On Sat, 30 Sep 2006, James Morris wrote:

> SELinux enabled is changed to permissive mode.
Ok, in the case where unencrypted packets are leaking, the problem is that 
xfrm_lookup() is returning a false zero on a polmatch denial like:

  avc:  denied  { polmatch } for  scontext=system_u:system_r:ftpd_t:s0 
  tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
Follow the call back up from selinux_xfrm_policy_lookup(), when:

{
        rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
                          ASSOCIATION__POLMATCH,
                          NULL);

        return rc;  <----  -EACCES
}
Which is propagated back via 

   xfrm_policy_match()
   xfrm_policy_lookup_bytype()
   xfrm_policy_lookup()
   
to

int xfrm_lookup() 
{
        ...

        if (!policy) {
                /* To accelerate a bit...  */
                if ((dst_orig->flags & DST_NOXFRM) ||
                     !xfrm_policy_count[XFRM_POLICY_OUT])
                        return 0;
                
                policy = flow_cache_lookup(fl, dst_orig->ops->family,
                                           dir, xfrm_policy_lookup);
        }

        if (!policy)
                return 0;   <---- returns

        ...
}

and the callers then allow the packet to proceed unencrypted.

It seems that some logic needs to be reworked to ensure that the real 
error value is propagated back and returned via xfrm_lookup().

I was also seeing these AVCs when receiving ping requests:

  avc:  denied  { sendto } for scontext=system_u:object_r:unlabeled_t:s0 
  tcontext=system_u:object_r:unlabeled_t:s0 tclass=association

Not sure if there are any deeper issues in this case: the callers need to 
be audited.
- James
-- 
James Morris <[EMAIL PROTECTED]>
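A constructed C model of the leak the mail describes, added here as an illustration (it is neither the kernel's code nor the patch that was eventually merged): a policy lookup that folds the LSM's -EACCES into NULL makes the caller treat a denial exactly like "no policy" and send cleartext, whereas carrying the errno inside the pointer with the kernel's ERR_PTR/IS_ERR idiom (re-implemented here for userspace) lets the xfrm_lookup() stand-in return the real error. The policy struct, the verdict values and all function names are assumed stand-ins.

```c
#include <errno.h>
#include <stddef.h>

struct policy { int id; };                    /* stand-in for struct xfrm_policy */
enum { SEC_ALLOW = 0, SEC_DENY = 1 };         /* constructed AVC verdicts */
static struct policy the_policy = { 1 };

/* userspace copies of the helpers from linux/err.h */
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-4095; }

/* Model of selinux_xfrm_policy_lookup(): -EACCES on a polmatch denial. */
static int security_policy_lookup(int lsm_verdict)
{
	return lsm_verdict == SEC_DENY ? -EACCES : 0;
}

/* Buggy lookup: the error is indistinguishable from "no matching policy". */
static struct policy *policy_lookup_buggy(int lsm_verdict)
{
	if (security_policy_lookup(lsm_verdict) != 0)
		return NULL;
	return &the_policy;
}

/* Fixed lookup: the errno travels inside the returned pointer. */
static struct policy *policy_lookup_fixed(int lsm_verdict)
{
	int err = security_policy_lookup(lsm_verdict);
	if (err)
		return ERR_PTR(err);
	return &the_policy;
}

/* Model of xfrm_lookup(): <0 = caller drops, 0 = caller sends;
 * *xfrm_applied tells whether a policy (and so IPsec) was attached. */
static int xfrm_lookup_model(struct policy *(*lookup)(int), int lsm_verdict, int *xfrm_applied)
{
	struct policy *pol = lookup(lsm_verdict);
	*xfrm_applied = 0;
	if (IS_ERR(pol))
		return (int)PTR_ERR(pol);   /* real error reaches the caller */
	if (!pol)
		return 0;                   /* genuinely no policy: cleartext is allowed */
	*xfrm_applied = 1;
	return 0;
}

/* 1 when the packet would leave unencrypted despite the denial path. */
static int packet_leaks_cleartext(struct policy *(*lookup)(int), int lsm_verdict)
{
	int applied;
	return xfrm_lookup_model(lookup, lsm_verdict, &applied) == 0 && !applied;
}
```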