[redhat-lspp] Labeled IPsec and UDP ... not quite what I was expecting

Joy Latten latten at austin.ibm.com
Wed Mar 28 01:02:38 UTC 2007


On Tue, 2007-03-27 at 20:00 -0400, Paul Moore wrote:
> Howdy,
> 
> In the course of running some tests I ran into some behavior that I wasn't 
> expecting, before I get too concerned about the problem I thought I would post 
> something here to get the group's take on it ...
> 
> The problem is that when I have system A sending UDP traffic to system B using 
> labeled IPsec if it does not find an existing SA with a matching SELinux 
> context it sends the packet without IPsec applied - even if there is an entry 
> in the SPD which requires IPsec be applied to the traffic.  I have not tested 
> this yet with the lspp.71 kernel, but I see the problem on the lspp.70 kernel 
> and I don't see anything in the changelog which would make me think this has 
> been fixed.  Please correct me if I'm wrong.
> 
> To give a more concrete example, I am using a SPD entry similar to the 
> following:
> 
>  spdadd 10.0.0.2 10.0.0.3[5300] udp
>         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
>         -P out ipsec ah/transport//require;
> 
> Which should require traffic going from 10.0.0.2 to 10.0.0.3 over UDP port 
> 5300 to have an AH transform applied using labeled IPsec.  If the process on 
> 10.0.0.2 is running in a domain with a MLS sensitivity label of "s0" then 
> everything works as expected.  If the process is running in a domain with a 
> MLS sensitivity label of "s15:c0.c239" (or anything other than "s0" really) 
> the traffic is sent out on the wire without any IPsec applied at all.
> 
> I haven't filed a bug on this yet, I wanted to post this to the list first to 
> make sure I'm not doing something incredibly bone-headed ... although the 
> more I think about this the more I think we have a rather serious bug on our 
> hands.  Can anyone prove me wrong?  Please?
> 

Paul,
I think I know why this is happening. In your example, the policy has
a context of "system_u:object_r:ipsec_spd_t:s0", thus it will only work
at s0. Everything else will not match the policy and thus go out as
unlabeled because by default we allow unlabeled packets. (That is, 
the boolean allow_unlabeled_packets is on by default. You must turn it
off if you don't want any unlabeled packets going out.) It should do
this for tcp and udp. 

In my policy, I have a context of
"system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" to catch everything.

I tried it with my policy and sent udp packets and it worked ok. 
Please try this and let me know if it does or doesn't work for you. 

Joy 
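The fix Joy describes, written out as an added example (not code from the thread): a small POSIX shell script that emits the setkey SPD entries with the full MLS range "s0-s15:c0.c1023" in the context, alongside the original s0-only entry for comparison, and an "apply" wrapper that loads them, clears the allow_unlabeled_packets boolean and dumps the SPD so the range can be checked. The hosts, port and AH "require" transform are taken from Paul's message; the inbound mirror entry, the wrapper and the verification commands are assumptions added here.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits labeled-IPsec SPD entries
# whose SELinux context covers the whole MLS range, so traffic from a process at
# any sensitivity level matches the policy instead of falling through.

# spd_config SRC DST PORT -> setkey configuration on stdout
spd_config() {
    src=$1; dst=$2; port=$3
    cat <<EOF
# Entry from the thread, kept commented out: it matches only processes at s0,
# so anything else misses the policy and leaves the host unlabeled while the
# allow_unlabeled_packets boolean is on.
#spdadd $src $dst[$port] udp
#       -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
#       -P out ipsec ah/transport//require;

# Corrected entry: the context range below covers every MLS level, so the
# policy matches regardless of the sending domain's sensitivity.
spdadd $src $dst[$port] udp
       -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023"
       -P out ipsec ah/transport//require;

# Mirror entry for the return direction (assumed; the thread shows only the
# outbound rule).
spdadd $dst[$port] $src udp
       -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023"
       -P in ipsec ah/transport//require;
EOF
}

# has_full_range SRC DST PORT: true if the generated policy carries the full
# MLS range. Usable without root.
has_full_range() {
    spd_config "$1" "$2" "$3" | grep -q 's0-s15:c0.c1023'
}

# apply SRC DST PORT: load the SPD, stop the unlabeled fallback, show the SPD.
# Needs root and a labeled-IPsec kernel; only run when invoked as "apply".
apply() {
    spd_config "$1" "$2" "$3" | setkey -c
    # Turn off the fallback so traffic that matches no SA is not sent in the clear.
    setsebool allow_unlabeled_packets 0
    # Dump the SPD and confirm the context range on each entry.
    setkey -DP
}

if [ "${1:-}" = "apply" ]; then
    apply "${2:-10.0.0.2}" "${3:-10.0.0.3}" "${4:-5300}"
fi
```

Run it as `sh script.sh apply 10.0.0.2 10.0.0.3 5300` on the sending host; with no arguments it only defines the functions. After loading, the `setkey -DP` output should show the "s0-s15:c0.c1023" range on both entries, and a packet from an "s15:c0.c239" domain should now either get AH applied or, with the boolean off, be dropped rather than leave unlabeled.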
