rpms/ipsec-tools/devel racoon-lspp-ipsec.patch, NONE, 1.1 ipsec-tools.spec, 1.32, 1.33
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Sep 25 14:46:13 UTC 2006
Author: harald
Update of /cvs/dist/rpms/ipsec-tools/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv23568
Modified Files:
ipsec-tools.spec
Added Files:
racoon-lspp-ipsec.patch
Log Message:
- added patch for selinux integration (bug #207159)
racoon-lspp-ipsec.patch:
configure.ac | 1
src/racoon/cftoken.c | 1
src/racoon/isakmp_quick.c | 6 ++
src/racoon/pfkey.c | 42 ++++++++++++++--
src/racoon/policy.c | 8 ---
src/racoon/policy.h | 6 ++
src/racoon/proposal.c | 13 +----
src/racoon/security.c | 117 ++++++++++++++++++++++++++++++++++++++++++++++
8 files changed, 175 insertions(+), 19 deletions(-)
--- NEW FILE racoon-lspp-ipsec.patch ---
This is the latest in a series of racoon patches.
Upon testing racoon, it appeared racoon was still trying
to lookup policy with a security context, although
security contexts were not being used.
This patch includes fix for this problem.
Please replace any previous racoon patches, with this one.
This patch is against ipsec-tools-0.6.5-3.1 in rawhide.
Let me know if there are any problems.
Regards,
Joy Latten
----------------------------------------------------------------------------
diff -urpN ipsec-tools-0.6.5.orig/configure.ac ipsec-tools-0.6.5.0918/configure.ac
--- ipsec-tools-0.6.5.orig/configure.ac 2006-08-22 00:49:52.000000000 -0500
+++ ipsec-tools-0.6.5.0918/configure.ac 2006-09-18 03:29:40.000000000 -0500
@@ -620,6 +620,7 @@ if test "$enable_security_context" = "ye
AC_DEFINE([HAVE_SECCTX], [], [Enable Security Context])
SECCTX_OBJS="security.o"
AC_SUBST(SECCTX_OBJS)
+ LIBS="$LIBS -lselinux"
fi
fi
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/cftoken.c ipsec-tools-0.6.5.0918/src/racoon/cftoken.c
--- ipsec-tools-0.6.5.orig/src/racoon/cftoken.c 2006-08-22 00:49:52.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/cftoken.c 2006-09-18 02:57:23.000000000 -0500
@@ -1363,6 +1363,7 @@ char *yytext;
#include "isakmp_var.h"
#include "isakmp.h"
#include "ipsec_doi.h"
+#include "policy.h"
#include "proposal.h"
#include "nattraversal.h"
#ifdef GC
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/isakmp_quick.c ipsec-tools-0.6.5.0918/src/racoon/isakmp_quick.c
--- ipsec-tools-0.6.5.orig/src/racoon/isakmp_quick.c 2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/isakmp_quick.c 2006-09-18 02:47:16.000000000 -0500
@@ -2128,5 +2128,11 @@ get_proposal_r(iph2)
return ISAKMP_INTERNAL_ERROR;
}
+#ifdef HAVE_SECCTX
+ if (spidx.sec_ctx.ctx_str) {
+ set_secctx_in_proposal(iph2, spidx);
+ }
+#endif /* HAVE_SECCTX */
+
return 0;
}
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/pfkey.c ipsec-tools-0.6.5.0918/src/racoon/pfkey.c
--- ipsec-tools-0.6.5.orig/src/racoon/pfkey.c 2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/pfkey.c 2006-09-21 01:35:43.000000000 -0500
@@ -1672,6 +1672,10 @@ pk_recvacquire(mhp)
struct ph2handle *iph2[MAXNESTEDSA];
struct sockaddr *src, *dst;
int n; /* # of phase 2 handler */
+#ifdef HAVE_SECCTX
+ struct sadb_x_sec_ctx *m_sec_ctx;
+#endif /* HAVE_SECCTX */
+ struct policyindex spidx;
/* ignore this message because of local test mode. */
