[redhat-lspp] Labeled IPsec and UDP ... not quite what I was expecting

Eric Paris eparis at parisplace.org
Wed Mar 28 01:19:48 UTC 2007


On Tue, 2007-03-27 at 20:00 -0400, Paul Moore wrote:
> Howdy,
> 
> In the course of running some tests I ran into some behavior that I wasn't 
> expecting; before I get too concerned about the problem I thought I would post 
> something here to get the group's take on it ...
> 
> The problem is that when I have system A sending UDP traffic to system B using 
> labeled IPsec if it does not find an existing SA with a matching SELinux 
> context it sends the packet without IPsec applied - even if there is an entry 
> in the SPD which requires IPsec be applied to the traffic.  I have not tested 
> this yet with the lspp.71 kernel, but I see the problem on the lspp.70 kernel 
> and I don't see anything in the changelog which would make me think this has 
> been fixed.  Please correct me if I'm wrong.
> 
> To give a more concrete example, I am using a SPD entry similar to the 
> following:
> 
>  spdadd 10.0.0.2 10.0.0.3[5300] udp
>         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
>         -P out ipsec ah/transport//require;
> 
> Which should require traffic going from 10.0.0.2 to 10.0.0.3 over UDP port 
> 5300 to have an AH transform applied using labeled IPsec.  If the process on 
> 10.0.0.2 is running in a domain with a MLS sensitivity label of "s0" then 
> everything works as expected.  If the process is running in a domain with a 
> MLS sensitivity label of "s15:c0.c239" (or anything other than "s0" really) 
> the traffic is sent out on the wire without any IPsec applied at all.
> 
> I haven't filed a bug on this yet, I wanted to post this to the list first to 
> make sure I'm not doing something incredibly boneheaded ... although the 
> more I think about this the more I think we have a rather serious bug on our 
> hands.  Can anyone prove me wrong?  Please?

Just to make sure it's not a boneheaded backport on my part of some of
Venkat's old work, can you see if it is the same on the latest upstream
kernel?  Most all of the labeled net changes are in Linus's tree now.

-Eric
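The failure Paul describes is only visible on the wire: the SPD says "require" AH, but the datagram leaves as plain UDP when no SA with a matching context exists. The script below is an added example, not code from this thread or from the lspp kernel work; it is the kind of check a tester would run over a capture of the 10.0.0.2 -> 10.0.0.3:5300 traffic to confirm each datagram was actually wrapped in a transport-mode AH header (RFC 4302 layout: IP proto 51, then next-header/payload-length/SPI/sequence/ICV, then the original UDP segment). The three packets it examines are constructed inline rather than captured, the ICV is a dummy of zeros since no SA key is involved, and `unprotected_udp`, `parse_ipv4` and the other names are this example's own; it parses headers only and does not verify any ICV.

```python
"""Check whether UDP datagrams to a protected destination left the host with
a transport-mode AH header around them, as a 'require' SPD entry demands.

Added example for the labeled-IPsec/UDP thread; not code from the redhat-lspp
list. All packets are constructed here, with a dummy (zero) ICV and no key.
"""
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_AH = 51


def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header, no options; checksum left 0 (not verified).
    total = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def udp_segment(sport, dport, data):
    # UDP header with checksum 0 (checksum is optional for IPv4 UDP).
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def ah_header(next_proto, spi, seq, icv):
    # RFC 4302: payload length field is the AH length in 32-bit words minus 2.
    ah_len = 12 + len(icv)
    if ah_len % 4:
        raise ValueError("AH must be a multiple of 32 bits; pad the ICV")
    return struct.pack("!BBHII", next_proto, ah_len // 4 - 2, 0, spi, seq) + icv


def parse_ipv4(pkt):
    """Return (src, dst, l4_proto, ah_spi_or_None, l4_bytes) for a raw IPv4
    packet, stepping over a transport-mode AH header when one is present."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    body = pkt[ihl:]
    spi = None
    if proto == IPPROTO_AH:
        next_proto, payload_len = body[0], body[1]
        spi = struct.unpack("!I", body[4:8])[0]
        body = body[(payload_len + 2) * 4:]   # skip the whole AH, ICV included
        proto = next_proto
    return src, dst, proto, spi, body


def unprotected_udp(packets, dst, dport):
    """Indices of packets that are UDP to dst:dport with no AH around them,
    i.e. datagrams the 'require' policy should never have let out bare."""
    bad = []
    for i, pkt in enumerate(packets):
        _src, pdst, proto, spi, l4 = parse_ipv4(pkt)
        if pdst != dst or proto != IPPROTO_UDP:
            continue
        if struct.unpack("!H", l4[2:4])[0] != dport:
            continue
        if spi is None:
            bad.append(i)
    return bad


def sample_packets():
    """Constructed stand-ins for what each sender would put on the wire."""
    udp = udp_segment(40000, 5300, b"hello")
    # Sender in an s0 domain: the SA matched, so AH transport mode wraps UDP.
    ah = ah_header(IPPROTO_UDP, spi=0x100, seq=1, icv=b"\x00" * 12)  # dummy ICV
    protected = ipv4_header("10.0.0.2", "10.0.0.3", IPPROTO_AH,
                            len(ah) + len(udp)) + ah + udp
    # Sender in an s15:c0.c239 domain: no matching SA, datagram sent bare.
    bare = ipv4_header("10.0.0.2", "10.0.0.3", IPPROTO_UDP, len(udp)) + udp
    # Traffic to a port the SPD entry does not cover; bare is fine here.
    other_udp = udp_segment(40001, 5301, b"other")
    other = ipv4_header("10.0.0.2", "10.0.0.3", IPPROTO_UDP,
                        len(other_udp)) + other_udp
    return [protected, bare, other]


if __name__ == "__main__":
    pkts = sample_packets()
    print("unprotected UDP to 10.0.0.3:5300 at indices:",
          unprotected_udp(pkts, "10.0.0.3", 5300))
```

In practice the packet list would come from `tcpdump -w` on the sender's outbound interface (or on system B), with the link-layer header stripped before calling `parse_ipv4`; any non-empty result from `unprotected_udp` is the bug Paul reports, since a "require" level SPD entry should drop the datagram rather than let it out bare.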
