From: James Morris <jmorris@namei.org>
To: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
netdev@vger.kernel.org, Stephen Smalley <sds@tycho.nsa.gov>,
Evgeniy Polyakov <johnpol@2ka.mipt.ru>,
Paul Moore <paul.moore@hp.com>,
Chad Hanson <chanson@TrustedCS.com>
Subject: RE: [PATCH] Fix for IPsec leakage with SELinux enabled
Date: Mon, 2 Oct 2006 14:39:35 -0400 (EDT) [thread overview]
Message-ID: <Pine.LNX.4.64.0610021429400.11840@d.namei> (raw)
In-Reply-To: <36282A1733C57546BE392885C0618592015CF4DE@chaos.tcs.tcs-sec.com>
On Mon, 2 Oct 2006, Venkat Yekkirala wrote:
> This is indeed the "designed" and expected (for me) behavior.
This is a security hole. SELinux denies all access by default, so the
default behavior of this code is to allow all traffic to bypass IPsec.
You should not need to add a rule to 'allow' increased security.
> But I am
> beginning to see where this is perhaps NOT in line with the user
> expectation when the users have an IPSec policy rule that does NOT use
> labels.
> currently, EACH flow needing to use this rule MUST
> have SELinux policy "polmatch"ing the flow context (ftpd_t)
> to unlabeled_t (the implied in the absence of an explicit
> context on the IPSec policy rule) or the traffic would flow
> in clear text ("leaks" in user perception).
Plaintext leak is not a user perception, it's an absolute.
> What I propose we do is to do the polmatch check ONLY when
> there's an explicit label associated with the spd rule. Does
> this sound reasonable and correct in the larger SELinux context?
I think so.
> In cases where there's an explicit label on an spd rule like:
>
> spdadd 192.168.4.79 192.168.4.78 any -ctx 1 1
> "system_u:object_r:labeled_ipsec_t:s2-s4"
> -P out ipsec
> esp/transport//require;
>
> spdadd 192.168.4.78 192.168.4.79 any -ctx 1 1
> "system_u:object_r:labeled_ipsec_t:s2-s4"
> -P in ipsec
> esp/transport//require;
>
> then the current behavior (prior to this proposed patch) would be the
> desired behavior, i.e., a polmatch denial in the SELinux module just
> means that the flow isn't expected to undergo IPSec xfrms. IOW, there's
> no need to propagate -EACCES all the way back up. We could still propagate
> errors other than -EACCES if we like.
This needs to be handled within SELinux as far as possible, and errors
will generally need to be propagated back to the callers, as we don't know
what other LSMs might do, and errors unrelated to access control can be
returned.
- James
--
James Morris
<jmorris@namei.org>
next prev parent reply other threads:[~2006-10-02 18:39 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-02 17:09 [PATCH] Fix for IPsec leakage with SELinux enabled Venkat Yekkirala
2006-10-02 18:39 ` James Morris [this message]
-- strict thread matches above, loose matches on Subject: below --
2006-10-02 18:59 Venkat Yekkirala
2006-10-01 20:55 Venkat Yekkirala
2006-10-02 1:44 ` James Morris
2006-09-24 14:33 Is TCP over IPsec broken in 2.6.18? James Morris
2006-09-24 23:54 ` Herbert Xu
[not found] ` <20060925103836.GA13966@2ka.mipt.ru>
2006-09-25 11:27 ` Herbert Xu
2006-09-25 12:05 ` Evgeniy Polyakov
2006-09-30 5:06 ` James Morris
2006-09-30 5:14 ` James Morris
2006-09-30 11:15 ` Evgeniy Polyakov
2006-09-30 14:36 ` James Morris
2006-09-30 14:40 ` Evgeniy Polyakov
2006-09-30 14:44 ` James Morris
2006-10-01 6:27 ` [PATCH] Fix for IPsec leakage with SELinux enabled James Morris
2006-10-02 11:20 ` Evgeniy Polyakov
2006-10-02 13:31 ` James Morris
2006-10-02 13:42 ` Evgeniy Polyakov
2006-10-02 14:05 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.64.0610021429400.11840@d.namei \
--to=jmorris@namei.org \
--cc=chanson@TrustedCS.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=johnpol@2ka.mipt.ru \
--cc=netdev@vger.kernel.org \
--cc=paul.moore@hp.com \
--cc=sds@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).