if (f_local)
@@ -1691,6 +1695,24 @@ pk_recvacquire(mhp)
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+#ifdef HAVE_SECCTX
+ m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
+
+ if (m_sec_ctx != NULL) {
+ plog(LLV_INFO, LOCATION, NULL,
+ "security context doi: %u\n",
+ m_sec_ctx->sadb_x_ctx_doi);
+ plog(LLV_INFO, LOCATION, NULL,
+ "security context algorithm: %u\n",
+ m_sec_ctx->sadb_x_ctx_alg);
+ plog(LLV_INFO, LOCATION, NULL,
+ "security context length: %u\n",
+ m_sec_ctx->sadb_x_ctx_len);
+ plog(LLV_INFO, LOCATION, NULL, "security context: %s\n",
+ ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)));
+ }
+#endif /* HAVE_SECCTX */
+
/* ignore if type is not IPSEC_POLICY_IPSEC */
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
plog(LLV_DEBUG, LOCATION, NULL,
@@ -1778,18 +1800,24 @@ pk_recvacquire(mhp)
/* get inbound policy */
{
- struct policyindex spidx;
+ memset(&spidx, 0, sizeof(spidx));
spidx.dir = IPSEC_DIR_INBOUND;
memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src));
memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst));
spidx.prefs = sp_out->spidx.prefd;
spidx.prefd = sp_out->spidx.prefs;
spidx.ul_proto = sp_out->spidx.ul_proto;
+
#ifdef HAVE_SECCTX
- if (*sp_out->spidx.sec_ctx.ctx_str)
- memcpy(&spidx.sec_ctx, &sp_out->spidx.sec_ctx,
- sizeof(spidx.sec_ctx));
+ if (m_sec_ctx) {
+ spidx.sec_ctx.ctx_doi = m_sec_ctx->sadb_x_ctx_doi;
+ spidx.sec_ctx.ctx_alg = m_sec_ctx->sadb_x_ctx_alg;
+ spidx.sec_ctx.ctx_strlen = m_sec_ctx->sadb_x_ctx_len;
+ memcpy(spidx.sec_ctx.ctx_str,
+ ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)),
+ spidx.sec_ctx.ctx_strlen);
+ }
#endif
sp_in = getsp(&spidx);
@@ -1877,6 +1905,12 @@ pk_recvacquire(mhp)
delph2(iph2[n]);
return -1;
}
+#ifdef HAVE_SECCTX
+ if (m_sec_ctx) {
+ set_secctx_in_proposal(iph2[n], spidx);
+ }
+#endif /* HAVE_SECCTX */
+
insph2(iph2[n]);
/* start isakmp initiation by using ident exchange */
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/policy.c ipsec-tools-0.6.5.0918/src/racoon/policy.c
--- ipsec-tools-0.6.5.orig/src/racoon/policy.c 2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/policy.c 2006-09-21 02:04:10.000000000 -0500
@@ -206,9 +206,7 @@ cmpspidxstrict(a, b)
#ifdef HAVE_SECCTX
if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg
|| a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi
- || a->sec_ctx.ctx_strlen != b->sec_ctx.ctx_strlen
- || (memcmp(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str,
- a->sec_ctx.ctx_strlen) != 0))
+ || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str))
return 1;
#endif
return 0;
@@ -284,9 +282,7 @@ cmpspidxwild(a, b)
#ifdef HAVE_SECCTX
if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg
|| a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi
- || a->sec_ctx.ctx_strlen != b->sec_ctx.ctx_strlen
- || (memcmp(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str,
- a->sec_ctx.ctx_strlen) != 0))
+ || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str))
return 1;
#endif
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/policy.h ipsec-tools-0.6.5.0918/src/racoon/policy.h
--- ipsec-tools-0.6.5.orig/src/racoon/policy.h 2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/policy.h 2006-09-18 03:05:08.000000000 -0500
