this is why there is a direct SID
> > to SID comparison in the code. Failing to match a flow to the
> > associated SA will result in data being mis/relabeled which is a big
> > no-no.
>
> I still don't understand why this is necessary, would'nt it be also
> ok to enforce this with a policy rule? I have to think a bit longer
> about that...
Think about it some more and let me know if you are still having problems.
It is absolutely critical that the SA's label matches the peer's label
_exactly_. Once you understand how labeled IPsec conveys peer labels across
the network, you will understand why this is so important.
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2011-02-23 21:46 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20110214131651.GA15640@secunet.com>
2011-02-14 16:59 ` [PATCHSET RFC] selinux: rework labeled IPsec networking Paul Moore
[not found] ` <20110215121900.GA25769@secunet.com>
2011-02-16 0:02 ` Paul Moore
[not found] ` <20110221115403.GA20852@secunet.com>
2011-02-21 15:28 ` Paul Moore
[not found] ` <20110214131739.GB15640@secunet.com>
2011-02-16 19:18 ` [PATCH 01/10] selinux: Fix check for xfrm selinux context algorithm Paul Moore
[not found] ` <20110214131815.GC15640@secunet.com>
2011-02-16 19:34 ` [PATCH 02/10] selinux: Perform postroute access control checks after IPsec transfomations Paul Moore
[not found] ` <20110222112334.GB20852@secunet.com>
2011-02-23 21:02 ` Paul Moore
2011-02-28 7:29 ` Steffen Klassert
[not found] ` <20110214131855.GD15640@secunet.com>
2011-02-16 19:39 ` [PATCH 03/10] selinux: Remove checks for xfrm transformations from selinux_xfrm_postroute_last Paul Moore
[not found] ` <20110214131934.GE15640@secunet.com>
2011-02-16 19:46 ` [PATCH 04/10] selinux: Fix wrong checks for selinux_policycap_netpeer Paul Moore
[not found] ` <20110214132009.GF15640@secunet.com>
2011-02-16 20:11 ` [PATCH 05/10] selinux: selinux_xfrm_decode_session check for socket sid Paul Moore
[not found] ` <20110222121143.GC20852@secunet.com>
2011-02-23 21:16 ` Paul Moore
2011-02-25 19:21 ` Joy Latten
2011-02-28 10:25 ` Steffen Klassert
2011-02-28 8:51 ` Steffen Klassert
[not found] ` <20110214132049.GG15640@secunet.com>
2011-02-16 20:19 ` [PATCH 06/10] selinux: Fix packet forwarding checks on postrouting Paul Moore
[not found] ` <20110214132122.GH15640@secunet.com>
2011-02-16 20:32 ` [PATCH 07/10] selinux: Check receiving against sending interface on packet forwarding Paul Moore
[not found] ` <20110222130409.GD20852@secunet.com>
2011-02-23 21:34 ` Paul Moore
2011-02-28 9:10 ` Steffen Klassert
[not found] ` <20110214132157.GI15640@secunet.com>
2011-02-16 20:57 ` [PATCH 08/10] selinux: Fix handling of kernel generated packets on labeled IPsec Paul Moore
[not found] ` <20110222133150.GE20852@secunet.com>
2011-02-23 21:45 ` Paul Moore [this message]
2011-02-25 20:50 ` Joy Latten
2011-02-28 10:33 ` Steffen Klassert
2011-03-01 18:41 ` Paul Moore
[not found] ` <20110214132312.GK15640@secunet.com>
2011-02-16 21:08 ` [PATCH 10/10] selinux: Perform xfrm checks for unlabeled access in any case Paul Moore
[not found] ` <20110222135217.GF20852@secunet.com>
2011-02-23 21:59 ` Paul Moore
2011-02-28 11:34 ` Steffen Klassert
2011-03-01 18:42 ` Paul Moore
[not found] ` <20110214132234.GJ15640@secunet.com>
[not found] ` <1297889991.25079.46.camel@sifl>
2011-02-16 22:08 ` [PATCH 09/10] selinux: xfrm - notify users on dropped packets James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201102231645.58047.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=linux-security-module@vger.kernel.org \
--cc=selinux@tycho.nsa.gov \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.