[Swan-commit] Changes to ref refs/heads/main

Paul Wouters paul at vault.libreswan.fi
Thu Mar 4 14:42:04 UTC 2021


New commits:
commit ddbdbcfb38f13550cfe83dda5531dc729389858d
Author: Kavinda Wewegama <kavinda.wewegama at forcepointgov.com>
Date:   Thu Mar 4 09:40:32 2021 -0500

    IKEv2: fix bug where the wrong label was used for SELinux policy check
    
    * The bug was that `policy-label` (e.g. `ipsec_spd_t`) was used in place
      of the SELinux domain in the `TS_SECLABEL` payload in `TSr`.
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 51d2c76f5f9755bf1c1f1f5fc443d68ba31282da
Author: Kavinda Wewegama <kavinda.wewegama at forcepointgov.com>
Date:   Thu Mar 4 09:31:50 2021 -0500

    IKEv2: fix bug where Initiator only sent a security label in TSi
    
    * Per IKEv2 labeled IPsec proposal (https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-04),
      both `TSi` and `TSr` contain a `TS_SECLABEL` payload when security
      labels are in use.
      ** For SELinux, the security label payloads in `TSi` and `TSr` should be
         identical.
    * Prior to this change, the Initiator did _not_ send a `TS_SECLABEL`
      payload as part of the `TSr` payload.
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit f558273b73f1c40c779010cd75f1e9ac37acc8e8
Author: Kavinda Wewegama <kavinda.wewegama at forcepointgov.com>
Date:   Thu Mar 4 09:31:18 2021 -0500

    IKEv2: don't use `policy-label` for a child SA
    
    * `policy-label` in a connection configuration, which is usually
      `ipsec_spd_t`, is only meant for Security Policy Database (SPD)
      entries.
    * Therefore, the `policy-label` should _not_ be used for the pair of
      child/IPsec SAs created as part of IKE_AUTH.
      ** We want security labels in child/IPsec SAs to be driven by
         Netlink ACQUIREs.
      ** If a connection with `policy-label` specified has `auto=start`,
         then there is no ACQUIRE with a label driving the creation of the
         child/IPsec SA pair.
         *** In this scenario, the child/IPsec SA pair that is created as
             part of IKE_AUTH should have _no_ security label.
             **** This behavior is what existed in the original IKEv1
                  labeled IPsec implementation.
             **** The child/IPsec SA pair without a security label won't be
                  used in a SELinux labeled IPsec environment. This is
                  because every IP datagram will have a SELinux domain
                  associated with it meaning that none of the datagrams will
                  match the child/IPsec SA pair without a security label.
             **** Therefore, having the child/IPsec SA pair without a
                  security label is harmless.
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 30f6c5a01e630f6073f91693810acc7a2546491b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 4 09:30:00 2021 -0500

    testing: rename ikev2-labeled-ipsec-03-mismatch -> ikev2-labeled-ipsec-04-no-label



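Added example (not libreswan code, not part of the commits above): a receive-side check for the rule in commit 51d2c76f that `TSi` and `TSr` both carry a `TS_SECLABEL` and that, for SELinux, the two labels are identical. Assumptions: TS type value 10 and the selector layout type(1) reserved(1) length(2) label; the function names and sample bytes are constructed for illustration, and only the first label in each payload is compared.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TS_SECLABEL 10 /* assumption: TS type value assigned to TS_SECLABEL */
/* Constructed sample TS payload bodies: count(1) reserved(3), then selectors. */
#define V4_SEL 7,0,0,16, 0,0,0xff,0xff, 192,0,2,0, 192,0,2,255
static const uint8_t tsi_ex[]   = { 2,0,0,0, V4_SEL, TS_SECLABEL,0,0,7, 'a','_','t' };
static const uint8_t tsr_ok[]   = { 2,0,0,0, V4_SEL, TS_SECLABEL,0,0,7, 'a','_','t' };
static const uint8_t tsr_bad[]  = { 2,0,0,0, V4_SEL, TS_SECLABEL,0,0,7, 'b','_','t' };
static const uint8_t tsr_none[] = { 1,0,0,0, V4_SEL };

/* Walk the selectors, each starting type(1) byte(1) length(2, big endian).
 * Returns the first TS_SECLABEL's length and sets *label, 0 if there is
 * none, -1 if the payload is malformed or the label is empty. */
static int find_seclabel(const uint8_t *ts, size_t len, const uint8_t **label)
{
    int found = 0;
    size_t off = 4;
    if (len < 4)
        return -1;
    for (unsigned i = 0; i < ts[0]; i++) {
        if (len - off < 4)
            return -1;
        size_t sel_len = ((size_t)ts[off + 2] << 8) | ts[off + 3];
        if (sel_len < 4 || sel_len > len - off)
            return -1; /* selector overruns the payload */
        if (ts[off] == TS_SECLABEL && found == 0) {
            if (sel_len == 4)
                return -1; /* empty label: nothing to compare */
            *label = ts + off + 4;
            found = (int)(sel_len - 4);
        }
        off += sel_len;
    }
    return off == len ? found : -1;
}

/* 1 = same label on both sides, 0 = no label on either side,
 * -1 = malformed, label on one side only, or labels differ. */
int check_ts_labels(const uint8_t *tsi, size_t ni_len, const uint8_t *tsr, size_t nr_len)
{
    const uint8_t *li = NULL, *lr = NULL;
    int ni = find_seclabel(tsi, ni_len, &li), nr = find_seclabel(tsr, nr_len, &lr);
    if (ni < 0 || nr < 0 || ni != nr)
        return -1;
    return ni == 0 ? 0 : (memcmp(li, lr, (size_t)ni) == 0 ? 1 : -1);
}
int main(void) { printf("%d\n", check_ts_labels(tsi_ex, sizeof tsi_ex, tsr_ok, sizeof tsr_ok)); return 0; }
```

The `tsr_none` case corresponds to the pre-fix Initiator behaviour described in that commit, where `TSr` went out without a `TS_SECLABEL`.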