@@ -35,6 +35,7 @@
#include <sys/queue.h>
#ifdef HAVE_SECCTX
+
#define MAX_CTXSTR_SIZE 50
struct security_ctx {
u_int8_t ctx_doi; /* Security Context DOI */
@@ -146,6 +147,11 @@ extern void initsp __P((void));
extern struct ipsecrequest *newipsecreq __P((void));
extern const char *spidx2str __P((const struct policyindex *));
+#ifdef HAVE_SECCTX
+#include <selinux/selinux.h>
extern int get_security_context __P((vchar_t *, struct policyindex *));
+extern int within_range __P((security_context_t, security_context_t));
+extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
+#endif
#endif /* _POLICY_H */
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/proposal.c ipsec-tools-0.6.5.0918/src/racoon/proposal.c
--- ipsec-tools-0.6.5.orig/src/racoon/proposal.c 2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/proposal.c 2006-09-18 02:47:16.000000000 -0500
@@ -1025,15 +1025,6 @@ set_proposal_from_policy(iph2, sp_main,
newpp->lifetime = iph2->sainfo->lifetime;
newpp->lifebyte = iph2->sainfo->lifebyte;
newpp->pfs_group = iph2->sainfo->pfs_group;
-#ifdef HAVE_SECCTX
- if (*sp_main->spidx.sec_ctx.ctx_str) {
- newpp->sctx.ctx_doi = sp_main->spidx.sec_ctx.ctx_doi;
- newpp->sctx.ctx_alg = sp_main->spidx.sec_ctx.ctx_alg;
- newpp->sctx.ctx_strlen = sp_main->spidx.sec_ctx.ctx_strlen;
- memcpy(newpp->sctx.ctx_str, sp_main->spidx.sec_ctx.ctx_str,
- sp_main->spidx.sec_ctx.ctx_strlen);
- }
-#endif /* HAVE_SECCTX */
if (lcconf->complex_bundle)
goto skip1;
@@ -1196,7 +1187,11 @@ set_proposal_from_proposal(iph2)
pp0->sctx.ctx_strlen = pp_peer->sctx.ctx_strlen;
memcpy(pp0->sctx.ctx_str, pp_peer->sctx.ctx_str,
pp_peer->sctx.ctx_strlen);
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "RESPONDING with (%s).\n", pp_peer->sctx.ctx_str);
}
+
#endif /* HAVE_SECCTX */
if (pp_peer->next != NULL) {
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/security.c ipsec-tools-0.6.5.0918/src/racoon/security.c
--- ipsec-tools-0.6.5.orig/src/racoon/security.c 2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/security.c 2006-09-18 10:58:37.000000000 -0500
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2005 International Business Machines Corporation
+ * Copyright (c) 2005 by Trusted Computer Solutions, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -36,6 +37,12 @@
#include <stdio.h>
#include <string.h>
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#include <selinux/avc.h>
+#include <selinux/context.h>
+
#include "var.h"
#include "vmbuf.h"
#include "misc.h"
@@ -45,6 +52,7 @@
#include "isakmp.h"
#include "ipsec_doi.h"
#include "policy.h"
+#include "proposal.h"
#include "strnames.h"
#include "handler.h"
@@ -150,3 +158,112 @@ get_security_context(sa, p)
}
return 0;
}
+
+void
+set_secctx_in_proposal(iph2, spidx)
+ struct ph2handle *iph2;
+ struct policyindex spidx;
+{
+ iph2->proposal->sctx.ctx_doi = spidx.sec_ctx.ctx_doi;
+ iph2->proposal->sctx.ctx_alg = spidx.sec_ctx.ctx_alg;
+ iph2->proposal->sctx.ctx_strlen = spidx.sec_ctx.ctx_strlen;
+ memcpy(iph2->proposal->sctx.ctx_str, spidx.sec_ctx.ctx_str,
+ spidx.sec_ctx.ctx_strlen);
+}
+
+
+/*
+ * function: init_avc
+ * description: function performs the steps necessary to initialize the
+ * userspace avc.
+ * input: void
+ * return: 0 if avc was successfully initialized
+ * 1 if the avc could not be initialized
+ */
+
+static int
+init_avc(void)
+{
+ int rtn = 0;
+
+ if (!is_selinux_mls_enabled()) {
+ plog(LLV_ERROR, LOCATION, NULL, "racoon: MLS support is not"
+ " enabled.\n");
+ return 1;
+ }
+
+ rtn = avc_init("racoon", NULL, NULL, NULL, NULL);
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL, "racoon: could not initialize avc.\n");
+ rtn = 1;
+ }
+ return rtn;
+}
+
+/*
+ * function: within_range
+ * description: function determines if the specified sl is within the
+ * configured range for a policy rule.
+ * input: security_context *sl SL
+ * char *range Range
+ * return: 1 if the sl is within the range
+ * 0 if the sl is not within the range or an error
+ * occurred which prevented the determination
+ */
+
+int
+within_range(security_context_t sl, security_context_t range)
+{
+ int rtn = 1;
+ security_id_t slsid;
+ security_id_t rangesid;
+ struct av_decision avd;
+ security_class_t tclass;
+ access_vector_t av;
+
+ if (!*range) /* This policy doesn't have security context */
+ return 1;
+
+ rtn = init_avc();
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "within_range: couldn't initialize the AVC\n");
+ return 0;
+ }
+
+ /*
+ * Get the sids for the sl and range contexts
+ */
+ rtn = avc_context_to_sid(sl, &slsid);
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "within_range: Unable to retrieve "
+ "sid for sl context (%s).\n", sl);
+ return 0;
+ }
+ rtn = avc_context_to_sid(range, &rangesid);
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "within_range: Unable to retrieve "
+ "sid for range context (%s).\n", range);
+ sidput(slsid);
+ return 0;
+ }
+
+ /*
+ * Straight up test between sl and range
+ */
+ tclass = SECCLASS_ASSOCIATION;
+ av = ASSOCIATION__POLMATCH;
+ rtn = avc_has_perm(slsid, rangesid, tclass, av, NULL, &avd);
+ if (rtn != 0) {
+ plog(LLV_INFO, LOCATION, NULL,
+ "within_range: The sl is not within range\n");
+ sidput(slsid);
+ sidput(rangesid);
+ return 0;
+ }
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "within_range: The sl (%s) is within range (%s)\n", sl, range);
+ return 1;
+}
Index: ipsec-tools.spec
===================================================================
RCS file: /cvs/dist/rpms/ipsec-tools/devel/ipsec-tools.spec,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- ipsec-tools.spec 4 Aug 2006 09:19:17 -0000 1.32
+++ ipsec-tools.spec 25 Sep 2006 14:46:11 -0000 1.33
@@ -1,6 +1,6 @@
Name: ipsec-tools
Version: 0.6.5
-Release: 4
+Release: 5
Summary: Tools for configuring and using IPSEC
License: BSD
Group: System Environment/Base
@@ -18,8 +18,10 @@
#Patch6: ipsec-tools-0.6.1-openssl-098.patch
Patch7: ipsec-tools-0.6.5-mls.patch
Patch8: ipsec-tools-0.6.5-pre6.patch
+Patch9: racoon-lspp-ipsec.patch
BuildRequires: openssl-devel, krb5-devel, bison, flex, automake, libtool
+BuildRequires: libselinux-devel >= 1.30.28-2
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
Requires: initscripts >= 7.31.11.EL-1
@@ -39,6 +41,7 @@
#%patch6 -p1 -b .openssl-098
%patch7 -p1 -b .mls
%patch8 -p1 -b .pre6
+%patch9 -p1 -b .sctx
mkdir -p kernel-headers/linux
cp %{SOURCE1} %{SOURCE2} %{SOURCE5} %{SOURCE6} kernel-headers/linux
@@ -97,6 +100,9 @@
%config(noreplace) /etc/racoon/racoon.conf
%changelog
+* Mon Sep 25 2006 Harald Hoyer <harald at redhat.com> - 0.6.5-5
+- added patch for selinux integration (bug #207159)
+
* Fri Aug 4 2006 Harald Hoyer <harald at redhat.com> - 0.6.5-4
- backport of important 0.6.6 fixes:
- sets NAT-T ports to 0 if no NAT encapsulation
More information about the fedora-cvs-commits
mailing list